It has been reported that Russian state-sponsored hacking group Energetic Bear has successfully compromised state, local, territorial, and tribal (SLTT) government networks and stole data from at least two servers. The actor, named TEMP.Isotope, has successfully breached systems in the US, EU, and elsewhere and have targeted energy providers, water infrastructure, and even airports
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) reported that the threat actors have been observed targeting the networks of various U.S. SLTT governments, as well as those of aviation organizations
The actors used stolen credentials for initial access and lateral movement to locate high value assets and exfiltrate the data of interest. According to the FBI it doesn’t appear the actor has not intentionally disrupted the organizations operations. However, they may be seeking access to influence U.S. policies and actions in the future.
What to do?
You must must maintain a robust layered cyber defense network with monitoring and detection to reduce an attack’s risk by a known vulnerability and exploit. Insure all cyber defense systems are up to date and active.
What can you do to when this happens to you?
Once a breach has been identified, immediately shut down the network and pinpoint what data has been compromised and/or exfiltrated. Reinstate the network using the most recent non-compromised back-up.
Sources.
https://www.securityweek.com/us-says-russian-hackers-stole-data-two-government-servers
This USVBA Cyber Alert is provided by our partner, 171 Comply. Please visit their website to learn more about CMMC and their services.