Russian Hackers Stole Data from U.S. Government Networks

Recently, a joint cybersecurity advisory has been signed by the Federal Bureau of Investigation (FBI) and the Cybersecurity, and Infrastructure Security Agency (CISA), which affirms that the hackers who are sponsored by Russia have been attempting to crack into U.S. state and regional government computer networks. 

Hackers successfully hacked after trying two times, and the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency has announced in a security alert that there is no proper evidence that asserts any election data has been compromised.

Documents Accessed

The Russian-sponsored APT actor is getting user and administrator credentials to build initial access, which will allow lateral movement after getting inside the network and place high-value assets to exfiltrate all the data. 

That’s why the APT actors laterally negotiate an SLTT victim network and gain access to the sensitive documents, here they are mentioned below:-

  • High-strung network configurations and passwords.
  • Standard operating procedures (SOP), such as entering in multi-factor authentication (MFA).
  • I.T. instructions, such as demanding password resets.
  • Merchants and purchasing data.
  • Publishing access badges.

Technical Details

To connect to the victim web servers, the APT actor actively using the following Turkish IP addresses:-

  • 213.74.101[.]65
  • 213.74.139[.]196
  • 212.252.30[.]170

Apart from this, the threat actors also used 213.74.101[.]65 and 213.74.139[.]196 to strive for the brute force logins. But, after several instances, the threat actors tried Structured Query Language (SQL) injections on victim websites. 

The APT actor also received some malicious domains, that includes all possible flight sector target, Columbusairports.microsoftonline[.]host and [cityname].westus2.cloudapp.azure.com.

All these malicious domains are the U.S. registered and are likely SLTT government targets. Moreover, the APT actors identified and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to gain access to Windows Active Directory (A.D.) servers for all Privilege Escalation. 

The threat actors are gaining the privilege escalation within the network (Valid Accounts [T1078]) as these vulnerabilities can also be leveraged to negotiate other devices on the network so that they can maintain Persistence.

I.P and Domains used

The I.P and Domains that are used in this attack are mentioned below:-

IPs

  • 213.74.101[.]65
  • 213.74.139[.]196
  • 212.252.30[.]170
  • 5.196.167[.]184
  • 37.139.7[.]16
  • 149.56.20[.]55
  • 91.227.68[.]97
  • 138.201.186[.]43
  • 5.45.119[.]124
  • 193.37.212[.]43
  • 146.0.77[.]60
  • 51.159.28[.]101

Domains

  • columbusairports.microsoftonline[.]host
  • microsoftonline[.]host
  • email.microsoftonline[.]services
  • microsoftonline[.]services
  • cityname[.]westus2.cloudapp.azure.com

Mitigations

To mitigate these types of situations and flaws, the security experts have recommended users to keep their VPNs, network infrastructure devices, and other IoT devices updated. Here are the key recommendations provided by security experts:-

  • Execute MFA on all VPN connections to enhance security. 
  • Report all configuration and patch management plans.
  • Always check the network traffic for unexpected and unapproved protocols.
  • Complete MFA, especially for privileged accounts.
  • Prepare separate administrative accounts on separate administration workstations.
  • Keep your software up to date.

On Oct. 9, the FBI and the CISA revealed that the hackers have managed to gain unauthorized access to the election support systems, as they have targeted the state government and local government networks only. However, at the time, the so-called sophisticated hackers didn’t drag Russia for this activity.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Leave a Reply