Rewterz Threat Alert – Russian State-Sponsored Advanced Persistent Threat Actors

Severity

Medium

Analysis Summary

Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and exfiltrated data from at least two victim servers. The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to Sensitive network configurations and passwords, Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA), IT instructions, such as requesting password resets, Vendors and purchasing information, Printing access badges etc.

Impact

• Credential Theft
• Exposure of Sensitive Information

Indicators of Compromise

Domain Name

• email[.]microsoftonline[.]services
• columbusairports[.]microsoftonline[.]host

Source IP

• 212[.]252[.]30[.]170
• 91[.]227[.]68[.]97
• 146[.]0[.]77[.]60
• 213[.]74[.]139[.]196
• 37[.]139[.]7[.]16
• 138[.]201[.]186[.]43
• 193[.]37[.]212[.]43
• 5[.]196[.]167[.]184
• 213[.]74[.]101[.]65
• 149[.]56[.]20[.]55
• 51[.]159[.]28[.]101
• 5[.]45[.]119[.]124

Remediation

• Block the threat indicators at their respective controls.
• Keep all systems and software updated to latest patched versions.