APT Groups Target U.S. Election

Authors: Jeremy Ware & Darby Wise

TLP: WHITE

1. Executive Summary

On 22 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published two joint advisories on Russian-state sponsored and Iranian advanced persistent threat actors (APTs) targeting various U.S. government networks and the upcoming U.S. election.^1,2

In an ongoing campaign since September, a Russian state-sponsored APT, known by many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, has been targeting various aviation and U.S. state, local, territorial, and tribal (SLTT) government networks to steal credentials and ultimately exfiltrate any valuable data.

Iranian APTs known for a significant number of intrusions against various U.S. networks are now likely seeking to influence the upcoming election by spoofing media sites to spread anti-American propaganda and misinformation on voter suppression and fraud.

2. Analysis

   • Russian APTs

Since February, the Russian state-sponsored APT has been conducting brute force attacks and structured query language (SQL) injections, hosting malicious domains, as well as exploiting several Common Vulnerabilities and Exposures (CVEs) such as a Citrix Directory Traversal Bug (CVE-2019-19781)³ and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).⁴ This APT is also known to utilize Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim’s network, potentially by utilizing an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149)⁵ (External Remote Services [T1133]).⁶

According to the report, most recent attacks by this APT exploited a Fortinet VPN vulnerability for Initial Access [TA0001],⁷ along with the Windows Netlogon vulnerability (CVE-2020-1472).⁸ The actor then pivoted to obtain access to Windows Active Directory (AD) servers to elevate their privileges [TA0004]⁹ within the network. The use of these vulnerabilities allows for the threat actors to compromise additional devices on the network and maintain persistence [TA0003].¹⁰

The APT used these techniques to target aviation and SLTT government networks, and has successfully exfiltrated data from at least two victim servers. This data includes sensitive network configurations, passwords, vendor and purchasing information, printing access badges and standard operating procedures (SOP). There is currently no direct evidence indicating this actor has already intentionally interfered with government, aviation, or U.S. election operations. However, the report suggests that this actor could be targeting the organizations to gain access for future operations targeting U.S. policies or SLTT government entities.

• • Iranian APTs 

Since August 2019, Iranian APTs have carried out numerous attacks targeting U.S.-based networks. In these attacks, the actors have exploited several CVEs concerning content management systems (CMSs) and VPNs, including CVE-2020-5902¹¹ and CVE-2017-9248.¹² CVE-2020-5902 specifically highlights vulnerabilities in F5’s BIG-IP VPNs that allow threat actors to execute arbitrary commands, disable services, etc.¹³ CVE-2017-9248 references a weakness that exists in the Telerik UI dynamic-link library (DLL) Telerik.Web.UI.dll. This vulnerability could potentially result in cross-site scripting (XSS) attacks.¹⁴

According to the report, these actors have also conducted various kinds of attacks, including SQL injections and distributed denial-of-service (DDoS) attacks, website defacements, as well as spear-phishing and disinformation campaigns. The APTs have been combining these activities with the exploitation of certain CVEs to attempt to disrupt the upcoming U.S. presidential election.

• Threat actors use SQL injections to insert and execute malicious code in applications and websites. Injecting into the CMS of a media company or election-related website would give the actor access to the website’s network, allowing them to manipulate its content and insert falsified information.
• The APT could use DDoS attacks to prevent users from accessing important online resources related to elections, such as websites with voting information or unofficial results. These attacks could flood election-related websites with server requests, potentially slowing them down to the point of being inaccessible.
• Similar to the SQL injections, threat actors can use website defacements to manipulate the content of an election-related website by compromising vulnerabilities in its CMS. Threat actors could delegitimize these websites and impact the public’s view by uploading any kind of images to the website’s landing page.
• Malspam campaigns use spear-phishing emails with malicious links or attachments to lure users into entering sensitive information such as credentials. Threat actors are then able to steal this information and use it to gain access to a victim’s system. In this case, Iranian APTs could use the stolen credentials to access a victim’s email and contact list to spread falsified information.
• Threat actors use disinformation campaigns to undermine confidence in the electoral system. These campaigns use social media, along with fake and spoofed media websites to spread falsified information to a large audience. Various social media companies have attempted to minimize these campaigns by removing posts with falsified news stories, along with the accounts that spread them, but these efforts are not enough to fully prevent this kind of malicious activity.

3. Prevention and Mitigation

CISA and the FBI provide a set of recommendations in each report to mitigate the effects of the APTs, including the following table with patch information on specific vulnerabilities targeted by the Russian APT:

Table 1: Patch information for CVEs¹⁵

Vulnerability	Vulnerable Products	Patch Information
CVE-2019-19781	Citrix Application Delivery Controller Citrix Gateway Citrix SDWAN WANOP	Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
CVE-2020-0688	Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Exchange Server 2016 Cumulative Update 14	Microsoft Security Advisory for CVE-2020-0688
CVE-2020-0688	Microsoft Exchange Server 2016 Cumulative Update 15 Microsoft Exchange Server 2019 Cumulative Update 3 Microsoft Exchange Server 2019 Cumulative Update 4	Microsoft Security Advisory for CVE-2020-0688
CVE-2019-10149	Exim versions 4.87–4.91	Exim page for CVE-2019-10149
CVE-2018-13379	FortiOS 6.0: 6.0.0 to 6.0.4 FortiOS 5.6: 5.6.3 to 5.6.7 FortiOS 5.4: 5.4.6 to 5.4.12	Fortinet Security Advisory: FG-IR-18-384
CVE-2020-1472	Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2019 (Server Core installation) Windows Server, version 1903  (Server Core installation) Windows Server, version 1909  (Server Core installation) Windows Server, version 2004   (Server Core installation)	Microsoft Security Advisory for CVE-2020-1472

 

4. Indicators of Compromise

Below is a list of the indicators of compromise (IOCs) used in the Russian APT’s malicious activities:

Indicator	Description
213[.]74[.]101[.]65 213[.]74[.]139[.]196 212[.]252[.]30[.]170 5[.]196[.]167[.]184 37[.]139[.]7[.]16 149[.]56[.]20[.]55 91[.]227[.]68[.]97 138[.]201[.]186[.]43 5[.]45[.]119[.]124 193[.]37[.]212[.]43 146[.]0[.]77[.]60 51[.]159[.]28[.]101	Russian APT IPs
columbusairports[.]microsoftonline[.]host microsoftonline[.]host email[.]microsoftonline[.]services microsoftonline[.]services cityname[.]westus2[.]cloudapp[.]azure[.]com	Russian APT domains

Endnotes

1. https://us-cert.cisa.gov/ncas/alerts/aa20-296a
2. https://us-cert.cisa.gov/ncas/alerts/aa20-296b
3. https://nvd.nist.gov/vuln/detail/CVE-2019-19781
4. https://nvd.nist.gov/vuln/detail/CVE-2020-0688
5. https://nvd.nist.gov/vuln/detail/CVE-2019-10149
6. https://attack.mitre.org/versions/v7/techniques/T1133/
7. https://attack.mitre.org/versions/v7/tactics/TA0001/
8. https://nvd.nist.gov/vuln/detail/CVE-2018-13379
9. https://attack.mitre.org/versions/v7/tactics/TA0004/
10. https://attack.mitre.org/versions/v7/tactics/TA0003/
11. https://nvd.nist.gov/vuln/detail/CVE-2020-5902
12. https://nvd.nist.gov/vuln/detail/CVE-2017-9248
13. https://support.f5.com/csp/article/K52145254
14. https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
15. https://us-cert.cisa.gov/ncas/alerts/aa20-296a