{"id":5647,"date":"2020-10-27T16:51:38","date_gmt":"2020-10-27T23:51:38","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5647"},"modified":"2024-04-26T13:21:11","modified_gmt":"2024-04-26T20:21:11","slug":"apt-groups-target-u-s-election","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/apt-groups-target-u-s-election\/","title":{"rendered":"APT Groups Target U.S. Election"},"content":{"rendered":"<p>Authors: Jeremy Ware &amp; Darby Wise<\/p>\n<p>TLP: WHITE<\/p>\n<ol>\n<li>\n<h3><strong>Executive Summary<\/strong><\/h3>\n<\/li>\n<\/ol>\n<p>On 22 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published two joint advisories on Russian state-sponsored and Iranian advanced persistent threat actors (APTs) targeting various U.S. government networks and the upcoming U.S. election.<sup>1,2<\/sup><\/p>\n<p>In an ongoing campaign since September, a Russian state-sponsored APT, known by many names, including Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, has been targeting various aviation and U.S. state, local, territorial, and tribal (SLTT) government networks to steal credentials and ultimately exfiltrate any valuable data.<\/p>\n<p>Iranian APTs, known for a significant number of intrusions against various U.S. networks, are now likely seeking to influence the upcoming election by spoofing media sites to spread anti-American propaganda and misinformation on voter suppression and fraud.<\/p>\n<ol start=\"2\">\n<li>\n<h3><strong>Analysis<\/strong><\/h3>\n<ul>\n<li><strong>Russian APTs<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Since February, the Russian state-sponsored APT has been conducting brute force attacks and structured query language (SQL) injections, hosting malicious domains, as well as exploiting several Common Vulnerabilities and Exposures (CVEs) such as a Citrix directory traversal bug (CVE-2019-19781)<sup>3<\/sup> and a Microsoft Exchange remote code execution flaw (CVE-2020-0688).<sup>4<\/sup> This APT is also known to utilize Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim\u2019s network, potentially by utilizing an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE-2019-10149)<sup>5<\/sup> (External Remote Services [T1133]).<sup>6<\/sup><\/p>\n<p>According to the report, most recent attacks by this APT exploited a Fortinet VPN vulnerability (CVE-2018-13379)<sup>8<\/sup> for Initial Access [TA0001],<sup>7<\/sup> along with the Windows Netlogon vulnerability (CVE-2020-1472). The actor then pivoted to obtain access to Windows Active Directory (AD) servers to elevate their privileges [TA0004]<sup>9<\/sup> within the network. The use of these vulnerabilities allows the threat actors to compromise additional devices on the network and maintain persistence [TA0003].<sup>10<\/sup><\/p>\n<p>The APT used these techniques to target aviation and SLTT government networks, and has successfully exfiltrated data from at least two victim servers. This data includes sensitive network configurations, passwords, vendor and purchasing information, printing access badges and standard operating procedures (SOP). 
There is currently no direct evidence indicating this actor has already intentionally interfered with government, aviation, or U.S. election operations. However, the report suggests that this actor could be targeting the organizations to gain access for future operations targeting U.S. policies or SLTT government entities.<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>Iranian APTs<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Since August 2019, Iranian APTs have carried out numerous attacks targeting U.S.-based networks. In these attacks, the actors have exploited several CVEs concerning content management systems (CMSs) and VPNs, including CVE-2020-5902<sup>11<\/sup> and CVE-2017-9248.<sup>12<\/sup> CVE-2020-5902 specifically describes vulnerabilities in F5\u2019s BIG-IP VPNs that allow threat actors to execute arbitrary commands, disable services, and more.<sup>13<\/sup> CVE-2017-9248 references a weakness in the Telerik UI dynamic-link library (DLL) <em>Telerik.Web.UI.dll<\/em>. This vulnerability could potentially result in cross-site scripting (XSS) attacks.<sup>14<\/sup><\/p>\n<p>According to the report, these actors have also conducted various kinds of attacks, including SQL injections, distributed denial-of-service (DDoS) attacks and website defacements, as well as spear-phishing and disinformation campaigns. The APTs have been combining these activities with the exploitation of certain CVEs to attempt to disrupt the upcoming U.S. presidential election.<\/p>\n<ul>\n<li>Threat actors use SQL injections to insert and execute malicious code in applications and websites. Injecting into the CMS of a media company or election-related website would give the actor access to the website\u2019s network, allowing them to manipulate its content and insert falsified information.<\/li>\n<li>The APT could use DDoS attacks to prevent users from accessing important online resources related to elections, such as websites with voting information or unofficial results. These attacks could flood election-related websites with server requests, potentially slowing them down to the point of being inaccessible.<\/li>\n<li>Similar to the SQL injections, threat actors can use website defacements to manipulate the content of an election-related website by exploiting vulnerabilities in its CMS. Threat actors could delegitimize these websites and impact the public\u2019s view by uploading arbitrary images to the website\u2019s landing page.<\/li>\n<li>Malspam campaigns use spear-phishing emails with malicious links or attachments to lure users into entering sensitive information such as credentials. Threat actors are then able to steal this information and use it to gain access to a victim\u2019s system. In this case, Iranian APTs could use the stolen credentials to access a victim\u2019s email and contact list to spread falsified information.<\/li>\n<li>Threat actors use disinformation campaigns to undermine confidence in the electoral system. These campaigns use social media, along with fake and spoofed media websites, to spread falsified information to a large audience. 
Various social media companies have attempted to minimize these campaigns by removing posts with falsified news stories, along with the accounts that spread them, but these efforts are not enough to fully prevent this kind of malicious activity.<\/li>\n<\/ul>\n<ol start=\"3\">\n<li>\n<h3><strong>Prevention and Mitigation<\/strong><\/h3>\n<\/li>\n<\/ol>\n<p>CISA and the FBI provide a set of recommendations in each report to mitigate the effects of the APTs, including the following table with patch information on specific vulnerabilities targeted by the Russian APT:<\/p>\n<p><em>Table 1: Patch information for CVEs<\/em><sup>15<\/sup><\/p>\n<table width=\"672\">\n<tbody>\n<tr>\n<td><strong>Vulnerability<\/strong><\/td>\n<td><strong>Vulnerable Products<\/strong><\/td>\n<td><strong>Patch Information<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-19781\">CVE-2019-19781<\/a><\/p>\n<\/td>\n<td style=\"text-align: center;\">\n<p>Citrix Application Delivery Controller<\/p>\n<p>Citrix Gateway<\/p>\n<p>Citrix SDWAN WANOP<\/p>\n<\/td>\n<td style=\"text-align: center;\">\n<p><a href=\"https:\/\/www.citrix.com\/blogs\/2020\/01\/19\/vulnerability-update-first-permanent-fixes-available-timeline-accelerated\/\">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0<\/a><\/p>\n<p><a href=\"https:\/\/www.citrix.com\/blogs\/2020\/01\/22\/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop\/\">Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3<\/a><\/p>\n<p><a href=\"https:\/\/www.citrix.com\/blogs\/2020\/01\/23\/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0\/\">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0<\/a><\/p>\n<p><a href=\"https:\/\/www.citrix.com\/blogs\/2020\/01\/24\/citrix-releases-final-fixes-for-cve-2019-19781\/\">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0688\">CVE-2020-0688<\/a><\/p>\n<\/td>\n<td>\n<p>Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30<\/p>\n<p>Microsoft Exchange Server 2013 Cumulative Update 23<\/p>\n<p>Microsoft Exchange Server 2016 Cumulative Update 14<\/p>\n<\/td>\n<td><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0688\">Microsoft Security Advisory for CVE-2020-0688<\/a><\/td>\n<\/tr>\n<tr>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0688\">CVE-2020-0688<\/a><\/p>\n<\/td>\n<td>\n<p>Microsoft Exchange Server 2016 Cumulative Update 15<\/p>\n<p>Microsoft Exchange Server 2019 Cumulative Update 3<\/p>\n<p>Microsoft Exchange Server 2019 Cumulative Update 4<\/p>\n<\/td>\n<td><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0688\">Microsoft Security Advisory for CVE-2020-0688<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-10149\">CVE-2019-10149<\/a><\/td>\n<td>Exim versions 4.87\u20134.91<\/td>\n<td><a href=\"https:\/\/www.exim.org\/static\/doc\/security\/CVE-2019-10149.txt\">Exim page for CVE-2019-10149<\/a><\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-13379\">CVE-2018-13379<\/a><\/td>\n<td>\n<p>FortiOS 6.0: 6.0.0 to 6.0.4<\/p>\n<p>FortiOS 5.6: 5.6.3 to 5.6.7<\/p>\n<p>FortiOS 5.4: 5.4.6 to 5.4.12<\/p>\n<\/td>\n<td><a href=\"https:\/\/www.fortiguard.com\/psirt\/FG-IR-18-384\">Fortinet Security Advisory: FG-IR-18-384<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-1472\">CVE-2020-1472<\/a><\/td>\n<td style=\"text-align: center;\">\n<p>Windows Server 2008 R2 for x64-based Systems Service Pack 1<\/p>\n<p>Windows Server 2008 R2 for x64-based Systems Service Pack 1 
 (Server Core installation)<\/p>\n<p>Windows Server 2012<\/p>\n<p>Windows Server 2012 (Server Core installation)<\/p>\n<p>Windows Server 2012 R2<\/p>\n<p>Windows Server 2016<\/p>\n<p>Windows Server 2019<\/p>\n<p>Windows Server 2019 (Server Core installation)<\/p>\n<p>Windows Server, version 1903 (Server Core installation)<\/p>\n<p>Windows Server, version 1909 (Server Core installation)<\/p>\n<p>Windows Server, version 2004 (Server Core installation)<\/p>\n<\/td>\n<td>\n<p style=\"text-align: center;\"><a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1472\">Microsoft Security Advisory for CVE-2020-1472<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ol start=\"4\">\n<li>\n<h3><strong>Indicators of Compromise<\/strong><\/h3>\n<\/li>\n<\/ol>\n<p>The indicators of compromise (IOCs) used in the Russian APT\u2019s malicious activities consist of IP addresses and domains; the full list is published in the joint advisory AA20-296A.<sup>1<\/sup><\/p>\n<p><strong>Endnotes<\/strong><\/p>\n<ol>\n<li>https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-296a<\/li>\n<li>https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-296b<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-19781<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0688<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-10149<\/li>\n<li>https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1133\/<\/li>\n<li>https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0001\/<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-13379<\/li>\n<li>https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0004\/<\/li>\n<li>https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0003\/<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-5902<\/li>\n<li>https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-9248<\/li>\n<li>https:\/\/support.f5.com\/csp\/article\/K52145254<\/li>\n<li>https:\/\/www.telerik.com\/support\/kb\/aspnet-ajax\/details\/cryptographic-weakness<\/li>\n<li>https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-296a<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Jeremy Ware &amp; Darby Wise TLP: WHITE Executive Summary On 22 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published two joint advisories on Russian state-sponsored and Iranian advanced persistent threat actors (APTs) targeting various U.S. government networks and the upcoming U.S. 
election.1,2 In an ongoing campaign [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":2809,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[340,339,334,308,367,341],"class_list":{"0":"post-5647","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-advanced-persistent-threat","9":"tag-apt","10":"tag-cisa","11":"tag-fbi","12":"tag-government","13":"tag-russian-state-sponsored","14":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5647"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5647\/revisions"}],"predecessor-version":[{"id":5651,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5647\/revisions\/5651"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/2809"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}