Industry alert pins state, local government hacking on suspected Russian group

Temp.Isotope has been implicated in cyber activity targeting the 2019 Ukrainian election and a previous campaign against U.S. energy companies.
Moscow, Russia
Architecture and landmarks of Moscow, Russia. (Getty Images)

Suspected Russian hackers were behind multiple recent intrusions of U.S. state and local computer networks, according to an industry analysis obtained by CyberScoop.

The group responsible is known as TEMP.Isotope, according to a private advisory distributed by Mandiant, the incident response arm of security company FireEye. The alert notes that the same group has also been described as Energetic Bear, which multiple security firms have linked to Russia.

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency on Oct. 9 publicized a hacking campaign in which attackers breached some “elections support systems,” or IT infrastructure that state and local officials use for a range of functions. Those systems are not involved in tallying votes, and the advisory from U.S. officials noted that there was no evidence that the “integrity of elections data has been compromised.”

The federal advisory did not blame a particular hacking group for the activity, saying only that the campaign was the work of advanced persistent threat (APT) actors, or attackers linked to one or more foreign governments. It was unclear if any other APT groups, from other countries, were implicated in the advisory.


However, IP addresses used in the hacking were previously employed by the TEMP.Isotope group, according to Mandiant. The hackers exploited a recently revealed vulnerability in a protocol that Microsoft uses to authenticate its users. CISA on Sept. 18 ordered all federal civilian agencies to update their software to address the flaw because of the risk it carried.

The apparent Russian effort to breach state and local networks so close to the U.S. election has had federal officials and private sector experts focused on investigating and remediating the issue. Election officials were given additional information about the threat as part of a regular classified briefing on Friday, according to a CISA spokesperson.

From broad scanning to software exploits

The specific motive of the recent TEMP.Isotope activity is unclear. The hackers did not appear to be targeting state and local networks “because of their proximity to elections information,” U.S. officials said in their advisory.

The activity described by the federal advisory started with broad scanning of vulnerable systems across federal, state and local networks, as well as critical infrastructure in the private sector, the CISA spokesperson said Monday.


“Once vulnerable systems are identified, the actors attempt to compromise the systems using a combination of techniques,” the CISA statement continued. “While we are aware of limited instances where these efforts resulted in unauthorized access to IT systems used by elections officials, we have no evidence or reason to believe that election-related data like voter registration information, or voting machines or tabulation systems, have been affected.”

Mandiant’s advisory did not mention the Russian government.

FireEye itself has described TEMP.Isotope as a “Russian actor” and linked the group directly to a 2018 U.S. advisory that blamed the Russian government for cyberattacks.

A FireEye spokesperson declined to comment on the advisory.

A group with a track record


TEMP.Isotope is perhaps best known for its aggressive campaigns to infiltrate energy companies in the U.S. and Europe. The alleged Russian hackers previously engaged in a years-long effort to breach U.S. energy firms, according to the aforementioned U.S. government advisory and private sector cybersecurity specialists.

The cyberdefenses of state and local networks have improved from four years ago, when another set of Russian hackers, allegedly operating on behalf of the GRU military intelligence agency, probed IT systems across the country and compromised Illinois’ voter registration database.

A spokesperson for the Russian Embassy in Washington, D.C., did not respond to a request for comment on the Mandiant advisory. Russia has repeatedly rejected allegations that it conducts cyberattacks.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts