Russia-linked group that breached US state and local IT draws official accusation from feds

Security researchers have attributed several intrusions to the group known as TEMP.isotope or Energetic Bear, and now federal law enforcement is chiming in with similar accusations.
TEMP.ISOTOPE attribution

It’s no secret that the hacking group often referred to as Energetic Bear or TEMP.Isotope — linked by multiple security firms to Russia — is the prime suspect in a handful of breaches of state and local networks in recent weeks. But now U.S. federal officials are formally blaming the hackers for the activity.

It’s part of a broader U.S effort to more swiftly accuse foreign adversaries of wrongdoing ahead of Election Day while reassuring voters that the election is being protected. In this case, federal officials said the Russian group had used a combination of old and new software vulnerabilities to breach some IT infrastructure used by state and local officials, but that there was no evidence that the “integrity of elections data has been compromised.”

“The Russian state-sponsored APT actor has targeted dozens of SLTT [state, local, territorial and tribal] and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers,” the FBI and U.S. Cybersecurity and Infrastructure Security Agency said in a statement Thursday.

“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations,” the statement continued. “However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.


CyberScoop on Monday first publicly revealed that the TEMP.Isotope group was suspected of being behind the campaign, based on a private analysis from security company FireEye.

Federal officials had previously only alluded to foreign-government involvement in the hacking campaign while encouraging state and local officials to update their software. The activity affected some “elections support systems,” or IT infrastructure that state and local officials use for a range of functions. It did not affect voter registration databases or other more sensitive data, officials said.

TEMP.Isotope is a well-resourced espionage group with a history of targeting Ukraine’s 2019 election as well as energy firms across Europe and the U.S., according to private-sector analysts. The group’s presence on U.S. state and local networks prompted federal officials and private cybersecurity experts to investigate. Election officials were given additional information about the TEMP.Isotope threat as part of a regular classified briefing on Friday, according to a CISA spokesperson.

The cyberdefenses of state and local networks have improved from four years ago, when another set of Russian hackers, allegedly operating on behalf of the GRU military intelligence agency, probed IT systems across the country and compromised Illinois’ voter registration database.

The public attribution for the TEMP.Isotope campaign follows a press conference Wednesday in which U.S. intelligence and national security officials blamed Iran for a series of threatening emails targeting voters. Director of National Intelligence John Ratcliffe also said that Russia and Iran had obtained access to some U.S. voter information, but did not say how. Much of voter registration information is available publicly.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts