American and British intelligence agencies said Thursday that Russian military intelligence conducted at least a year-and-a-half-long “brute force” cyber campaign targeting the cloud and network services of U.S. and global organizations.
The cyber campaign went after government and military organizations, political parties and consultants, think tanks, law firms, media companies, educational institutions, defense contractors, logistics companies and energy companies, according to a joint cybersecurity advisory from the National Security Agency, FBI, Cybersecurity and Infrastructure Security Agency, and the U.K. National Cyber Security Centre, a division of Britain’s Government Communications Headquarters (GCHQ).
“Since at least mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide,” read the cybersecurity advisory from the intelligence agencies. “GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers. The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365® cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols.”
NSA Cybersecurity Director Rob Joyce tweeted that using multi-factor authentication would go a long way toward combating the Russian threat, which he said was “likely ongoing.”
According to NSA, the attackers used brute force techniques to discover valid credentials through large numbers of login attempts: sometimes by trying a few common passwords against many accounts (password spraying), and sometimes by replaying usernames and passwords from previously leaked credential sets (credential stuffing).
“While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” said NSA in a statement. “Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various techniques also detailed in the advisory, allowed the actors to evade defenses and collect and exfiltrate various information in the networks, including mailboxes.”
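The two credential-discovery patterns described above leave different fingerprints in authentication logs: a spray produces a few failures each across many accounts from one source, while a classic brute-force attempt piles many failures onto a single account. The following detector is an added example written for this page, not code from the advisory or from any of the agencies; it runs over a constructed, hypothetical log format (`<timestamp> src=<ip> user=<account> result=<SUCCESS|FAILURE>`), and the window and thresholds are illustrative values, not figures from the advisory. It also flags a success from a source that was previously spraying, which is the moment a guessed credential starts being used.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical log format assumed for this example (not the advisory's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Illustrative tuning values; real deployments tune these to their own baseline.
WINDOW = timedelta(minutes=10)   # sliding window of failures kept per source
SPRAY_MIN_ACCOUNTS = 4           # distinct accounts failing from one source ...
SPRAY_MAX_PER_ACCOUNT = 2        # ... with only a few attempts per account
BRUTE_MIN_FAILURES = 5           # failures against one account from one source

# Constructed sample data: one spraying source that eventually succeeds,
# one single-account brute force, and one benign user who mistyped once.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z src=203.0.113.7 user=alice@example.com result=FAILURE
2021-03-01T08:00:02Z src=203.0.113.7 user=bob@example.com result=FAILURE
2021-03-01T08:00:03Z src=203.0.113.7 user=carol@example.com result=FAILURE
2021-03-01T08:00:04Z src=203.0.113.7 user=dave@example.com result=FAILURE
2021-03-01T08:00:30Z src=203.0.113.7 user=dave@example.com result=SUCCESS
2021-03-01T08:05:00Z src=198.51.100.9 user=erin@example.com result=FAILURE
2021-03-01T08:05:01Z src=198.51.100.9 user=erin@example.com result=FAILURE
2021-03-01T08:05:02Z src=198.51.100.9 user=erin@example.com result=FAILURE
2021-03-01T08:05:03Z src=198.51.100.9 user=erin@example.com result=FAILURE
2021-03-01T08:05:04Z src=198.51.100.9 user=erin@example.com result=FAILURE
2021-03-01T08:10:00Z src=192.0.2.10 user=frank@example.com result=FAILURE
2021-03-01T08:10:05Z src=192.0.2.10 user=frank@example.com result=SUCCESS
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect(lines):
    """Return sources/accounts matching the spray, brute-force and post-spray-success patterns."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    fails = defaultdict(list)  # src -> [(ts, user), ...] failures inside WINDOW
    findings = {"spray": set(), "brute": set(), "success_after_spray": set()}

    for e in events:
        src = e["src"]
        cutoff = e["ts"] - WINDOW
        # Expire failures that fell out of the sliding window for this source.
        fails[src] = [(t, u) for (t, u) in fails[src] if t >= cutoff]

        if e["ok"]:
            # A login that works from a source already flagged as spraying is
            # the signal that a guessed credential is now being used.
            if src in findings["spray"]:
                findings["success_after_spray"].add((src, e["user"]))
            continue

        fails[src].append((e["ts"], e["user"]))
        per_account = Counter(u for _, u in fails[src])

        # Spray: many distinct accounts, each hit only a few times. Once a source
        # is flagged it stays flagged, even if later rounds raise the per-account count.
        if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT):
            findings["spray"].add(src)

        # Brute force: one account hammered repeatedly from the same source.
        for user, n in per_account.items():
            if n >= BRUTE_MIN_FAILURES:
                findings["brute"].add((src, user))

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {hits}")
```

Keying the failure window by source address is the simplest cut, but the advisory describes attempts that were distributed and anonymized, so a production version would also aggregate across sources (for example, distinct accounts failing tenant-wide per window, or per target service) rather than trusting any one IP to be stable; the per-account counter above already works unchanged if the key is widened.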
The details of the GRU hacking effort follow the Biden administration’s earlier sanctions on Russia and its attribution to the Russian Foreign Intelligence Service (SVR) of the SolarWinds supply-chain hack, in which compromised network management software was used to breach nine U.S. federal agencies.
While SVR got attention for the SolarWinds fiasco, Thursday’s alert serves as a reminder not to ignore the GRU either, according to John Hultquist, vice president at cybersecurity firm FireEye’s Mandiant division.
“Don’t sleep on the GRU,” Mr. Hultquist tweeted. “Russia’s most aggressive capability is not going away. At the very least, cyber espionage is here to stay. Kudos to CISA/FBI/NSA for adding friction to their ops.”