US and British intelligence agencies said on Thursday that Russian military intelligence carried out a cyber “brute force” campaign of at least a year and a half targeting the cloud and network services of US and global organizations.
The cyber campaign went after government and military organizations, political parties and consultants, think tanks, law firms, media companies, educational institutions, defense contractors, logistics companies and energy companies, according to a cybersecurity advisory from the National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency, and a division of Britain's Government Communications Headquarters.
“From at least mid-2019 to early 2021, the 85th Main Special Services Center (GTsSS) of the Main Intelligence Directorate of the Russian General Staff (GRU), military unit 26165, used a Kubernetes® cluster to conduct widespread, distributed and anonymous brute force access attempts against hundreds of government and private sector targets around the world,” reads the intelligence agencies’ cybersecurity advisory. “Malicious cyber activity by GTsSS has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium and a variety of other identifiers. The 85th GTsSS directed a significant amount of this activity to organizations using Microsoft Office 365® cloud services; however, they also targeted other local email servers and service providers using a variety of different protocols.”
The NSA’s director of cybersecurity, Rob Joyce, tweeted that the use of multi-factor authentication would go a long way toward combating the Russian threat, which he said was “probably ongoing.”
According to the NSA, cyber attackers used brute force techniques to discover valid credentials through extensive login attempts and sometimes by guessing common passwords or using leaked usernames and passwords.
“While the brute force technique is not new, GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” the NSA said in a statement. “Once the valid credentials were discovered, GTsSS combined them with various publicly known vulnerabilities to gain greater access to the victims’ networks. This, along with various techniques also detailed in the notice, allowed the actors to evade defenses and collect and exfiltrate various information on the networks, including mailboxes.”
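The advisory describes credential discovery through large volumes of login attempts, spread across many accounts and sources so that no single account trips a lockout. The script below is an added example written for this article, not code from the advisory or the agencies, showing how a defender can surface that pattern in authentication logs: it flags a source that fails against many distinct accounts in a short window (password spraying) and a source whose success follows a run of failures for the same account (the moment guessing may have yielded a valid credential). The log format, IP addresses, account names and thresholds are all constructed assumptions for the example.

```python
"""Detect password-spraying and brute-force patterns in authentication logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# ISO-8601 timestamp, source IP, account, result. Not taken from the advisory.
SAMPLE_LOG = """
2021-02-01T03:00:01Z 203.0.113.10 alice@example.org FAIL
2021-02-01T03:00:02Z 203.0.113.10 bob@example.org FAIL
2021-02-01T03:00:03Z 203.0.113.10 carol@example.org FAIL
2021-02-01T03:00:04Z 203.0.113.10 dave@example.org FAIL
2021-02-01T03:00:05Z 203.0.113.10 erin@example.org FAIL
2021-02-01T03:00:06Z 203.0.113.10 frank@example.org FAIL
2021-02-01T03:05:00Z 203.0.113.10 carol@example.org FAIL
2021-02-01T03:05:01Z 203.0.113.10 carol@example.org FAIL
2021-02-01T03:05:02Z 203.0.113.10 carol@example.org SUCCESS
2021-02-01T08:12:00Z 198.51.100.7 alice@example.org FAIL
2021-02-01T08:12:20Z 198.51.100.7 alice@example.org FAIL
2021-02-01T08:12:40Z 198.51.100.7 alice@example.org SUCCESS
2021-02-01T09:00:00Z 192.0.2.44 bob@example.org SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log text into a time-sorted list of (timestamp, ip, account, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def find_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: distinct_accounts} for sources that fail against at least
    min_accounts distinct accounts inside any window-sized span.
    One user mistyping one password repeatedly never trips this rule."""
    failures_by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, account))
    alerts = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {acct for _, acct in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def find_success_after_failures(events, min_failures=3):
    """Return [(ip, account, n_failures)] where a success from a source follows
    at least min_failures consecutive failures for the same account from that
    source. Each hit is a candidate compromised credential worth reviewing."""
    streak = defaultdict(int)
    hits = []
    for ts, ip, account, result in events:
        key = (ip, account)
        if result == "FAIL":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append((ip, account, streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", find_password_spraying(evs))
    print("success after failures:", find_success_after_failures(evs))
```

On the sample data the first rule flags 203.0.113.10 for touching six accounts within seconds, and the second flags the same source's eventual success on carol@example.org after three failures, while the legitimate user at 198.51.100.7 who mistyped a password twice is not reported. Because the campaign distributed attempts across many containers and source addresses, a production version should also aggregate by tenant or target rather than by source IP alone, and the thresholds should be tuned against the organization's own baseline.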
Details of the Russian hacking efforts follow previous actions by the Biden administration that sanctioned Russia and blamed Russia’s Foreign Intelligence Service (SVR) for the hack of SolarWinds network management software that compromised nine US federal agencies.
While the SVR drew attention for the SolarWinds fiasco, Thursday’s alert serves as a reminder not to ignore the GRU either, according to John Hultquist, vice president of the Mandiant division at cybersecurity firm FireEye.
“Don’t sleep on the GRU,” Mr. Hultquist tweeted. “The most aggressive capacity of Russia will not disappear. At the very least, cyber espionage is here to stay. Congratulations to CISA / FBI / NSA for adding friction to their operations.”