WASHINGTON (AP) – US and British agencies on Thursday revealed details of “brute force” methods that they say have been used by Russian intelligence to try to access the cloud services of hundreds of government agencies, energy companies and other organizations.
An advisory published by the US National Security Agency describes attacks by operatives linked to the GRU, the Russian military intelligence agency, which has previously been linked to major cyberattacks abroad and to efforts to disrupt US elections in 2016 and 2020.
In a statement, NSA cybersecurity director Rob Joyce said the campaign “was probably ongoing, on a global scale.”
Brute force attacks involve automatically bombarding login pages with candidate passwords until the attackers gain access. The advisory urges companies to adopt measures that experts have long recommended as common-sense cyber hygiene, including using multi-factor authentication and requiring strong passwords.
Issued during a devastating wave of ransomware attacks against governments and key infrastructure, the advisory does not reveal the specific objectives of the campaign or its alleged purpose, and only says that hackers have targeted hundreds of organizations around the world.
The NSA says that GRU-linked operatives have tried to break into networks using Kubernetes, an open source tool originally developed by Google to manage cloud services, from at least mid-2019 to early this year. While a “significant number” of the intrusion attempts targeted organizations using Microsoft’s Office 365 cloud services, the hackers also targeted other cloud providers and email servers, the NSA said.
The United States has long accused Russia of using and tolerating cyberattacks for espionage, the spread of disinformation, and the disruption of governments and key infrastructure. The Russian embassy in Washington did not immediately respond to a request for comment Thursday.
Joe Slowik, a threat analyst at network monitoring firm Gigamon, said the activity described by the NSA on Thursday shows that the GRU has further streamlined an already popular technique for breaking into networks. He said it appears to overlap with Department of Energy reports of brute force intrusion attempts in late 2019 and early 2020 targeting the US government and energy sectors.
Slowik said that the use of Kubernetes “is certainly a bit unique, although on its own it doesn’t seem worrisome.” He said the brute force method and the lateral movement within networks described by the NSA are common among state-backed hackers and criminal ransomware gangs, allowing the GRU to blend in with other actors.
John Hultquist, vice president of analysis at cybersecurity firm Mandiant, characterized the activity described in the advisory as “routine collection against policy makers, diplomats, the military, and the defense industry.”
“This is a good reminder that the GRU remains an imminent threat, which is especially important considering the upcoming Olympics, an event that they might as well attempt to disrupt,” Hultquist said in a statement.
The FBI and the Cybersecurity and Infrastructure Security Agency joined in on the advisory, as did Britain’s National Cyber Security Centre.
The GRU has been repeatedly linked by US officials in recent years to a series of hacking incidents. In 2018, the office of special counsel Robert Mueller charged 12 military intelligence officers with hacking Democratic emails that were later released by WikiLeaks in an effort to damage Hillary Clinton’s presidential campaign and boost Donald Trump’s candidacy.
More recently, the Justice Department announced charges last fall against GRU officials in cyberattacks that targeted a French presidential election, the Winter Olympics in South Korea, and American companies.
Unlike Russia’s foreign intelligence agency, the SVR, which is blamed for the SolarWinds hacking campaign and is careful not to be detected in its cyber operations, the GRU has carried out the most damaging cyberattacks on record, including two against Ukraine’s power grid and the 2017 NotPetya virus, which caused more than $10 billion in damage globally.
GRU operatives have also been involved in spreading misinformation related to the coronavirus pandemic, US officials have alleged. And an American intelligence assessment in March says that the GRU tried to monitor people in American politics in 2019 and 2020 and organized a phishing campaign against subsidiaries of the Ukrainian energy company Burisma, likely to gather information damaging to President Joe Biden, whose son had previously served on its board.
In April, the Biden administration sanctioned Russia after linking it to election interference and the SolarWinds breach.