Security Experts:

Connect with us

Hi, what are you looking for?



Russian Military Hackers Targeted Credentials at Hundreds of Organizations in US, UK

For the past year, Russia-linked threat actor Strontium has targeted hundreds of organizations in the United States and the United Kingdom to harvest account credentials, Microsoft reveals.

For the past year, Russia-linked threat actor Strontium has targeted hundreds of organizations in the United States and the United Kingdom to harvest account credentials, Microsoft reveals.

Also referred to as APT 28, Fancy Bear, Pawn Storm, Sednit, and Tsar Team, Strontium is believed to be a military unit of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

On Thursday, Microsoft published information on a newly identified Strontium campaign that focused on harvesting Office365 credentials for tens of thousands of accounts at organizations in the US and UK, many of them directly involved in political elections.

The attacks appear to have started in September 2019, and hit more than 200 organizations by June 2020. Between August 18 and September 3, the same attacks were observed targeting 6,912 accounts at 28 organizations.

“None of these accounts were successfully compromised,” Microsoft says, underlining that not all of the targeted entities were election-related.

Previous credential-harvesting efforts from Strontium relied on spear-phishing, such as the attacks leading up to the 2016 US presidential election, but the new campaign employed brute-force/password-spray tooling instead. The shift in tactics was observed for other nation-state actors as well, as it makes attacks more difficult to attribute.

Strontium is using tools to route authentication attempts through roughly 1,100 IPs, most of which associated with the Tor anonymizing service. The pool of IPs, however, is constantly evolving, with approximately 20 IPs added/removed daily.

“STRONTIUM’s tooling alternates its authentication attempts amongst this pool of IPs approximately once per second. Considering the breadth and speed of this technique, it seems likely that STRONTIUM has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking, and avoid attribution,” Microsoft explains.

In a two-week timeframe (August 19 – September 3), Strontium used an average of 1,294 daily IPs, associated with 536 netblocks and 273 ASNs. Some of the netblocks were more heavily used than others, and Microsoft believes that the underlying anonymization service is over-serving IPs in these specific netblocks.

“The fact that the anonymization service is over-serving specific netblocks gives defenders an opportunity to hunt for activity associated both with this STRONTIUM activity or other malicious tooling that is utilizing the same anonymization service,” the tech company says.

Strontium was also observed leveraging password-spray tools that try username-password combinations in a “low-’n-slow” manner: roughly four authentication attempts per hour for any targeted account. The attacks last days or weeks, and nearly each of the attempts originates from a different IP address.

“In brute-force mode, the tooling attempts many username: password attempts very rapidly for a much shorter time period. Organizations targeted by the tooling running in this mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days,” the company reveals.

Strontium, Microsoft also reveals, is only one of the state-sponsored hacking groups targeting election-related organizations in the US and the UK. The China-linked Zirconium and Iran-backed Phosphorus groups were also observed engaging in such activities recently.

Related: Russian Hackers Target U.S. Campaigns, Parties: Microsoft

Related: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

Related: Russian Cyberspies Again Target Sporting, Anti-Doping Organizations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.