Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Russians Used Brute Force Attacks Against Hundreds of Orgs: Security Agencies

Security agencies in the United States and United Kingdom issued an advisory on Thursday to warn organizations about an ongoing global campaign involving brute force techniques.

Security agencies in the United States and United Kingdom issued an advisory on Thursday to warn organizations about an ongoing global campaign involving brute force techniques.

The NSA, CISA, FBI and the UK’s National Cyber Security Centre (NCSC) have attributed the campaign to the Russian government, specifically a cyber espionage group linked to Russia’s General Staff Main Intelligence Directorate (GRU).

The threat actor has been tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team, and it has been known to target many organizations around the world.

Russian hackers use brute force attacksAccording to the agencies, brute-force access attempts have been used against hundreds of organizations worldwide, particularly in the United States and Europe. Targeted organizations include government and military, political consultants and parties, defense contractors, energy firms, logistics companies, think tanks, universities, law firms and media companies.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords. While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” the agencies said.

The campaign, which appears to have started in mid-2019, has leveraged a Kubernetes clustered to conduct what has been described as “widespread, distributed and anonymized brute force access attempts.” While some of these attempts were served directly from nodes in this cluster, in most cases the attacks went through the Tor network and various commercial VPN services.

The brute force attacks have been combined with exploitation of known vulnerabilities, such as the Microsoft Exchange flaws that have been leveraged in many attacks over the past months.

The agencies said much of the brute force activity was aimed at organizations using Microsoft 365 cloud services, but the hackers also targeted other service providers, as well as on-premises email servers.

“APT28 conducts intelligence collection against these targets regularly as part of its remit as the cyber arm of a military intelligence agency,” John Hultquist, VP of analysis at Mandiant Threat Intelligence, said in an email. “The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns. Despite our best efforts we are very unlikely to ever stop Moscow from spying.”

“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” Hultquist added.

The advisory released by the security agencies includes information on known TTPs, recommendations for detection and mitigations, IP addresses, user agents, and Yara rules associated with the attacks.

Nearly one year ago, Microsoft warned that APT28 had been harvesting Office365 credentials for tens of thousands of accounts at organizations in the US and UK.

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal

Related: Russian Hackers Use New ‘SkinnyBoy’ Malware in Attacks on Military, Government Orgs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...