Security agencies in the United States and United Kingdom issued an advisory on Thursday to warn organizations about an ongoing global campaign involving brute force techniques.
The NSA, CISA, FBI and the UK’s National Cyber Security Centre (NCSC) have attributed the campaign to the Russian government, specifically a cyber espionage group linked to Russia’s General Staff Main Intelligence Directorate (GRU).
The threat actor has been tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team, and it has been known to target many organizations around the world.
According to the agencies, brute-force access attempts have been used against hundreds of organizations worldwide, particularly in the United States and Europe. Targeted organizations include government and military, political consultants and parties, defense contractors, energy firms, logistics companies, think tanks, universities, law firms and media companies.
“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords. While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” the agencies said.
The campaign, which appears to have started in mid-2019, has leveraged a Kubernetes clustered to conduct what has been described as “widespread, distributed and anonymized brute force access attempts.” While some of these attempts were served directly from nodes in this cluster, in most cases the attacks went through the Tor network and various commercial VPN services.
The brute force attacks have been combined with exploitation of known vulnerabilities, such as the Microsoft Exchange flaws that have been leveraged in many attacks over the past months.
The agencies said much of the brute force activity was aimed at organizations using Microsoft 365 cloud services, but the hackers also targeted other service providers, as well as on-premises email servers.
“APT28 conducts intelligence collection against these targets regularly as part of its remit as the cyber arm of a military intelligence agency,” John Hultquist, VP of analysis at Mandiant Threat Intelligence, said in an email. “The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns. Despite our best efforts we are very unlikely to ever stop Moscow from spying.”
“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” Hultquist added.
The advisory released by the security agencies includes information on known TTPs, recommendations for detection and mitigations, IP addresses, user agents, and Yara rules associated with the attacks.
Nearly one year ago, Microsoft warned that APT28 had been harvesting Office365 credentials for tens of thousands of accounts at organizations in the US and UK.