Connect with us

Hi, what are you looking for?



Russians Used Brute Force Attacks Against Hundreds of Orgs: Security Agencies

Security agencies in the United States and United Kingdom issued an advisory on Thursday to warn organizations about an ongoing global campaign involving brute force techniques.

Security agencies in the United States and United Kingdom issued an advisory on Thursday to warn organizations about an ongoing global campaign involving brute force techniques.

The NSA, CISA, FBI and the UK’s National Cyber Security Centre (NCSC) have attributed the campaign to the Russian government, specifically a cyber espionage group linked to Russia’s General Staff Main Intelligence Directorate (GRU).

The threat actor has been tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team, and it has been known to target many organizations around the world.

Russian hackers use brute force attacksAccording to the agencies, brute-force access attempts have been used against hundreds of organizations worldwide, particularly in the United States and Europe. Targeted organizations include government and military, political consultants and parties, defense contractors, energy firms, logistics companies, think tanks, universities, law firms and media companies.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords. While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” the agencies said.

The campaign, which appears to have started in mid-2019, has leveraged a Kubernetes clustered to conduct what has been described as “widespread, distributed and anonymized brute force access attempts.” While some of these attempts were served directly from nodes in this cluster, in most cases the attacks went through the Tor network and various commercial VPN services.

The brute force attacks have been combined with exploitation of known vulnerabilities, such as the Microsoft Exchange flaws that have been leveraged in many attacks over the past months.

The agencies said much of the brute force activity was aimed at organizations using Microsoft 365 cloud services, but the hackers also targeted other service providers, as well as on-premises email servers.

Advertisement. Scroll to continue reading.

“APT28 conducts intelligence collection against these targets regularly as part of its remit as the cyber arm of a military intelligence agency,” John Hultquist, VP of analysis at Mandiant Threat Intelligence, said in an email. “The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns. Despite our best efforts we are very unlikely to ever stop Moscow from spying.”

“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” Hultquist added.

The advisory released by the security agencies includes information on known TTPs, recommendations for detection and mitigations, IP addresses, user agents, and Yara rules associated with the attacks.

Nearly one year ago, Microsoft warned that APT28 had been harvesting Office365 credentials for tens of thousands of accounts at organizations in the US and UK.

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal

Related: Russian Hackers Use New ‘SkinnyBoy’ Malware in Attacks on Military, Government Orgs

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.