On Thursday, security authorities in the United States and the United Kingdom issued an advisory warning businesses about a global campaign that relies on brute force tactics.
The NSA, CISA, FBI, and the UK’s National Cyber Security Centre (NCSC) have attributed the campaign to the Russian government, specifically a cyber espionage unit associated with Russia’s General Staff Main Intelligence Directorate (GRU).
The threat actor, which is also tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team, has been known to attack a wide variety of organisations around the world.
Hundreds of organisations around the world, mainly in the United States and Europe, have been subjected to brute-force entry attempts, according to the authorities. Government and military agencies, political advisers and parties, defence contractors, energy businesses, logistical companies, think tanks, universities, legal firms, and media companies are among the groups targeted.
“Malicious cyber actors utilise brute force techniques to discover legitimate credentials, which they do by making several login attempts, sometimes using previously obtained usernames and passwords or guessing with different versions of the most frequent passwords.” While the brute force technique is not new, the GRU unit (the GTsSS) used software containers in a novel way to scale its brute force attempts, according to the authorities.
The campaign, which appears to have begun in mid-2019, has used a Kubernetes cluster to conduct “widespread, dispersed, and anonymous brute force access attempts,” according to the advisory. While some of these attempts were sent directly from cluster nodes, the majority were routed through the Tor network and commercial VPN providers.
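The distributed, anonymised credential guessing described above is what a defender’s sign-in telemetry has to surface. The following is an added example, not code from the advisory or from the article: it parses constructed Microsoft 365-style sign-in records (the field layout, thresholds and IP addresses are assumptions) and applies two complementary checks, one per source IP for a single node spraying many accounts, and one tenant-wide for a spray spread across many Tor or VPN exits where each IP stays below the per-source threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, account, source IP, outcome); illustrative only.
SAMPLE_LOG = """\
2021-07-01T08:00:01Z alice@example.test 203.0.113.10 FAILURE
2021-07-01T08:00:03Z bob@example.test 203.0.113.10 FAILURE
2021-07-01T08:00:05Z carol@example.test 203.0.113.10 FAILURE
2021-07-01T08:00:09Z erin@example.test 203.0.113.10 SUCCESS
2021-07-01T08:20:00Z dave@example.test 198.51.100.7 FAILURE
2021-07-01T08:20:02Z frank@example.test 198.51.100.8 FAILURE
2021-07-01T08:20:04Z grace@example.test 198.51.100.9 FAILURE
2021-07-01T09:30:00Z alice@example.test 192.0.2.55 FAILURE
2021-07-01T09:30:30Z alice@example.test 192.0.2.55 SUCCESS
"""

def parse_events(text):
    """Return (timestamp, user, ip, outcome) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("SUCCESS", "FAILURE"):
            events.append((datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), *parts[1:]))
    return sorted(events)

def detect_spray_by_source(events, window=timedelta(minutes=10), min_accounts=3):
    """Per-source view: one IP whose failures hit many accounts, plus any account it then got into."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [(ts, u) for ts, u, o in evs if o == "FAILURE"]
        for i, (start, _) in enumerate(failures):
            targeted = {u for ts, u in failures[i:] if ts - start <= window}
            if len(targeted) >= min_accounts:
                hits = sorted({u for ts, u, o in evs if o == "SUCCESS" and ts >= start})
                alerts[ip] = {"accounts_targeted": len(targeted), "successes": hits}
                break
    return alerts

def detect_spray_distributed(events, window=timedelta(minutes=10), min_accounts=3, min_sources=2):
    """Tenant-wide view: failures against many accounts from many IPs inside one window, each IP quiet."""
    failures = [(ts, u, ip) for ts, u, ip, o in events if o == "FAILURE"]
    for i, (start, _, _) in enumerate(failures):
        span = [(u, ip) for ts, u, ip in failures[i:] if ts - start <= window]
        users, ips = {u for u, _ in span}, {ip for _, ip in span}
        if len(users) >= min_accounts and len(ips) >= min_sources:
            return {"start": start.isoformat(), "accounts": len(users), "sources": len(ips)}
    return None
```

The per-source check alone misses the second burst, where each exit node touches a single account; the tenant-wide check ignores the first burst only because it came from one IP, which the per-source check already flagged together with the account it then logged into.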
The brute force attacks were combined with the exploitation of known vulnerabilities, such as the Microsoft Exchange flaws that have been used in numerous attacks in recent months.
The attackers primarily targeted organisations using Microsoft 365 cloud services, but they also went after other service providers and on-premises email servers, according to the agencies.
In an email, John Hultquist, VP of analysis at Mandiant Threat Intelligence, said, “APT28 performs intelligence gathering against these targets on a regular basis as part of its remit as the cyber arm of a military intelligence agency. Routine collecting against policymakers, diplomats, the military, and the defence sector is the bread and butter of this group, and these kinds of occurrences don’t always foreshadow operations like hacking and leak campaigns. Despite our best efforts, we will almost certainly never be able to prevent Moscow from spying.”
“This is an excellent reminder that the GRU is still a looming threat,” Hultquist noted, “which is especially significant considering the approaching Olympics, which they may well try to disrupt.”
The security agencies’ advisory includes information on known TTPs, detection and mitigation recommendations, IP addresses, user agents, and YARA rules associated with the attacks.
Microsoft warned about a year ago that APT28 was harvesting Office 365 credentials for tens of thousands of accounts at organisations in the United States and the United Kingdom.