The GRU, Russia’s military intelligence division, has been conducting “brute force” cyberattacks against “hundreds” of government and private sector targets around the world since mid-2019, according to US and UK security agencies.
The campaign is “likely ongoing” and its targets span sectors including defence, energy, higher education, logistics, law, media and think tanks.
In successful attacks the GRU’s objective is to harvest sensitive data, the FBI, National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) said in their joint advisory.
Brute force techniques involve an attacker submitting a high volume of passwords and usernames in the hope that one will be successful. Such attacks often use passwords exposed in previous breaches because of the high likelihood that some passwords have been reused for other accounts.
After discovering valid credentials, GRU operatives “combined them with various publicly known vulnerabilities”, including the Microsoft Exchange flaws, to “gain further access into victim networks”.
“Once the account is compromised, there is no easy way to differentiate between the legitimate activities of a user and potentially legitimate, but malicious attempts to access data,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.
The hacking campaign targeted organisations using Microsoft Office 365 cloud services, along with other service providers and on-premises email servers.
The GRU used a Kubernetes cluster – a set of nodes to run containerised applications – to conduct the campaign at a larger scale.
It also used commercial VPN services and the Tor network in an attempt to cover its tracks.
While the GRU’s targets were global, its primary focus was on organisations in the US and Europe, according to the security agencies.
The GRU, officially now known as the Russian General Staff Main Intelligence Directorate, controls the military intelligence service and is under the direct control of the Russian military. It was created in its current form by Joseph Stalin in 1942 and was used to conduct spying operations during the Cold War.
The advisory identifies the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, as the group behind the hacking campaign. It is also known as Fancy Bear, APT28 and Strontium among information security researchers.
“The bread and butter of this group is routine collection against policymakers, diplomats, the military, and the defence industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” said John Hultquist, VP of analysis at Mandiant Threat Intelligence.
Brute force campaign latest hack from Russia
The security agencies advised organisations to implement multi-factor authentication and use strong passwords that are harder for brute force attacks to crack.
They also encouraged the use of network segmentation, automated auditing tools and common password checkers, among other measures.
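An added example, not taken from the advisory or this article: because the campaign spread its attempts across a Kubernetes cluster, VPN services and Tor, a per-source-IP failure threshold stays silent, while counting distinct sources per account within a time window does not. The event format, thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(minute, ip, user, ok):
    return (datetime(2021, 7, 1, 9, 0) + timedelta(minutes=minute), ip, user, ok)

# Constructed events (time, source IP, username, success); documentation-range IPs.
# "alice": six failures, each from a different address, then a successful login.
EVENTS = [_ev(4 * i, f"198.51.100.{10 + i}", "alice", False) for i in range(6)]
EVENTS.append(_ev(26, "198.51.100.99", "alice", True))
# "bob": two mistyped passwords from his usual address, then success.
EVENTS += [_ev(3, "192.0.2.7", "bob", False), _ev(5, "192.0.2.7", "bob", False),
           _ev(6, "192.0.2.7", "bob", True)]

def noisy_ips(events, threshold=5):
    """Per-source rule: IPs with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}

def distributed_targets(events, window=timedelta(minutes=30), min_sources=5):
    """Accounts failing from >= min_sources distinct IPs within one sliding window."""
    by_user = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if not ok:
            by_user[user].append((ts, ip))
    flagged = set()
    for user, fails in by_user.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({ip for _, ip in fails[start:end + 1]}) >= min_sources:
                flagged.add(user)
                break
    return flagged

def success_after_spray(events, **kwargs):
    """Flagged accounts with a successful login after a failure: triage first."""
    flagged, failed, hits = distributed_targets(events, **kwargs), set(), set()
    for _, _, user, ok in sorted(events):
        if ok and user in failed and user in flagged:
            hits.add(user)
        elif not ok:
            failed.add(user)
    return hits

if __name__ == "__main__":
    print(noisy_ips(EVENTS), distributed_targets(EVENTS), success_after_spray(EVENTS))
```

On the sample data the per-IP rule flags nothing, while the per-account rule flags "alice" and marks her later successful login for review.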
The brute force campaign follows a flurry of Russia-linked cyberattacks, including the supply chain attack against IT vendor SolarWinds that saw roughly 18,000 other entities download a malicious update.
Criminal hacking groups believed to be operating out of Russia have also been linked to the ransomware attacks against Colonial Pipeline and meat processor JBS. While these were profit-driven hacks, as opposed to state espionage, security experts say there is sometimes overlap in Russia’s cyber activity.
The disruption caused by these attacks resulted in US President Joe Biden confronting Russian President Vladimir Putin about cybersecurity at a summit in Geneva last month.
“Unfortunately, espionage campaigns from Russia shall not be going away any time soon,” said Natalie Page, threat intelligence analyst at Talion. “This is a country whose government and intelligence services have no shame in their spying efforts and have been attributed to some of the most significant attacks we have seen across the landscape.”
Hultquist added: “Despite our best efforts we are very unlikely to ever stop Moscow from spying.”