UK, US agencies warn of large-scale brute-force attacks carried out by Russian APT

UK, US agencies warn of large-scale brute-force attacks carried out by Russian APT

July 1, 2021 - SecurityAffairs

US and UK cybersecurity agencies said the Russia-linked APT28 group is behind a series of large-scale brute-force attacks.

US and UK cybersecurity agencies said today that a Russian military cyber unit has been behind a series of brute-force attacks that have targeted the cloud IT resources of government and private sector companies across the world.

US and UK cybersecurity agencies published a joint alert about a series of large-scale brute-force attacks conducted by the Russia-linked APT28 group.

The joint alert was published by the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC).

The attacks took place between mid-2019 and early 2021; the Russia-linked threat actor used a Kubernetes cluster to conduct anonymized brute-force access attempts against hundreds of government organizations and businesses worldwide, including think tanks, defense contractors, and energy firms.

The attackers remained under the radar by routing brute-force attacks through the TOR network and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. Authentication attempts that did not use TOR or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster.

The government experts attribute the attacks to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.

“‘Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments’ details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks,” reads the advisory published by the NSA.

The advisory provided details about the tactics, techniques, and procedures (TTPs) associated with GTsSS.

The APT group mainly targeted organizations using Microsoft Office 365 cloud services, along with targets using other service providers and on-premises email servers. Experts speculate the activity is still ongoing.

The attackers carried out brute-force attacks to discover valid credentials; in some cases, they also used credentials leaked in past breaches or guessed variations of the most common passwords. Experts pointed out that the GTsSS uniquely leveraged software containers to easily scale its brute-force attempts.

Upon discovering valid credentials, the GTsSS exploited various publicly known vulnerabilities (the Microsoft Exchange flaws CVE-2020-0688 and CVE-2020-17144) to gain further access into target networks. The nation-state actors were able to evade defenses and to collect and exfiltrate information from the compromised networks.

“The actors used a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data, as illustrated in the figure below.” reads the joint report. “The actors used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM. The actors also utilized different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.”
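One of the detection opportunities the report alludes to follows directly from the campaign's shape: a password spray produces failures against many distinct accounts from one source with few attempts each, which is the opposite profile of a brute force against a single account. The following is an example added here (not code from the article or the advisory); the log format, thresholds, IPs and account names are all constructed for illustration.

```python
"""Password-spray detection over constructed sign-in log lines (example added
here, not part of the advisory or the article). Log format, thresholds and
all IPs/users below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <source ip> <protocol> <user> <result>"
SAMPLE_LOG = """\
2021-02-10T08:00:01 198.51.100.7 IMAP alice@example.org FAIL
2021-02-10T08:00:04 198.51.100.7 IMAP bob@example.org FAIL
2021-02-10T08:00:07 198.51.100.7 IMAP carol@example.org FAIL
2021-02-10T08:00:09 198.51.100.7 IMAP dave@example.org FAIL
2021-02-10T08:00:12 198.51.100.7 IMAP erin@example.org FAIL
2021-02-10T08:00:15 198.51.100.7 IMAP frank@example.org SUCCESS
2021-02-10T08:01:00 203.0.113.9 HTTPS alice@example.org FAIL
2021-02-10T08:01:30 203.0.113.9 HTTPS alice@example.org FAIL
2021-02-10T08:02:00 203.0.113.9 HTTPS alice@example.org SUCCESS
2021-02-10T09:30:00 192.0.2.5 HTTPS bob@example.org SUCCESS
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, proto, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, proto, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts within `window`.
    A spray tries few passwords against many accounts, so the discriminator is the
    number of distinct users per source, not the attempt count per user."""
    by_ip = defaultdict(list)
    for ts, ip, proto, user, result in events:
        by_ip[ip].append((ts, user, result, proto))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, *_) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r, _ in in_win if r == "FAIL"}
            if len(failed_users) >= min_users:
                # A success from the same source inside the window marks the
                # account most likely to have been compromised by the spray.
                hits = sorted({u for _, u, r, _ in in_win if r == "SUCCESS"})
                alerts[ip] = {"distinct_failed": len(failed_users),
                              "successes": hits,
                              "protocols": sorted({p for *_, p in in_win})}
                break
    return alerts
```

In the constructed sample, only the IMAP source is flagged, and the alert names the one account it successfully signed into; the repeated failures on a single account from the second source are not a spray and would need a separate per-account rule.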

The report also includes indicators of compromise (IoCs) for the brute-force attacks conducted by the APT28 cyberespionage group. The document also provides YARA rules and mitigations.

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years’ experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.