US and British intelligence agencies have disclosed the hacking methods used in a Russian campaign. They state that the Russian General Staff Main Intelligence Directorate (GRU) attacked the cloud services of hundreds of government agencies, energy firms, and other organizations. The US National Security Agency has released an advisory attributing the attacks to the GRU.
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) jointly attribute the intrusions to the GRU.
The GRU has previously been linked to large cyberattacks abroad and efforts to undermine the 2016 and 2020 American elections.
In a statement, NSA Cybersecurity Director Rob Joyce said the campaign was “likely ongoing, on a global scale.”
Russia’s Hacking Methods
Automated spraying of login services with candidate passwords until the attackers gain access is known as a brute-force attack. The advisory urges organisations to adopt cyber hygiene measures such as multi-factor authentication and strong password requirements, which experts have long recommended.
The advisory, issued amid a damaging wave of ransomware attacks on governments and critical infrastructure, does not name the campaign's specific targets or its apparent objective. It states only that the hackers have targeted hundreds of organisations worldwide.
The threat actor is also tracked under numerous monikers, including APT28 (FireEye Mandiant), Fancy Bear (CrowdStrike), Sofacy (Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks).
APT28 has a track record of using password spraying and brute-force login attempts to obtain credentials. In November 2020, Microsoft reported that the group had launched cyberattacks against companies working on COVID-19 vaccines and treatments. What is different this time is the actor's reliance on software containers to scale its brute-force attacks.
Other security weaknesses APT28 exploited to gain access to internal email servers and pivot within compromised organisations include:
- CVE-2020-0688 – Microsoft Exchange Validation Key Remote Code Execution Vulnerability
- CVE-2020-17144 – Microsoft Exchange Remote Code Execution Vulnerability
The threat actors are also reported to have used evasion techniques such as routing brute-force authentication attempts through Tor and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, to obscure parts of their operations.
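One way a defender can surface the password-spray pattern described above in authentication logs, and, because the attempts were routed through Tor and VPN exits, also pool all sources so a spray spread across many addresses is not missed. This is an added example, not code from the article or the advisory; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the advisory): "<ISO time> <src_ip> <user> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2021-07-01T10:00:01 198.51.100.7 alice FAILURE
2021-07-01T10:00:03 198.51.100.7 bob FAILURE
2021-07-01T10:00:05 198.51.100.7 carol FAILURE
2021-07-01T10:00:07 198.51.100.7 dave FAILURE
2021-07-01T10:00:09 198.51.100.7 erin FAILURE
2021-07-01T10:00:11 198.51.100.7 frank SUCCESS
2021-07-01T13:00:00 203.0.113.9 gina FAILURE
2021-07-01T13:00:02 203.0.113.10 hank FAILURE
2021-07-01T13:00:04 203.0.113.11 ivan FAILURE
2021-07-01T13:00:06 203.0.113.9 judy FAILURE
2021-07-01T13:00:08 203.0.113.10 kyle FAILURE
2021-07-01T15:00:00 192.0.2.5 alice FAILURE
2021-07-01T15:00:01 192.0.2.5 alice FAILURE
2021-07-01T15:00:02 192.0.2.5 alice FAILURE
"""

def parse_log(text):
    """Each line -> (timestamp, source_ip, username, result)."""
    return [(datetime.fromisoformat(t), ip, u, r)
            for t, ip, u, r in (line.split() for line in text.splitlines())]

def detect_spray(events, window=timedelta(minutes=30), min_users=5,
                 max_per_user=2, per_source=True):
    """Windows where failures hit >= min_users distinct accounts, at most max_per_user
    each (spray shape, not one hammered account); per_source=False pools all sources,
    catching a spray rotated through Tor/VPN exits. Thresholds are assumptions; tune them."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[1] if per_source else "*"].append(ev)
    findings = []
    for source, evs in groups.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            span = [e for e in evs[i:] if e[0] - start <= window]
            fails = Counter(u for _, _, u, r in span if r == "FAILURE")
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                findings.append({"source": source, "start": start, "accounts_targeted": len(fails),
                                 # a success inside a spray window marks the credential to reset first
                                 "successful_logins": sorted(u for _, _, u, r in span if r == "SUCCESS")})
                i += len(span)  # window reported; move past it
            else:
                i += 1
    return findings
```

On the sample, the per-source pass flags only 198.51.100.7 (with the successful login on frank), while the pooled pass additionally flags the 13:00 spray spread across three addresses; the repeated failures against one account from 192.0.2.5 are not a spray and are left for a separate single-account rule.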