Hackers from Russia’s military intelligence agency, the GRU, are engaged in a global campaign to target “hundreds” of predominantly American and European entities, including government and military organizations, energy companies, think tanks and media companies, according to a new joint cybersecurity advisory issued by U.S. and U.K. national security agencies Thursday.
The campaign began in mid-2019 and is “almost certainly” ongoing, the advisory warned, noting hackers are using an amplified and anonymized version of what are known as “brute force” access attempts – trying to log in to target networks by repeatedly guessing passwords – against a broad range of government and private organizations around the world.
The advisory did not identify any specific victims or indicate how much or what kind of data may have been exfiltrated. It urged organizations to “adopt and expand” protective and mitigation techniques including multi-factor authentication, lock-out features and mandatory use of strong passwords.
It said the types of targeted organizations included government and military organizations, political consultants and parties, defense contractors, energy companies, higher education institutions, logistics companies, law firms, media companies and think tanks.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” said Rob Joyce, the NSA’s Director of Cybersecurity. “Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”
An NSA spokesperson said this GRU-led campaign was separate from thesupply chain attack, which was attributed to a separate Russian intelligence service known as the SVR. It is also differs from other recent, notable ransomware attacks on Colonial Pipeline or , which were targeted by two distinct criminal ransomware groups known to have links to Russia.
The GRU hackers, operating as part of the elite military unit 26165 – which was also behind the hack of the Democratic National Committee as part of Moscow’s sprawling 2016 election interference campaign – principally targeted Microsoft Office 365 cloud services, but also targeted and other email servers and service providers in their attempts.
While the “brute force” technique is not new or particularly sophisticated, the GRU “uniquely leveraged” software containers to scale its effort, the advisory said. It was released by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC).
The hackers drew in part on an open-source platform called Kubernetes to augment and anonymize their password spray activity, which also sometimes used Virtual Private Networks (VPNs) and The Onion Router (TOR). According to the advisory, once the hackers correctly identified given login credentials, they were combined with known software vulnerabilities to allow hackers to burrow deeper into victim networks, where they could access and remove data.
The advisory is one of several recent disclosures made by government agencies in an attempt to help potential victim organizations protect themselves against nation-state attackers. It is also the latest in a series of cyber incursions attributed to Russia.
“The GRU appears to pursue a traditional intelligence collection campaign here by targeting organizations of strategic interest to the Russian Federation, such as energy companies, political parties, think tanks and government,” said Dmitri Alperovitch, former chief technology officer at cybersecurity company Crowdstrike and current executive chairman at Silverado Policy Accelerator. “The danger, however, is that this campaign can easily turn from traditional espionage into a ‘hack and leak’ or destructive action as we have seen from past GRU attacks.”
Last May, the NSAthat Russian hackers from the so-called “Sandworm team” of the GRU were exploiting a vulnerability in Exim Mail Transfer Agent, a type of popular email software.
In June, after a summit with Russian President Vladimir Putin, President Biden said that the U.S. and Moscow would begin “consultations” on a range of cyber-related issues. The Biden administration has not offered specifics on the timing or focus of potential talks.
Joycethe NSA was unlikely to take part directly in any consultations with Moscow, but that it would “absolutely” use the agency’s threat reporting to inform policymakers leading the negotiations.