A brute force password-hacking campaign led by Russian military intelligence tied to the group Fancy Bear has been targeting US and European organizations since mid-2019, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ on Thursday.
National security officials said the exploitation is almost certainly ongoing and is part of a broader effort by Russia’s GRU and 85th GTsSS to obtain information on a wide range of sensitive targets.
The attackers are using brute force techniques — in which repeated login attempts are used to uncover usernames, passwords and valid account credentials — to infiltrate the networks of government and private sector organizations including military defense contractors, energy and logistics companies, law firms, think tanks, media outlets and universities.
While the brute force tactic is nothing new, the Russian hackers uniquely leveraged Kubernetes software containers to scale the brute force attempts, the advisory said. The attackers also attempted to evade detection by routing the Kubernetes brute force attacks through TOR and commercial VPN services.
According to the advisory, GRU hackers are using compromised account credentials in conjunction with known software vulnerabilities, including exploits for Microsoft Exchange servers like CVE-2020-0688 and CVE-2020-17144, in order to gain access to internal servers. Once the attackers gain remote access, they’re combining a number of techniques to move laterally within the network and to access protected data, including email.
“NSA encourages Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations,” the advisory said. “The most effective mitigation is the use of multi-factor authentication, which is not guessable during brute force access attempts.”