U.S., U.K. intel: Russian military hacking attempts "certainly still ongoing"
United States and United Kingdom intelligence agencies said in a report Thursday that Russian military hackers over the last three years have tried to access the computer networks of "hundreds of government and private sector targets worldwide" and warned that those "efforts are almost certainly still ongoing."
Why it matters: The security agencies cautioned that the military cyber unit, best known for hacking the Democratic National Committee and other political targets during the 2016 election, is still focusing on political consultants, political parties and think tanks, though they did not specify any targets by name.
- The report is a joint advisory to network defenders published by the U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC).
How it works: The agencies said hackers working for Russia’s General Staff Main Intelligence Directorate 85th Main Special Service Center (GTsSS) first attempt to gain login credentials to governmental or private-sector networks by conducting "widespread, distributed, and anonymized brute force access attempts" using Kubernetes.
- The hackers can then use the valid credentials they obtain to expand their access to the targeted network, evade detection and defenses, and ultimately access and exfiltrate protected data, including information from emails.
- While brute-force password guessing campaigns are not new, the NSA said the "GTsSS uniquely leveraged software containers to easily scale its brute force attempts."
What they're saying: "The advisory warns system administrators that exploitation is almost certainly ongoing," the NSA said. "Targets have been global, but primarily focused on the United States and Europe."
- "Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks."
The big picture: The report comes on the heels of a summit between President Biden and Russian President Vladimir Putin, during which Biden threatened to use the U.S.' "significant" cyber capabilities to respond if critical infrastructure entities are targeted by Russian hackers.
- Putin, though, claimed in a press conference after the meeting that most cyberattacks currently taking place were being carried out from the U.S.
- The hacking unit, also known as Fancy Bear, APT28 or Strontium, has attempted to breach the networks of global sports and anti-doping groups, conservative groups, the U.S. Senate and multiple European think tanks and the emails of top Orthodox Christian clergy.
- Other Russia-based hacking groups were behind the massive SolarWinds breach discovered in December 2020 and, more recently, the targeting of U.S. foreign aid agencies, think tanks, consultants and NGOs.
What's next: The agencies advised system administrators for government and private entities to counter future breaches by using multi-factor authentication, enforcing the use of strong passwords and implementing time-out and lock-out features for accounts after multiple failed password attempts.
- They also recommended that the entities deny all inbound activity from virtual private network and other anonymization services.
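The lockout recommendation above, and the reason a distributed campaign slips past per-IP rate limits, can be seen in a small script. This is an added illustration, not code from the advisory or from the article: the log format, the thresholds, and the sample IP addresses are constructed for the example.

```python
"""Added example (not from the advisory or the article): an account-lockout
policy and a distributed-brute-force detector run over constructed
authentication log lines. Log format, thresholds and IPs are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format "<ISO ts> <result> user=<u> src=<ip>"
# is an assumption for this example. Five failures against "alice" arrive
# from five different addresses, then a login with the correct password.
SAMPLE_LOG = """\
2021-07-01T10:00:00 FAIL user=alice src=203.0.113.10
2021-07-01T10:00:05 FAIL user=alice src=203.0.113.11
2021-07-01T10:00:09 FAIL user=alice src=198.51.100.7
2021-07-01T10:00:14 FAIL user=alice src=198.51.100.8
2021-07-01T10:00:20 FAIL user=alice src=192.0.2.44
2021-07-01T10:00:25 OK   user=alice src=192.0.2.44
2021-07-01T10:01:00 FAIL user=bob   src=203.0.113.10
2021-07-01T10:02:00 OK   user=bob   src=192.0.2.9
"""


def parse_log(text):
    """Parse the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def simulate_lockout(events, max_failures=5, window=timedelta(minutes=15),
                     lockout=timedelta(minutes=15)):
    """Per-account lockout: after max_failures failed attempts inside `window`,
    reject every attempt for the account (even with a valid password) until
    the lockout expires. Returns one decision string per event, in order."""
    recent = defaultdict(list)   # user -> timestamps of recent failures
    locked_until = {}            # user -> time the lockout ends
    decisions = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user in locked_until and ts < locked_until[user]:
            decisions.append("REJECT-LOCKED")   # valid password does not help
            continue
        if ev["ok"]:
            recent[user].clear()
            decisions.append("ALLOW")
            continue
        # Failed attempt: drop failures older than the window, count this one.
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= max_failures:
            locked_until[user] = ts + lockout
            recent[user].clear()
            decisions.append("REJECT-LOCKOUT-TRIGGERED")
        else:
            decisions.append("REJECT-BADPASS")
    return decisions


def detect_distributed_bruteforce(events, min_failures=4, min_sources=3):
    """Flag accounts whose failed logins come from many distinct sources.
    Returns {user: sorted list of source IPs} for flagged accounts."""
    fails = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            fails[ev["user"]].append(ev["src"])
    return {
        user: sorted(set(srcs))
        for user, srcs in fails.items()
        if len(srcs) >= min_failures and len(set(srcs)) >= min_sources
    }


def failures_per_source(events):
    """Failed attempts per source IP. Low per-IP counts are why a threshold
    keyed on the source alone misses a campaign spread across many hosts."""
    return Counter(ev["src"] for ev in events if not ev["ok"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, decision in zip(evs, simulate_lockout(evs)):
        print(ev["ts"].time(), ev["user"], ev["src"], decision)
    print("flagged accounts:", detect_distributed_bruteforce(evs))
    print("failures per source:", dict(failures_per_source(evs)))
```

Run as a script, the lockout rejects alice's sixth attempt even though the password is correct, which is the point of the lockout feature; the per-source counter never exceeds two, while the per-account view flags alice at once because her failures span five addresses.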