The National Security Agency, the FBI and other agencies are tracking an ongoing Russian cyberespionage campaign in which attackers are using brute-force methods to access Microsoft Office 365 and other cloud-based services, according to an alert published Thursday. The campaign, which started in 2019, has targeted "hundreds" of businesses, government agencies and organizations worldwide, mainly in the U.S. and Europe, the NSA reports. The victims include several U.S. Department of Defense units, although the NSA does not say if any of the attacks on these organizations were successful.
The NSA, the FBI and the Cybersecurity and Infrastructure Security Agency, along with the U.K. National Cyber Security Center, have linked the series of brute-force attacks to an elite unit within Russia's Main Intelligence Directorate, commonly referred to as the GRU, which serves as the military intelligence division of Russia's armed forces. This unit is designated as Russia's 85th Main Special Service Center, or GTsSS, which is also known as Military Unit 26165. Some security firms refer to this organization as APT28 or Fancy Bear, although Microsoft calls the attackers Strontium. The military unit has been linked to several high-profile attacks against U.S. and EU organizations, and several of its members have been indicted by the U.S. Department of Justice for previous incidents.
"The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing," according to the recent NSA alert. The latest cyberespionage activity shows that despite U.S. efforts to crack down on Russian hacking efforts, campaigns continue, says John Hultquist, vice president of analysis at Mandiant Threat Intelligence. "The bread and butter of this group is routine collection of data on policymakers, diplomats the military and the defense industry, and these sorts of incidents don’t necessarily presage operations like hack-and-leak campaigns," Hultquist stated.
On 02 July 2021, Russia's embassy in Washington issued a statement on Facebook denying the U.S. allegations, noting: "We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime."
The NSA alert notes that the Russian-linked campaign uses a variety of techniques to target potential victims. For example, the attackers are using a Kubernetes, an open source container orchestration tool, to conduct the brute-force attacks and route the malicious network traffic through a series of anonymous Tor networks and commercial VPN services to hide its origins, according to the alert.
"The Kubernetes cluster normally routes brute-force authentication attempts through Tor and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN," the alert notes. "Authentication attempts that did not use Tor or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster."
The attackers are using brute-force and other password-spraying techniques in combination with the Kubernetes cluster to gain initial access to email servers both cloud-based as well as some on-premises systems and to identify other valid account credentials within a targeted organization, the alert notes. The Russian attackers then use the stolen credentials to gain initial access, maintain persistence within networks, gain additional privileges and avoid detection.
The attackers also took advantage of two vulnerabilities in unpatched Microsoft Exchange servers CVE 2020-0688 and CVE 2020-17144 to conduct remote code execution and gain access to other networks, the alert notes. Several security firms have been warning about the CVE 2020-0688 vulnerability in unpatched systems since 2020.
Once the attackers gain initial access to a network, they use a variety of methods and tools to access files, steal data and move laterally, the alert states. These include attempting to target an organization's Active Directory database to gather more credentials and deploying "living off the land" techniques to connect to outside command-and-control servers and transfer files, as well as compromising Outlook Web Access servers. "After gaining remote access, many well-known tactics, techniques and procedures are combined to move laterally, evade defenses and collect additional information within target networks," according to the NSA.
The NSA and other government agencies are urging organizations to deploy risk mitigation techniques, including adopting multifactor authentication and strong passwords and limiting access to certain parts of a network. The agencies also recommend adopting zero trust architecture to reduce the possibility of an attack as well as denying inbound traffic that originates in a Tor network or a commercial VPN service that is not approved by the security team.
APT28's most recent campaigns have focused on Europe, in April 2021, Sweden accused the Russian military unit of conducting a series of campaigns against the Swedish Sports Confederation that were detected in 2017 and 2018. Finland and Norway have alleged that the Russian group targeted lawmakers' emails and data.
Microsoft issued a warning in September 2020 that members of the Russian military unit were attempting to harvest Office 365 credentials in the ramp up to U.S. elections.
In April 2021, the Biden administration issued sanctions against the Russian Foreign Intelligence Service, or SVR, over the SolarWinds supply chain attack and election interference.
At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings