Russia-sponsored cyber crews have been carrying out brute force hacking campaigns trying to steal user account credentials of hundreds of government and private sector organizations worldwide, the top security agencies in the U.S. and U.K. warned in a newly released joint advisory.
In brute force attacks, hackers use a barrage of trial-and-error attempts to guess login info or other means of network entry to “force” their way into accounts.
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.K.’s National Cyber Security Centre said the operation backed by the Russian General Staff Main Intelligence Directorate (GRU) has continued for at least the last two years. Most of the attacks have targeted U.S. organizations, the alert said.
“Since at least mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165 used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts,” the agencies said. Targets include the following:
- Government and military organizations
- Political consultants and party organizations
- Defense contractors
- Energy companies
- Logistics companies
- Think tanks
- Higher education institutions
- Law firms
- Media companies
Brute force capabilities enables GTsSS cyber gangs to access protected data, including email, and identify valid account credentials. Those credentials can be used for initial access, allow the attackers to remain undetected in the network, escalate privileges and skirt cyber defenses. Bad actors typically use a variety of well-known tactics, techniques, and procedures (TTPs) to collect additional information within target networks and this group is no exception, the advisory said.
The alert offers a timely reminder for MSPs and MSSPs to offer cybersecurity awareness training services to increase their knowledge of brute force campaigns. It comes amid escalating cyber attacks on U.S. critical infrastructure, including the SolarWinds Orion attack, the Colonial Pipeline ransomware hijack and a similar incident on meat provider JBS USA, all linked by U.S. security authorities to Russian-backed operatives or Russian speaking outfits.
In a recent incident -- the July 2, 2021, attack on software management provider Kaseya -- President Biden said that the “initial thinking” is that the Russian government is not behind the infiltration “but we’re not sure yet,” The Hill reported. Also, the attack involved previously unknown vulnerabilities in Kaseya's VSA software. A brute force angle has not been mentioned as of this writing.
Meanwhile, managed detection and response (MDR) security provider Huntress Labs told MSSP Alert that it believed that REvil and Sodinokibi, the Russia-linked group blamed for the recent attack on meat producer JBS USA, is also responsible for the Kaseya offensive. Biden said that he’s already warned Russian President Vladimir Putin to expect a U.S. response if Moscow is shown to be responsible for the aggression, which is said to involve 50 to 60 Kaseya customers.
Law enforcement and security agencies and the private sector have issued a number of alerts on Russian hacking, the most prominent of which have been those related to election meddling, but have now turned to ransomware, phishing and other malware intrusions. Most recently, an FBI and CISA bulletin was intended to forewarn and forearm U.S. IT companies, government entities, researchers and policy makers on the primary tactics Russian-backed hacking crews are using to steal critical intelligence. The dispatch offered up actionable material on the Russian Foreign Intelligence Service’s (SVR) cyber tools, targets, techniques, and capabilities to help organizations secure their networks.
In May 2021, Microsoft’s security team said that the Russian-backed Nobelium hackers, the same syndicate behind the SolarWinds Orion attack, have launched a malware blitz not only on federal government agencies but also researchers, consultants and non-government organizations. The infiltration has hit some 3,000 email accounts in more than 150 different organizations. President Biden imposed economic sanctions on Russia following the SolarWinds hack and Moscow’s attempts to influence U.S. elections. With word that the same group is newly engaged in Moscow’s continued cyber espionage operations, some Democratic lawmakers are calling for the Biden administration to squeeze harder.
The U.S. and U.K. security agencies recommend the following measures to ensure strong access control:
- Use multi-factor authentication. Strong authentication factors are not guessable, so they would not be guessed during brute force attempts.
- Enable time-out and lock-out features whenever password authentication is needed. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts.
- Some services can check passwords against common password dictionaries, denying many poor password choices and making brute-force password guessing far more difficult.
- For protocols that support human interaction, use captchas to hinder automated access attempts.
- Change all default credentials and disable protocols that use weak authentication or do not support multi-factor authentication. Configure access controls on cloud resources to ensure that only well maintained and well-authenticated accounts have access.
- Employ appropriate network segmentation and restrictions to limit access and utilize additional attributes when making access decisions to attain a Zero Trust security model.
- Use automated tools to audit access logs for security concerns and identify anomalous access requests.
