The United Kingdom and the United States’ cyber and law enforcement entities like the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the National Cyber Security Centre (NCSC) have released a Cybersecurity Advisory to warn about malicious cyber activities perpetrated by Russian military intelligence against the U.S. and global organisations.
According to the Cybersecurity Advisory released by the agencies, the GRU, Russia’s premier military intelligence service, has been attacking organisations globally since at least mid-2019. The GRU’s 85th Main Special Service Center (GTsSS) has led the campaign, using brute-force attacks against hundreds of U.S. and foreign organisations to penetrate government and private sector victim networks. The advisory also details the tactics, techniques, and procedures used in these attacks.
The advisory warned about ongoing attacks and exploitations targeting organisations in multiple sectors. The targeted entities include government and military agencies, defense contractors, energy companies, organisations offering higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.
Malicious threat actors associated with the GRU begin their campaigns with brute-force attacks aimed at penetrating government and private sector victim networks. These attacks yield valid credentials for enterprise accounts, which the actors then use to infiltrate networks, move laterally within them, and collect and exfiltrate data.
“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords. While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts,” the agencies noted.
After obtaining valid credentials, the threat actors combine them with various publicly known vulnerabilities to gain further access into victim networks. They also use a range of techniques to evade detection and to exfiltrate sensitive data to servers under their control.
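The advisory describes brute force against many accounts, with each account seeing only a handful of guesses so that per-account lock-outs never fire. The following detection logic, an added example that is not part of the advisory or of this article, correlates failed logins by source address instead: a source that fails against many distinct accounts with few attempts each is flagged, and any subsequent successful login from that source is reported as a likely compromised account. The log format, the field names and the sample log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"). Not taken from the advisory.
SAMPLE_LOG = """\
2021-07-01T10:00:01 FAIL user=alice src=203.0.113.10
2021-07-01T10:00:02 FAIL user=bob src=203.0.113.10
2021-07-01T10:00:03 FAIL user=carol src=203.0.113.10
2021-07-01T10:00:04 FAIL user=dave src=203.0.113.10
2021-07-01T10:00:05 FAIL user=erin src=203.0.113.10
2021-07-01T10:00:06 OK user=frank src=203.0.113.10
2021-07-01T10:00:07 FAIL user=alice src=198.51.100.7
2021-07-01T10:00:08 FAIL user=alice src=198.51.100.7
2021-07-01T10:00:09 FAIL user=alice src=198.51.100.7
2021-07-01T10:00:10 OK user=alice src=198.51.100.7
"""


def parse_line(line):
    """Parse one constructed log line into a dict of timestamp, outcome, user, source."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src: {"distinct_users": n, "failures": m}} for sources whose failures
    within any `window` hit at least `min_users` accounts with no account
    seeing more than `max_per_user` attempts (the low-and-slow spraying shape)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)

    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {"distinct_users": len(per_user),
                                 "failures": end - start + 1}
                break
    return findings


def successes_from_flagged(log_text, findings):
    """Accounts that logged in successfully from a flagged source: the credentials
    the spray most likely validated, and the first place to force a reset and MFA."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {e["user"] for e in events if e["ok"] and e["src"] in findings}


if __name__ == "__main__":
    flagged = detect_spray(SAMPLE_LOG)
    print("spraying sources:", flagged)
    print("accounts to review:", successes_from_flagged(SAMPLE_LOG, flagged))
```

The second source in the sample fails three times against a single account and is deliberately not flagged: that is the classic single-account brute force that a per-account lock-out already handles. The first source touches five accounts once each, which no per-account counter would ever notice, and its one success is the signal that a credential has been validated.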
NSA advised that Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators should immediately review the indicators of compromise (IOCs) included in the advisory and apply them. According to the NSA, the most effective mitigation is multi-factor authentication, which offers robust protection against brute-force attacks.
The agencies have also advised organisations to adopt a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses. Alongside MFA, organisations should also enable time-out and lock-out features wherever password authentication is needed. This ensures that accounts are locked out after multiple failed login attempts and that the delay between successive login attempts increases with each failure.
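The time-out and lock-out behaviour the agencies describe can be implemented as a small throttle in front of the password check. The class below is an added example, not code from the advisory or from any vendor named in the article: each failed attempt doubles the wait before the next attempt is accepted (capped), and after a configurable number of failures the account is locked for a fixed period. The thresholds are illustrative assumptions; time is passed in explicitly so the behaviour is deterministic.

```python
class LoginThrottle:
    """Per-account time-out (growing delay) plus lock-out after repeated failures."""

    def __init__(self, base_delay=1.0, max_delay=60.0, max_failures=5, lockout_seconds=900.0):
        self.base_delay = base_delay          # seconds after the first failure
        self.max_delay = max_delay            # cap on the growing delay
        self.max_failures = max_failures      # failures before a hard lock-out
        self.lockout_seconds = lockout_seconds
        self._state = {}                      # user -> [failures, not_before, locked_until]

    def _get(self, user):
        return self._state.setdefault(user, [0, 0.0, 0.0])

    def check(self, user, now):
        """Return (allowed, seconds_to_wait) for an attempt at epoch time `now`."""
        failures, not_before, locked_until = self._get(user)
        if now < locked_until:
            return False, locked_until - now
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, user, now):
        """Register a failed password and return the delay imposed before the next try."""
        state = self._get(user)
        state[0] += 1
        delay = min(self.base_delay * 2 ** (state[0] - 1), self.max_delay)
        state[1] = now + delay
        if state[0] >= self.max_failures:
            state[2] = now + self.lockout_seconds
        return delay

    def record_success(self, user):
        """A successful login clears the counters for that account."""
        self._state.pop(user, None)


def run_scenario():
    """Five consecutive wrong passwords against one account, each retried as soon as
    the throttle allows. Returns the delays imposed and the final check result."""
    throttle = LoginThrottle()
    now = 0.0
    delays = []
    for _ in range(5):
        allowed, wait = throttle.check("alice", now)
        assert allowed, "scenario only attempts when the throttle permits"
        delays.append(throttle.record_failure("alice", now))
        now += delays[-1]
    # The delays have expired, but the fifth failure triggered the lock-out.
    return delays, throttle.check("alice", now)


if __name__ == "__main__":
    delays, final = run_scenario()
    print("delays imposed:", delays)   # growing: 1, 2, 4, 8, 16 seconds
    print("after fifth failure:", final)
```

A per-account throttle like this defeats rapid guessing against a single account, but it does little against spraying, where each account sees only one or two guesses from a container fleet; that pattern needs correlation across accounts by source, alongside the MFA the advisory recommends.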
Commenting on the advisory released by the agencies, Tom Jermoluk, CEO of Beyond Identity, told Teiss that Russian GRU agents and other state actors like those involved in SolarWinds – and a range of financially motivated attackers (e.g., ransomware) – all use the same “password spraying” brute force techniques. Why? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends “mandating the use of stronger passwords”.
“The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying “strong passwords.” The government went on to recommend a “Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses”. This sage advice requires a move to strong, continuous authentication. It also requires organizations to eliminate passwords because they are so completely compromised that you simply cannot achieve Zero Trust with them,” he added.