
FBI, NSA and partners warn of global Russian Brute Force cyber attack


The NSA, FBI, CISA and the UK’s NCSC released a joint cybersecurity advisory on Thursday warning of cyberattacks by Russian military intelligence on US and global organisations. These attacks started in mid-2019 and are likely to be ongoing.

The advisory identifies the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, as the group behind the attacks. The same group has been tracked under other names, including Fancy Bear, APT28 and Strontium.

Common attack types, a list of IP addresses and a table of tactics, techniques and procedures are provided in the advisory, which aims to warn network defenders of a possible incoming attack and help them prepare their defences.

Why the fear?

Brute forcing a password is an age-old hacking technique in which the attacker keeps trying possible combinations until the right password turns up. The GTsSS found a way to use Kubernetes software containers to scale its brute force attempts.

The GTsSS had previously used these methods against Office 365 cloud services, while also targeting other service providers and on-premises email servers over a number of different protocols. These efforts are still likely to be ongoing.

[Figure: an illustration of how Kubernetes or other cloud services are used to scale brute force attempts (via the advisory).]

The targets include government and military organisations, logistics companies, defence contractors, think tanks, energy companies, law firms, media companies, higher education institutes, political consultants and party organisations. The campaign has already targeted hundreds of organisations worldwide.

As mentioned earlier, the advisory goes on to list IP addresses identified in previous attacks and user agents, along with the detection opportunities each offers, a Yara rule that matches the reGeorg variant web shell previously used by the threat actors, and some general mitigations.
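Added example, not code from the advisory or the article: a small Python detector, run over constructed authentication events, that flags the two patterns a container-scaled brute force campaign leaves in logs (one source trying many accounts, one account hit from many sources) and any success that follows such a burst. The thresholds, account names and documentation-range addresses are assumptions, not indicators from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (timestamp, account, source IP, outcome).
# Addresses are documentation-range placeholders, not indicators from the advisory.
SAMPLE_EVENTS = [
    ("2021-07-01T10:00:00", "alice", "192.0.2.10", "FAIL"),
    ("2021-07-01T10:00:05", "bob", "192.0.2.10", "FAIL"),
    ("2021-07-01T10:00:10", "carol", "192.0.2.10", "FAIL"),
    ("2021-07-01T10:00:15", "dave", "192.0.2.10", "FAIL"),
    ("2021-07-01T10:00:20", "erin", "192.0.2.10", "FAIL"),
    ("2021-07-01T10:05:00", "admin", "198.51.100.1", "FAIL"),
    ("2021-07-01T10:06:00", "admin", "198.51.100.2", "FAIL"),
    ("2021-07-01T10:07:00", "admin", "198.51.100.3", "FAIL"),
    ("2021-07-01T10:08:00", "admin", "198.51.100.4", "SUCCESS"),
    ("2021-07-01T10:30:00", "bob", "203.0.113.8", "FAIL"),
]

def _max_distinct_in_window(pairs, window):
    """pairs: time-sorted (timestamp, value); largest distinct-value count in any span of `window`."""
    best, start, counts = 0, 0, defaultdict(int)
    for t_end, v_end in pairs:
        counts[v_end] += 1
        while t_end - pairs[start][0] > window:  # slide the window start forward
            v = pairs[start][1]
            counts[v] -= 1
            if counts[v] == 0:
                del counts[v]
            start += 1
        best = max(best, len(counts))
    return best

def find_brute_force(events, window_minutes=60, min_accounts=5, min_sources=3):
    """Flag spraying sources, accounts hit from many sources, and successes after a failure burst."""
    window = timedelta(minutes=window_minutes)
    by_source, by_account, suspicious = defaultdict(list), defaultdict(list), []
    for ts, account, src, outcome in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if outcome == "FAIL":
            by_source[src].append((t, account))   # source -> accounts it failed against
            by_account[account].append((t, src))  # account -> sources that failed against it
        elif len({s for ft, s in by_account[account] if t - ft <= window}) >= min_sources:
            suspicious.append((account, src))     # success right after a distributed burst
    return {
        "spraying_sources": {s: n for s, p in by_source.items() if (n := _max_distinct_in_window(p, window)) >= min_accounts},
        "targeted_accounts": {a: n for a, p in by_account.items() if (n := _max_distinct_in_window(p, window)) >= min_sources},
        "suspicious_successes": suspicious,
    }
```

Feeding real Office 365 or mail-server sign-in logs into `find_brute_force` only needs the four fields above; the per-source and per-account views are separate because a cluster of containers keeps each source's count low while the per-account count climbs.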

Shortly after the advisory was made public, Cloudflare rolled out WAF mitigations to protect its customers against this kind of brute force cyberattack.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
