The NSA, FBI, CISA and the UK's NCSC released a joint cybersecurity advisory on Thursday warning of ongoing cyberattacks by Russian military intelligence against US and global organisations. These attacks started in mid-2019 and are likely still ongoing.
The advisory identifies the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, as the group behind the attacks. The unit has also been active under other aliases, such as Fancy Bear, APT28 and Strontium.
Common attack types, a list of IP addresses and a table of tactics, techniques and procedures are provided in the advisory, which aims to warn network users of a possible incoming attack and help them prepare defences better.
Why the fear?
Brute forcing a password is an age-old technique in which the attacker keeps trying candidate passwords until one succeeds. The GTsSS found a way to leverage Kubernetes software containers to scale its brute-force campaign.
The GTsSS has previously used these methods against Office 365 cloud services, while also targeting other service providers and on-premises email servers over a range of different protocols. These efforts are likely still ongoing.
The targets include government and military organisations, logistics companies, defence contractors, think tanks, energy companies, law firms, media companies, higher education institutes, political consultants and party organisations. The campaign has already targeted hundreds of organisations worldwide.
As mentioned earlier, the advisory goes on to list IP addresses identified in previous attacks, the user agents observed along with the detection opportunities they offer, a YARA rule matching the reGeorg variant web shell previously used by the threat actors, and some general mitigations.
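One of the detection opportunities such an advisory points at is the shape of the login failures themselves: a brute-force run scaled out from a container cluster fails many times per source address across many different accounts, whereas a legitimate user fails a few times against one account. The script below is an added illustration of that check and is not code from the advisory or from any of the agencies; the log format, the field names and the RFC 5737 documentation addresses in the sample are all constructed for this example, so it must be adapted to a real authentication log before use.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines for this example (not the advisory's data).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:06Z src=203.0.113.5 user=alice result=FAIL ua="Example-Client/1.0"
2021-07-01T10:00:07Z src=203.0.113.5 user=erin result=SUCCESS ua="Example-Client/1.0"
2021-07-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL ua="Mozilla/5.0 (Windows NT 10.0)"
2021-07-01T10:01:05Z src=198.51.100.7 user=alice result=SUCCESS ua="Mozilla/5.0 (Windows NT 10.0)"
"""

# Field layout of the constructed log format assumed above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>FAIL|SUCCESS) ua="(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_spraying(log_text, min_failures=5, min_accounts=3):
    """Flag sources whose failed logins are spread across many distinct accounts.

    A SUCCESS from a source that already failed is recorded so responders can
    prioritise it: that account may have been guessed.
    """
    per_src = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                   "user_agents": set(), "success_after_fail": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["user_agents"].add(rec["ua"])  # unusual client strings are a second signal
        if rec["result"] == "FAIL":
            s["failures"] += 1
            s["accounts"].add(rec["user"])
        elif s["failures"] > 0:
            s["success_after_fail"] = True
    return {src: {"failures": v["failures"], "accounts": sorted(v["accounts"]),
                  "user_agents": sorted(v["user_agents"]),
                  "success_after_fail": v["success_after_fail"]}
            for src, v in per_src.items()
            if v["failures"] >= min_failures and len(v["accounts"]) >= min_accounts}
```

Tune the thresholds to the tenant's normal failure rate; the sprayed source in the sample trips the default thresholds while the single mistyped password from 198.51.100.7 does not.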
Shortly after the advisory was made public, Cloudflare rolled out WAF mitigations to protect its customers against this kind of brute-force cyberattack.