CISA
Critical infrastructure
Industries
News

US, UK security agencies expose malicious cyber activities by Russia’s military intelligence service

July 02, 2021
security agencies

Security agencies from the U.S. and the U.K. released on Thursday a cybersecurity advisory disclosing malicious cyber activities by Russian military intelligence against the U.S. and global organizations, starting from mid-2019 and are likely ongoing. 

The advisory from the U.S. security agencies identifies the tactics, techniques and procedures (TTPs) used in the campaign that has targeted both private and public sector networks, such as government and military, defense contractors, energy companies, higher education, logistics, law firms, media, political consultants or political parties and think tanks. Over the course of the attacks, the campaign has targeted hundreds of U.S. and foreign organizations worldwide, including U.S. government and Department of Defense (DoD) entities. 

The U.K.’s National Cyber Security Centre (NCSC), along with U.S. security agencies, including the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released the advisory as part of the NSA’s routine and continuing cybersecurity mission to warn network defenders of nation-statedep threats.

The joint advisory claims that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and several other identifiers. 

The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing. The brute force capability allows the 85th GTsSS hackers to access protected data, including email, and identify valid account credentials. Such credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion. 

The hackers adopted a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data. The cyber attackers used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM, and exploited different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.

While the overall targeting is global, the capability has predominantly focused on entities in the U.S. and Europe, according to the joint advisory. The hackers have used identified account credentials in conjunction with exploiting publicly known vulnerabilities for remote code execution and further access to target networks. After gaining remote access, several TTPs are combined to move laterally, evade defenses, and collect additional information within target networks.

In the advisory, the NCSC urged network defenders to follow mitigations outlined in the advisory and, in the first instance, ensure that multi-factor authentication (MFA) is rolled out across systems.

NSA encourages the DoD, National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations, with the most effective weapon being the use of MFA, which is not guessable during brute force access attempts. It also recommended appropriate network segmentation and restrictions to limit access and utilize additional attributes, and the adoption of automated tools to audit access logs for security concerns and identify anomalous access requests.

This is the second instance in as many months that the security agencies from the U.S. and U.K have come together to release a joint cybersecurity advisory. The May joint cybersecurity advisory was concerned with the SolarWinds supply chain attack, which was suspected to be carried out by Russian Foreign Intelligence Service (SVR) hackers. The advisory also identified further TTPs associated with these cyber hackers, and provided details on new TTPs that SVR cyber hackers appear to have leveraged, in addition to ones that the US agencies unearthed in the middle of April.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack