Security agencies from the U.S. and the U.K. released on Thursday a cybersecurity advisory disclosing malicious cyber activities by Russian military intelligence against U.S. and global organizations that began in mid-2019 and are likely ongoing.
The advisory from the U.S. security agencies identifies the tactics, techniques and procedures (TTPs) used in the campaign that has targeted both private and public sector networks, such as government and military, defense contractors, energy companies, higher education, logistics, law firms, media, political consultants or political parties and think tanks. Over the course of the attacks, the campaign has targeted hundreds of U.S. and foreign organizations worldwide, including U.S. government and Department of Defense (DoD) entities.
The U.K.’s National Cyber Security Centre (NCSC), along with U.S. security agencies, including the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), released the advisory as part of the NSA’s routine and continuing cybersecurity mission to warn network defenders of nation-state threats.
The joint advisory claims that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and several other identifiers.
The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing. The brute force capability allows the 85th GTsSS hackers to access protected data, including email, and identify valid account credentials. Such credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.
The hackers adopted a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data. The cyber attackers used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM, and exploited different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.
While the overall targeting is global, the capability has predominantly focused on entities in the U.S. and Europe, according to the joint advisory. The hackers have used identified account credentials in conjunction with exploiting publicly known vulnerabilities for remote code execution and further access to target networks. After gaining remote access, several TTPs are combined to move laterally, evade defenses, and collect additional information within target networks.
In the advisory, the NCSC urged network defenders to follow mitigations outlined in the advisory and, in the first instance, ensure that multi-factor authentication (MFA) is rolled out across systems.
NSA encourages the DoD, National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations, the most effective of which is the use of MFA, since a second factor cannot be guessed during brute force access attempts. It also recommended appropriate network segmentation and access restrictions that use additional attributes when making access decisions, and the adoption of automated tools to audit access logs for security concerns and identify anomalous access requests.
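As an added defender's example (not from the advisory or this article), the following Python script runs over constructed authentication log lines and flags the password-spray pattern the advisory describes: one source failing against many distinct accounts within a short window, plus any later successful login from that same source. The log format, thresholds and sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in an assumed CSV format:
# timestamp,source_ip,user,result. Values are made up to exercise the detector.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z,203.0.113.5,alice,FAIL
2021-06-01T10:00:03Z,203.0.113.5,bob,FAIL
2021-06-01T10:00:05Z,203.0.113.5,carol,FAIL
2021-06-01T10:00:07Z,203.0.113.5,dave,FAIL
2021-06-01T10:00:09Z,203.0.113.5,erin,FAIL
2021-06-01T10:00:11Z,203.0.113.5,frank,SUCCESS
2021-06-01T10:01:00Z,198.51.100.7,alice,FAIL
2021-06-01T10:01:30Z,198.51.100.7,alice,FAIL
2021-06-01T10:02:00Z,198.51.100.7,alice,SUCCESS
2021-06-01T11:00:00Z,192.0.2.9,grace,SUCCESS
"""

def parse_events(text):
    """Parse log lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: [users]} for sources that failed against at least
    min_users distinct accounts inside `window`. A spray tries one or a few
    passwords across many accounts, so the signal is breadth of usernames per
    source, not depth of attempts per user (which is what lockout policies see)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()  # chronological, so a sliding window starting at each failure works
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts

def successes_after_spray(events, alerts):
    """(source_ip, user) pairs where a flagged spraying source later logged in
    successfully: the accounts most likely to have a guessed password."""
    hits = {(ip, user) for _, ip, user, result in events
            if result == "SUCCESS" and ip in alerts}
    return sorted(hits)
```

Because the campaign described above was distributed across many anonymized sources, a per-source threshold is only one signal; counting distinct accounts failing across all sources in the same window, and correlating with unusual user agents or source networks, complements it.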
This is the second instance in as many months that security agencies from the U.S. and the U.K. have come together to release a joint cybersecurity advisory. The May joint cybersecurity advisory was concerned with the SolarWinds supply chain attack, which was suspected to have been carried out by Russian Foreign Intelligence Service (SVR) hackers. That advisory also identified further TTPs associated with these hackers and provided details on new TTPs that SVR hackers appear to have leveraged, in addition to the ones that the U.S. agencies unearthed in the middle of April.