A persistent brute-force attack campaign, believed to be orchestrated by Russian military intelligence, has targeted enterprise cloud environments since mid-2019. This information is detailed in a joint advisory released by intelligence agencies in both the United States and the United Kingdom.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) have officially linked these cyber incursions to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The actor behind this campaign is known by multiple aliases, such as APT28 (identified by FireEye Mandiant), Fancy Bear (from CrowdStrike), Sofacy (by Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks). This sophisticated adversary is recognized for utilizing password spray and brute-force login techniques to acquire valid credentials, facilitating future surveillance or unauthorized access.
Notably, in November 2020, Microsoft reported on credential harvesting operations by this actor, which primarily targeted organizations engaged in research for COVID-19 vaccines and treatments.
The current campaign stands out for its use of software containers to scale the brute-force attempts. CISA has indicated that a Kubernetes cluster is used to execute these access attempts against both government and private enterprise cloud environments globally. Once credentials are obtained, the GTsSS uses various known vulnerabilities to gain further network access, relying on remote code execution to move through internal networks.
Among the vulnerabilities exploited by APT28 to infiltrate breached organizations and access internal email servers are CVE-2020-0688 and CVE-2020-17144, both of which pertain to Microsoft Exchange Server’s remote code execution flaws.
The adversary has also deployed several evasion strategies to obscure components of their operations. These tactics include routing brute-force authentication attempts through Tor and various commercial VPN services such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.
The agencies emphasize that these attacks predominantly focus on targets within the United States and Europe, including government, military, defense contractors, energy firms, higher education institutions, logistics companies, law firms, media organizations, political consultants, and think tanks.
In response to this ongoing threat, cybersecurity officials recommend deploying and expanding multi-factor authentication to blunt such brute-force campaigns. Additional mitigations include enforcing strict access controls, adding time-out and lock-out functionality, mandating strong passwords, and adopting a Zero Trust security model that weighs multiple attributes when evaluating access requests, along with using analytics to identify anomalous activity.
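An added example (not from the advisory or this article) of the anomaly analytics mentioned above: a password-spray detector run over constructed authentication events, flagging a source that touches many distinct accounts in one time window with few successes. The log format, thresholds and sample lines are assumptions; because the campaign routes attempts through Tor and commercial VPNs, per-source counts are one signal among several, and the same bucketing can be keyed on a VPN or Tor exit range or on distinct-account counts across all sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<timestamp> <source-ip> <account> <result>".
# 203.0.113.7 touches many accounts with one failure each, the password-spray pattern;
# 198.51.100.5 is one user mistyping a password before logging in and must not be flagged.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.7 alice FAIL
2021-07-01T10:00:04Z 203.0.113.7 bob FAIL
2021-07-01T10:00:07Z 203.0.113.7 carol FAIL
2021-07-01T10:00:10Z 203.0.113.7 dave FAIL
2021-07-01T10:00:13Z 203.0.113.7 erin FAIL
2021-07-01T10:00:16Z 203.0.113.7 frank SUCCESS
2021-07-01T10:01:02Z 198.51.100.5 alice FAIL
2021-07-01T10:01:20Z 198.51.100.5 alice FAIL
2021-07-01T10:01:41Z 198.51.100.5 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def parse_events(text):
    """Yield (timestamp, source, account, succeeded) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def detect_password_spray(text, window_minutes=10, min_accounts=5, max_success_ratio=0.25):
    """Flag (source, window) pairs that hit many distinct accounts with a low success ratio.
    Each finding lists the accounts that did authenticate so those sessions can be reviewed first."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(lambda: {"accounts": set(), "attempts": 0, "succeeded": []})
    for ts, src, account, ok in parse_events(text):
        start = datetime.min + (ts - datetime.min) // window * window  # floor ts to its window
        b = buckets[(src, start)]
        b["accounts"].add(account)
        b["attempts"] += 1
        if ok:
            b["succeeded"].append(account)
    findings = []
    for (src, start), b in sorted(buckets.items()):
        ratio = len(b["succeeded"]) / b["attempts"]
        if len(b["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            findings.append({"source": src, "window_start": start.isoformat(),
                             "accounts": len(b["accounts"]), "attempts": b["attempts"],
                             "succeeded": sorted(b["succeeded"])})
    return findings
```

Accounts listed under `succeeded` in a flagged window are the ones whose credentials the spray obtained, so they are the first candidates for forced password reset and session revocation.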