WASHINGTON (AP) – US and UK authorities on Thursday announced details of “brute force” methods allegedly used by Russian intelligence to try to break into the cloud services of hundreds of government agencies, energy companies and other organizations.
An advisory published by the US National Security Agency describes attacks by operators of the Russian military intelligence service GRU, which has previously been linked to major cyberattacks abroad and to efforts to disrupt the US elections in 2016 and 2020.
In a statement, Rob Joyce, director of cybersecurity at the NSA, said the campaign was “likely ongoing, on a global scale.”
Brute force attacks involve automatically trying large numbers of candidate passwords against login services until one works; the advisory specifically describes “password spraying,” in which a few common passwords are tried against many accounts so that per-account lockouts are never triggered. The advisory calls on organizations to adopt measures that experts have long recommended as basic cyber hygiene, including multi-factor authentication and strong passwords.
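The advisory's hygiene advice (MFA, strong passwords) is the preventive side; the detection side is recognizing the spray pattern in authentication logs. The following is an added example, not code from the NSA/CISA/FBI/NCSC advisory or from AP: it parses a constructed, simplified sign-in log (timestamp, result, user, source IP; the field names are an assumption, real Office 365 or Azure AD sign-in logs use different ones) and distinguishes a spray (one source, many accounts, few attempts each) from a classic single-account brute force, flagging any success from the same source afterwards, which is the moment an account was actually compromised.

```python
"""Detect password spraying vs. single-account brute force in auth logs.

Added example; the log format and thresholds below are assumptions, not
taken from the advisory.  Adapt LOG_RE to your own sign-in log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 sprays one guess across many accounts
# and then succeeds on one; 198.51.100.9 hammers a single account;
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2021-07-01T08:00:01Z auth FAIL user=alice src=203.0.113.7
2021-07-01T08:00:03Z auth FAIL user=bob src=203.0.113.7
2021-07-01T08:00:05Z auth FAIL user=carol src=203.0.113.7
2021-07-01T08:00:07Z auth FAIL user=dave src=203.0.113.7
2021-07-01T08:00:09Z auth FAIL user=erin src=203.0.113.7
2021-07-01T08:00:11Z auth OK user=frank src=203.0.113.7
2021-07-01T08:00:02Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:00:02Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:00:03Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:00:04Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:00:05Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:00:06Z auth FAIL user=admin src=198.51.100.9
2021-07-01T08:05:00Z auth FAIL user=grace src=192.0.2.44
2021-07-01T08:05:10Z auth OK user=grace src=192.0.2.44
"""


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return {src: {"kind", "users", "fails", "success_after"}} for suspicious sources.

    spray: within `window`, one source fails against >= spray_users distinct
           accounts (few tries each, so per-account lockout never fires).
    brute: within `window`, one source fails >= brute_fails times on one account.
    success_after lists accounts that logged in successfully from the same
    source during or shortly after the burst.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # Sliding window anchored at each failure, looking `window` forward.
        for i, first in enumerate(fails):
            win = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            kind = None
            if len(per_user) >= spray_users:
                kind = "spray"
            elif max(per_user.values()) >= brute_fails:
                kind = "brute"
            if kind:
                end = win[-1]["ts"]
                success_after = sorted({
                    e["user"] for e in evs
                    if e["ok"] and first["ts"] <= e["ts"] <= end + window
                })
                findings[src] = {
                    "kind": kind,
                    "users": len(per_user),
                    "fails": len(win),
                    "success_after": success_after,
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in detect(parse(SAMPLE_LOG)).items():
        print(src, f)
```

The spray threshold is deliberately on distinct accounts rather than on failure count, because a spray of one guess per account produces only one failure per user and never trips lockout-based alerting; a source that succeeds after such a burst (here `203.0.113.7` landing on `frank`) is the one to escalate first.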
The advisory, issued during a devastating wave of ransomware attacks on governments and critical infrastructure, does not name specific targets of the campaign or state its presumed purpose, saying only that the hackers targeted hundreds of organizations around the world.
According to the NSA, GRU-affiliated operators ran their break-in attempts from a Kubernetes cluster, an open source container-orchestration platform originally developed by Google, from at least mid-2019 until early this year. While a “significant part” of the attempts were aimed at organizations using Microsoft’s Office 365 cloud services, the hackers also went after other cloud providers and e-mail servers, the NSA said.
The US has long accused Russia of using and tolerating cyberattacks for espionage, spreading disinformation, and disrupting governments and critical infrastructure. The Russian embassy in Washington did not immediately respond to a request for comment on Thursday.
Joe Slowik, a threat analyst with network monitoring firm Gigamon, said the activity described by the NSA on Thursday showed that the GRU had further refined an already common network break-in technique. He said it appears to overlap with the Department of Energy’s reporting of brute force intrusion attempts against the US energy and government sectors in late 2019 and early 2020, so the US government has apparently been aware of it for some time.
Slowik said the use of Kubernetes was “certainly a bit unique, although it doesn’t seem worrying on its own.” He said the brute force method and the lateral movement within networks described by the NSA are common to both state-sponsored hackers and ransomware gangs, allowing the GRU to blend in with other actors.
John Hultquist, vice president of analysis at the cybersecurity firm Mandiant, described the activity in the advisory as “routine collection against policy makers, diplomats, the military and the defense industry.”
“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may try to disrupt,” Hultquist said in a statement.
The FBI and the Cybersecurity and Infrastructure Security Agency co-signed the advisory, as did the UK’s National Cyber Security Centre.
US officials have repeatedly linked the GRU to hacking incidents in recent years. In 2018, Special Counsel Robert Mueller’s office charged 12 GRU officers with hacking Democratic emails that were then released by WikiLeaks in an effort to harm Hillary Clinton’s presidential campaign and boost Donald Trump’s bid.
More recently, last fall, the Justice Department announced charges against GRU officers for cyberattacks targeting a French presidential election, the South Korean Winter Olympics and American companies.
Unlike Russia’s foreign intelligence agency, the SVR, which is blamed for the SolarWinds hacking campaign and takes care to avoid detection in its cyber operations, the GRU has carried out some of the most damaging cyberattacks on record, including two on the Ukrainian power grid and the 2017 NotPetya malware that caused more than $10 billion in damage worldwide.
GRU agents were also involved in spreading disinformation about the coronavirus pandemic, US officials alleged. And a March US intelligence assessment said the GRU tried to spy on people in US politics in 2019 and 2020 and ran a phishing campaign against subsidiaries of the Ukrainian energy company Burisma, likely seeking information to harm Joe Biden, whose son had previously served on the company’s board.
In April the Biden administration sanctioned Russia over its election interference and the SolarWinds breach.
Bajak reported from Boston.