Russian GRU Brute Force Campaign Revealed: US and UK government agencies published a joint advisory on the Russian GRU’s ongoing brute force campaign against the cloud environments of government agencies and critical private sector institutions. The attacks ran from mid-2019 through at least early 2021, with a Kubernetes cluster used to carry out the brute force access attempts.
About the Attacker
Given the attacker’s TTPs (Tactics, Techniques and Procedures), the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is considered to be behind the attacks. Fancy Bear, APT28, Strontium and a number of other names are used by different vendors and agencies for the same threat actor.
Not to be confused with another Russian APT, APT29 (Cozy Bear): APT28 is associated with Russian military intelligence (the GRU), while APT29 is associated with the Russian Foreign Intelligence Service (SVR). Both APT28 and APT29 have successfully conducted spear-phishing attacks in the past as part of their TTPs.
What is the Purpose of the Attack?
The full extent of this actor’s goals is not yet known. As a nation-state actor, however, it can be expected to seek unauthorized access to confidential and commercial data and to exfiltrate it over prolonged periods while concealing its activity.
Though not mentioned in the joint cyber security advisory on this campaign, APT28 has successfully conducted social engineering attacks in the past as part of its TTPs, so the exfiltrated data could later be leveraged for spear-phishing attacks.
Threat Actor Origin: Russia (GRU GTsSS/APT28)
Purpose of the Attack:
– Not known to the full extent currently.
– Gain unauthorized access to confidential/private and commercial data.
– Gain more privileged access and extend footholds to exfiltrate data over prolonged periods.
– Conduct further spear-phishing attacks leveraging the exfiltrated data.
Attacker’s TTPs (Tactics, Techniques and Procedures):
– Conduct large-scale, distributed brute force attacks against cloud systems from a Kubernetes cluster.
– Use publicly known RCE vulnerabilities together with the compromised credentials.
– Use Tor and VPNs for anonymization.
– Evade detection by renaming malicious files with seemingly harmless extensions such as .wav, .mp4 or .aspx.
– Exfiltrate data by splitting files into chunks smaller than 1 MB and using asymmetric encryption.
Counter Measures (as advised in the joint advisory):
– Adopt MFA with strong factors.
– Enable time-out and lock-out features for the password authentication mechanism.
– Employ CAPTCHAs to slow down automated brute force attempts against password authentication mechanisms.
– Deny all inbound activity from known anonymization services such as Tor and VPNs where such access is not part of normal use.
The U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), together with the U.K.’s National Cyber Security Centre (NCSC), jointly revealed that Russian actors have been conducting widespread, distributed and anonymized brute force attacks targeting mainly the cloud environments of government agencies and the private sector.
Specifically, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is blamed for the brute force campaign. According to the joint advisory, the targets so far include government and military organizations, defense contractors, energy and logistics companies, think tanks, media companies and higher education institutions, both in the U.S. and globally.
The attacks mostly targeted Microsoft Office 365 cloud services, in addition to other cloud service providers and on-premises email servers.
Through the brute force attacks, the actors identify valid account credentials and gain initial unauthorized access to protected data. They then combine these compromised credentials with publicly known vulnerabilities to escalate privileges. Valid credentials are needed in particular to exploit Remote Code Execution (RCE) vulnerabilities that can only be triggered by an authenticated user, and to establish an initial foothold from which higher privileges can be obtained on the targeted systems. Among the many publicly known vulnerabilities that could potentially be leveraged, the actors were specifically identified exploiting two Microsoft Exchange RCE vulnerabilities, CVE-2020-0688 and CVE-2020-17144, both of which require a valid account.
Note that CVE-2020-0688 is among the vulnerabilities exploited by the red team tools stolen from FireEye. As may be recalled, the U.S. cybersecurity firm FireEye disclosed in December 2020 that it had been breached by a state-sponsored actor (allegedly APT29/Cozy Bear), and that the attackers had taken some of the red team assessment tools the company used to test its customers’ security.
Attacker’s TTPs (Tactics, Techniques and Procedures)
The actor gains remote access to the targeted cloud systems and then uses many well-known tactics, techniques and procedures (TTPs) to elevate privileges, move laterally, evade defenses and exfiltrate private/confidential data.
For initial access, the actor uses a Kubernetes cluster to run distributed, large-scale brute force attacks, specifically password spraying and password guessing. Spreading the attempts across many cluster nodes and anonymization services keeps each source IP under the thresholds that single-source lock-out rules are tuned for.
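To make the spraying pattern concrete, here is an added example (not part of the advisory or of this article’s original content) of detection logic run over constructed sample authentication log lines. The four-field log format, the fixed time bucket and the thresholds are assumptions. It looks at the same failures from two sides: a single source guessing across many accounts, and a single account guessed from many sources, the latter being what a spraying cluster looks like when each node stays under per-IP limits.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data): "timestamp source_ip user result".
# 203.0.113.7 sprays six accounts within seconds and lands one;
# 198.51.100.x is a cluster spraying the single account alice, one node per try;
# 192.0.2.50 is a legitimate user mistyping a password twice.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z 203.0.113.7 alice FAIL
2021-03-01T09:00:02Z 203.0.113.7 bob FAIL
2021-03-01T09:00:03Z 203.0.113.7 carol FAIL
2021-03-01T09:00:04Z 203.0.113.7 dave FAIL
2021-03-01T09:00:05Z 203.0.113.7 erin FAIL
2021-03-01T09:00:06Z 203.0.113.7 frank SUCCESS
2021-03-01T09:05:00Z 198.51.100.1 alice FAIL
2021-03-01T09:05:10Z 198.51.100.2 alice FAIL
2021-03-01T09:05:20Z 198.51.100.3 alice FAIL
2021-03-01T09:05:30Z 198.51.100.4 alice FAIL
2021-03-01T09:07:00Z 192.0.2.50 grace FAIL
2021-03-01T09:07:05Z 192.0.2.50 grace FAIL
2021-03-01T09:07:09Z 192.0.2.50 grace SUCCESS
"""


def parse_log(text):
    """Turn the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user.lower(),          # normalise so Alice and alice aggregate together
            "ok": result == "SUCCESS",
        })
    return events


def _bucket(ts, window_minutes):
    """Fixed-size time bucket. Simple and deterministic; a production detector
    would use a sliding window so an attack straddling a boundary is not halved."""
    return int(ts.timestamp()) // (window_minutes * 60)


def spraying_sources(events, window_minutes=10, min_users=5):
    """Source IPs with failed logins for >= min_users distinct accounts in one bucket.
    Also reports which accounts that source then logged into successfully."""
    failed = defaultdict(set)      # (bucket, ip) -> accounts that failed
    succeeded = defaultdict(set)   # (bucket, ip) -> accounts that succeeded
    for e in events:
        key = (_bucket(e["ts"], window_minutes), e["ip"])
        (succeeded if e["ok"] else failed)[key].add(e["user"])
    hits = {}
    for (bucket, ip), users in failed.items():
        if len(users) >= min_users:
            hits[ip] = {"distinct_failed_users": len(users),
                        "successes": sorted(succeeded[(bucket, ip)])}
    return hits


def distributed_targets(events, window_minutes=10, min_sources=4):
    """Accounts whose failures come from >= min_sources distinct IPs in one bucket.
    This is the view that catches a cluster of nodes each staying under per-IP limits."""
    sources = defaultdict(set)     # (bucket, user) -> source IPs
    for e in events:
        if not e["ok"]:
            sources[(_bucket(e["ts"], window_minutes), e["user"])].add(e["ip"])
    return {user: len(ips) for (_, user), ips in sources.items() if len(ips) >= min_sources}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("spraying sources:", spraying_sources(EVENTS))
    print("distributed targets:", distributed_targets(EVENTS))
```

On the sample, the first view flags 203.0.113.7 (five distinct failed accounts, then a success for frank, which is the account to reset first), while the second flags alice as hit from five sources even though no single one of them would trip a per-IP rule; grace’s two typos trip neither.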
The actors are also known to combine these compromised credentials with a variety of publicly known vulnerabilities to achieve RCE with elevated privileges, as the vulnerabilities in question can only be exploited by an authenticated user. The Microsoft Exchange Server RCE vulnerabilities CVE-2020-0688 and CVE-2020-17144 were used by the actors for this purpose. Other publicly known vulnerabilities (including the CVEs whose exploits were exposed by the theft of FireEye’s red team tools) could also be leveraged.
For collection, the actors search through local file systems, network shares and other data repositories. The collected data was typically staged on an Outlook Web Access (OWA) server for exfiltration.
To evade detection, the actors were observed renaming malicious files with seemingly harmless extensions such as .wav, .mp4 or .aspx.
For exfiltration, the actors typically split archived files into chunks smaller than 1 MB and used asymmetric encryption to conceal the content of the data transferred.
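As an added example (not from the advisory) covering the two tricks above, the following Python triages a set of staged files, constructed in memory here rather than taken from a real host, for media extensions whose content does not carry the matching file signature and for numbered series of sub-1 MB chunks filled with high-entropy (encrypted or compressed) data. The signature table, the chunk-name pattern and the entropy threshold are assumptions and would need extending for a real scanner; .aspx is plain text and cannot be validated by magic bytes at all.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Minimal signature table (assumption: a real scanner would use libmagic).
# Each entry is (offset, expected bytes) for the format the extension claims.
EXPECTED_MAGIC = {
    ".wav": (0, b"RIFF"),
    ".mp4": (4, b"ftyp"),
}
# Signatures that have no business behind a media or script extension.
KNOWN_BINARY = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP/Office archive"}

# Names like "backup.tar.gz.001.mp4" or "dump_part03.wav": stem, index, extension.
CHUNK_NAME = re.compile(r"^(?P<stem>.+?)[._-]?(?:part)?(?P<idx>\d{2,4})(?P<ext>\.[A-Za-z0-9]+)$")


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_extension(name, data):
    """Return a reason when the content does not match what the extension claims, else None."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    binary_type = next((label for sig, label in KNOWN_BINARY.items() if data.startswith(sig)), None)
    if ext in EXPECTED_MAGIC:
        offset, magic = EXPECTED_MAGIC[ext]
        if data[offset:offset + len(magic)] != magic:
            return f"{binary_type or 'no ' + ext + ' signature'} behind {ext}"
        return None
    # Unknown or text extension: only a recognised binary signature is suspicious.
    return f"{binary_type} behind {ext}" if binary_type else None


def find_chunk_series(files, max_size=1 << 20, min_parts=3, min_entropy=7.5):
    """Numbered file series whose members are all under max_size and look encrypted."""
    groups = defaultdict(list)
    for name, data in files.items():
        m = CHUNK_NAME.match(name)
        if m:
            groups[(m.group("stem"), m.group("ext").lower())].append(data)
    series = {}
    for key, parts in groups.items():
        if len(parts) >= min_parts and all(len(p) < max_size for p in parts):
            lowest = min(shannon_entropy(p) for p in parts)
            if lowest >= min_entropy:
                series[key] = {"parts": len(parts), "min_entropy": round(lowest, 3)}
    return series


def triage(files):
    """files: {name: bytes}. Returns masquerading files and suspicious chunk series."""
    masquerade = {n: r for n, d in files.items() if (r := check_extension(n, d))}
    return {"masquerade": masquerade, "chunk_series": find_chunk_series(files)}


def _pseudo_random(seed, n):
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed staging directory, not real evidence.
FILES = {
    "notes.wav": b"RIFF" + b"\x00" * 4 + b"WAVEfmt " + b"\x00" * 32,   # genuine-looking WAV header
    "clip.mp4": b"MZ\x90\x00" + b"\x00" * 60,                           # PE renamed to .mp4
    "default.aspx": b'<%@ Page Language="C#" %>\r\n<html></html>\r\n',  # text, not checkable by magic
    "q3.tar.gz.001.mp4": _pseudo_random(b"a", 256 * 1024),              # three sub-1 MB encrypted chunks
    "q3.tar.gz.002.mp4": _pseudo_random(b"b", 256 * 1024),
    "q3.tar.gz.003.mp4": _pseudo_random(b"c", 256 * 1024),
}

if __name__ == "__main__":
    for section, findings in triage(FILES).items():
        print(section, findings)
```

The two checks reinforce each other: each chunk is individually flagged only for lacking an MP4 signature, which on its own is weak, but the series as a whole (three numbered parts, all under 1 MB, all at near-maximal entropy) is the exfiltration staging pattern the advisory describes.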
For more details on the attacker’s TTPs, please refer to the joint cyber security advisory on the attack.
To defend against the TTPs of this actor that rely on brute force cracking of credentials, the following counter measures can be implemented (as advised by the joint cyber security advisory):
- Adopt multi-factor authentication (MFA) with strong factors, i.e., ones that cannot be guessed. Factors that can be used in addition to “something you know” include “something you have”, “something you are” (biometrics), “something you do” (behavioral biometrics) and “somewhere you are”.
- Enable time-out and lock-out features in the password authentication mechanism, so that brute force attempts are slowed down enough to become infeasible. Note that a per-account lock-out on its own does not stop password spraying, which tries only one or two passwords per account; failures also need to be throttled per source.
- Employ CAPTCHAs to slow down automated brute force attempts against password authentication mechanisms.
- Discourage poor password choices by checking new or changed passwords with automated tools (such as lists of commonly used or previously breached passwords) at the time they are set.
- Disable default credentials.
- Use authentication mechanisms that employ strong encryption protocols.
- Block the IP addresses associated with the campaign (listed in the advisory).
- Deny all inbound activity from known anonymization services such as Tor and commercial VPNs, where such access is not part of normal use.
- Audit access logs with automated tools and use IDS/IPS to detect malicious attempts.
- Employ a Zero Trust security model and network segmentation so that a compromised account cannot reach more privileged resources.
- Train users/employees to recognize social engineering attacks (including spear-phishing).
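The lock-out and time-out advice above is easy to get wrong against spraying, so here is an added example (invented class and parameter names, not any product’s implementation and not code from the advisory) of a login gate that combines a per-account lock-out with a per-source throttle keyed on the number of distinct accounts tried. Time is passed in explicitly so the behaviour can be exercised without sleeping; the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque


class LoginGate:
    """Decides whether a login attempt may even reach the password check.

    Hypothetical policy object (not a real product API). The caller performs the
    credential check and reports the result; the gate keeps the counters."""

    def __init__(self, account_threshold=5, account_lockout_s=900,
                 source_window_s=600, source_threshold=20, source_distinct_users=5):
        self.account_threshold = account_threshold          # consecutive failures before lock-out
        self.account_lockout_s = account_lockout_s          # lock-out duration (time-out)
        self.source_window_s = source_window_s              # sliding window for per-source counters
        self.source_threshold = source_threshold            # total failures per source in window
        self.source_distinct_users = source_distinct_users  # distinct accounts per source in window
        self._account_failures = defaultdict(int)           # user -> consecutive failures
        self._account_locked_until = {}                     # user -> epoch seconds
        self._source_failures = defaultdict(deque)          # ip -> deque of (ts, user)

    def _prune(self, ip, now):
        q = self._source_failures[ip]
        while q and q[0][0] <= now - self.source_window_s:
            q.popleft()
        return q

    def attempt(self, user, ip, password_ok, now):
        """Return (allowed, reason). The reason is for logging only: the client must
        receive one generic failure message, or the gate becomes a lock-out oracle
        that reveals which usernames exist."""
        user = user.lower()
        if self._account_locked_until.get(user, 0) > now:
            return False, "account_locked"
        q = self._prune(ip, now)
        if len(q) >= self.source_threshold or len({u for _, u in q}) >= self.source_distinct_users:
            return False, "source_throttled"
        if password_ok:
            self._account_failures.pop(user, None)
            return True, "ok"
        self._account_failures[user] += 1
        q.append((now, user))
        if self._account_failures[user] >= self.account_threshold:
            self._account_locked_until[user] = now + self.account_lockout_s
            self._account_failures.pop(user, None)
            return False, "account_locked"
        return False, "bad_password"


def demo_single_account_bruteforce():
    """Classic brute force: the fifth failure locks the account, and even the
    correct password is refused until the lock-out expires."""
    gate = LoginGate()
    reasons = [gate.attempt("alice", "203.0.113.7", False, now=t)[1] for t in range(5)]
    return reasons, gate.attempt("alice", "203.0.113.7", True, now=5)


def demo_password_spray():
    """One guess per account from one source: the per-account counter never reaches
    its threshold, so only the distinct-accounts-per-source rule stops the spray.
    Once the window has passed the source is allowed again; a cluster that rotates
    source IPs evades this rule entirely and has to be caught by correlating the
    authentication logs across sources."""
    gate = LoginGate()
    reasons = [gate.attempt(f"user{i}", "198.51.100.9", False, now=i)[1] for i in range(8)]
    after_window = gate.attempt("user9", "198.51.100.9", False, now=700)[1]
    return reasons, after_window


if __name__ == "__main__":
    print(demo_single_account_bruteforce())
    print(demo_password_spray())
```

The point of the second demo is the one the advisory’s lock-out advice leaves implicit: with one attempt per account, the account lock-out never fires, and the throttle that does fire is the per-source one; against a distributed cluster that rotates sources, neither fires, which is why log correlation and MFA remain necessary.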
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did.
Bruce Schneier
References:
- Joint Cyber Security Advisory on Russian GRU’s Global Brute Force Campaign
- State Sponsored Attackers Targeted FireEye
- NVD CVE-2020-0688
- NVD CVE-2020-17144