Recently, top US security agencies warn about the wave of brute-force cyberattacks by the Russian military intelligence agency named GRU. The security agencies, including NSA (National Security Agency) and CISA (Cybersecurity and Infrastructure Security Agency), have issued a joint advisory. The GRU (the Russian General Staff Main Intelligence Directorate) has been carrying out brute-force cyberattacks since 2019. As a military intelligence division of Russia, it targets the government and private sectors of the United States and globally.
LIFARS offers Gap Assessment Solution. It provides you with an actionable roadmap. Essentially, it helps you reach the target maturity level, including structure, strategy, governance, and operations management plan.
The ongoing campaign has targeted hundreds of organizations worldwide. Nevertheless, it has a predominant focus on the US and European entities. The different types of entities or organizations have fallen prey to it by the nation-state hacking team utilizing malicious tactics, techniques, and procedures (TTPs). It targets government organizations, defense contractors, higher education institutions, law firms, energy companies, and logistics companies. Besides that, the campaign has also targeted political consultants, party organizations, and media companies.
What Are Brute-Force Cyberattacks Techniques?
Brute-force techniques are straightforward methods to pave the way into the networks. In brute-force cyberattacks strategy, an attacker attempts to trespass on the network by submitting a high volume of login information. It may include email and other valid account credentials. A cybercriminal exploits this method with the hope that one will get him successful. In other words, a cyber-threat actor leverages trial and error attempts to crack login credentials.
According to the advisory, the adversary can potentially access protected data when the attack proves successful. The data includes the credentials that help the cyber threat actors to move laterally within the targeted entity. For example, the credentials can be used for initial access, privilege escalation, persistence, and defense evasion.
Meanwhile, Tim Mackey is the principal security strategist at the Synopsys Cybersecurity Research Centre. He argues that it is impossible to distinguish between a legitimate and illegitimate user accessing data when the account gets compromised.
An Overview of GRU
Under the immediate control of the Russian military, the GRU runs the military intelligence service. In 1942, Joseph Stalin had formed it in its current form. It used to carry out spying operations during the cold war.
According to the advisory, the group that runs the ongoing hacking campaign is 85th GTsSS (Main Special Service Center), military unit 26165. It engages in old-fashioned brute-force hacking to obtain credentials from its targets. However, they carry out brute-force cyberattacks at a modern scale by employing Kubernetes software containers.
They make use of both password-guessing methods and leaked credentials to withdraw the credentials viciously. Subsequently, they move laterally within the network to steal information. Simultaneously, the Kubernetes cluster of containers helps attackers target organizations on Microsoft Office 365 cloud services and other service providers.
Recommended Measures by the Joint Advisory
The security agencies have advised various measures to escape the targeted brute-force cyberattacks by the GRU. It includes the implementation of multi-factor authentication and creating strong passwords. Moreover, the advisory also urged to leverage network segmentation, time-out features, lock-out features, zero-trust practices, and automated auditing tools.
Likewise, organizations can deny all incoming activity from recognized anonymization services. It may involve commercial VPNs (virtual private networks) and TOR (The Onion Router), where such access is not for typical use. Apart from this, the way forward is to employ proactive security services to remain one step ahead of currently used malicious, brute-force cyberattacks.