FBI and NSA Warn of Russian Hackers Brute-Forcing Organizations Worldwide
The FBI, NSA, the Cybersecurity and Infrastructure Security Agency (CISA) under the U.S. Department of Homeland Security, and the UK’s National Cyber Security Centre (NCSC) have issued a joint statement warning that the Russian government-backed hacking group APT28 (also known as Fancy Bear, Pawn Storm, Sednit, Strontium) is actively brute-forcing the resources of government and private organizations around the world.
Details of the Attacks
According to the statement, “From at least mid-2019 to early 2021, the 85th Main Special Service Center of the GRU, also known as Unit 26165, used a Kubernetes cluster to conduct large-scale, distributed, and anonymous brute-force attacks on hundreds of targets in both the public and private sectors.”
The 85th Main Special Service Center focused much of this activity on organizations using Microsoft Office 365 cloud services, but attacks also targeted other service providers and on-premises mail servers using a variety of protocols. “This activity almost certainly continues to this day,” the statement says.
If the brute-force attacks were successful, APT28 hackers used compromised accounts to move laterally within the networks of affected organizations. The agencies report that APT28 combined stolen credentials with various exploits for vulnerabilities in Microsoft Exchange, including the RCE issues CVE-2020-0688 and CVE-2020-17144, to gain access to internal mail servers.
Attack Methods
These attacks often went undetected because APT28 masked brute-force attempts using Tor or commercial VPN services such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, as well as Kubernetes clusters. Brute-force attacks were typically carried out using various protocols, including HTTP(S), IMAP(S), POP3, and NTLM, so the attacks did not always follow the same channels.
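The pattern described above, a spray spread across many source addresses and several mail protocols so that no single IP trips a lockout, can be caught by correlating failures per window rather than per source. The following Python detector is an added illustration, not code from the advisory or the agencies; the log format, the thresholds and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from the advisory):
# timestamp protocol source_ip account result
SAMPLE_LOG = """\
2021-02-01T10:00:01Z IMAP 203.0.113.5 alice@example.org FAIL
2021-02-01T10:00:07Z IMAP 203.0.113.5 bob@example.org FAIL
2021-02-01T10:00:12Z POP3 198.51.100.9 carol@example.org FAIL
2021-02-01T10:00:20Z HTTPS 198.51.100.9 dave@example.org FAIL
2021-02-01T10:00:31Z NTLM 192.0.2.77 erin@example.org FAIL
2021-02-01T10:00:40Z IMAP 192.0.2.77 frank@example.org FAIL
2021-02-01T10:00:55Z HTTPS 203.0.113.5 grace@example.org FAIL
2021-02-01T10:03:03Z IMAP 198.51.100.9 alice@example.org SUCCESS
2021-02-01T10:30:00Z HTTPS 203.0.113.77 alice@example.org FAIL
2021-02-01T10:30:30Z HTTPS 203.0.113.77 alice@example.org SUCCESS
"""

def parse_log(text):
    """One event per line; timestamps are ISO-8601 UTC strings (assumed format)."""
    events = []
    for line in text.splitlines():
        ts, proto, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       proto, ip, user, result))
    return events

def detect_spray(events, window_minutes=5, min_accounts=5, max_per_ip=3):
    """Fixed-window bucketing. Many distinct accounts failing while no single
    source exceeds max_per_ip is the shape of a spray spread over many VPN/Tor
    exits, which per-IP lockouts never trip. A SUCCESS for a sprayed account
    in the same window is reported as a likely compromise."""
    buckets = defaultdict(list)
    for ts, proto, ip, user, result in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[start].append((proto, ip, user, result))
    alerts = []
    for start in sorted(buckets):
        fails = [e for e in buckets[start] if e[3] == "FAIL"]
        accounts = {user for _, _, user, _ in fails}
        per_ip = defaultdict(int)
        for _, ip, _, _ in fails:
            per_ip[ip] += 1
        if fails and len(accounts) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            hits = sorted({u for _, _, u, r in buckets[start]
                           if r == "SUCCESS" and u in accounts})
            alerts.append({"window": start, "accounts": len(accounts),
                           "sources": len(per_ip),
                           "protocols": sorted({p for p, *_ in fails}),
                           "compromised": hits})
    return alerts
```

The second window in the sample (one user failing once, then succeeding) is deliberately not flagged; a single source hammering many accounts is also left to the ordinary per-IP lockout rule.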
The NSA notes that from November 2020 to March 2021, hackers conducted attacks without anonymization services, which allowed the source IP addresses to be identified; the joint advisory lists them.
Targets and Impact
APT28’s attacks reportedly targeted a wide range of cloud resources, including government agencies, think tanks, defense contractors, energy, logistics, and law firms, among others. Law enforcement agencies have not disclosed specific details about the victims.