A joint alert from the U.S. and U.K. warns that Fancy Bear, a hacking group tied to Russia’s Main Intelligence Directorate (GRU), has been conducting a stealthy two-year espionage campaign that targets global enterprise and cloud environments with brute-force attacks.
According to the alert – issued by the U.S. National Security Agency, Cybersecurity and Infrastructure Security Agency and FBI, as well as Britain’s National Cyber Security Centre – the campaign dates back to at least mid-2019 and has targeted hundreds of U.S. and foreign organizations, with a particular focus on the United States and Europe.
“Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks,” the NSA said in an announcement.
An accompanying technical advisory provides further detail, stating that the group used a Kubernetes cluster to mount “widespread, distributed and anonymized” brute-force attempts against organizations to gain access to protected data such as email, as well as account credentials that could be used for access, persistence and other ends in later intrusions. The actors then combined those valid credentials with exploitation of publicly known but unpatched remote code execution vulnerabilities in Microsoft Exchange servers to gain further access to target networks. They also directed a “significant amount” of their effort at organizations that use Microsoft Office 365 cloud services, though other cloud and on-premises email servers were targeted as well.
Fancy Bear doesn’t appear to be leveraging any new zero-day exploits in the campaign, instead relying on tried-and-true tactics like password spraying while exploiting publicly known (but unpatched) vulnerabilities like those affecting Microsoft Exchange.
While the group uses a number of obfuscation and stealth tactics, NSA said “many detection opportunities remain viable to identify the malicious actor.” The Kubernetes cluster used to carry out the attacks routed much of its traffic through Tor to hide its true origin and metadata, and also used commercial VPN services including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. The advisory identifies at least 10 different nodes associated with the cluster’s brute-force attacks.
“This two-year brute force campaign is likely ongoing – you can counter it by using strong authentication measures,” Rob Joyce, the NSA’s director of cybersecurity, said after the alert was published. “Adding multi-factor authentication will go a long way in remediating the threat.”
In addition to multi-factor authentication, the agencies recommend implementing time-out or lockout features for password authentication, checking current passwords against existing password dictionaries to root out weak candidates, changing default credentials, and using automated tools to audit access logs for suspicious or malicious behavior. Larger security overhauls such as network segmentation and a zero trust architecture were also recommended.
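Two of those recommendations, auditing access logs for spraying behavior and screening passwords against a dictionary, are easy to misimplement. The script below is an added example, not code from the advisory or the agencies; it works over a constructed, hypothetical log format (timestamp, result, user, source IP) that you would replace with your own IdP or mail-server log parser. The point it makes is that a detector keyed on source IP catches the classic one-host spray but not the distributed, Tor- and VPN-routed pattern the advisory describes, so a second, tenant-wide sliding window over distinct failing accounts is needed. The dictionary check normalizes the guess patterns sprayers actually use (Season+Year+punctuation, leetspeak) before looking a password up; the word list here is a tiny stand-in for a real one.

```python
"""Password-spray detection and dictionary-password screening.

Added example, not from the advisory or the article. The log format and
sample lines are constructed; adapt parse() to your own authentication logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a one-host spray (198.51.100.7), a distributed spray
# where every source tries a single account (203.0.113.x), and one user
# mistyping their own password (192.0.2.5), which is not a spray.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL alice 198.51.100.7
2021-07-01T10:00:03Z FAIL bob 198.51.100.7
2021-07-01T10:00:05Z FAIL carol 198.51.100.7
2021-07-01T10:00:07Z FAIL dave 198.51.100.7
2021-07-01T10:00:09Z FAIL erin 198.51.100.7
2021-07-01T10:00:11Z OK frank 198.51.100.7
2021-07-01T11:00:00Z FAIL alice 203.0.113.10
2021-07-01T11:00:20Z FAIL bob 203.0.113.11
2021-07-01T11:00:40Z FAIL carol 203.0.113.12
2021-07-01T11:01:00Z FAIL dave 203.0.113.13
2021-07-01T11:01:20Z FAIL erin 203.0.113.14
2021-07-01T11:01:40Z OK frank 203.0.113.15
2021-07-01T12:00:00Z FAIL alice 192.0.2.5
2021-07-01T12:00:02Z FAIL alice 192.0.2.5
2021-07-01T12:00:04Z FAIL alice 192.0.2.5
2021-07-01T12:00:06Z FAIL alice 192.0.2.5
2021-07-01T12:00:08Z OK alice 192.0.2.5
"""


def parse(log_text):
    """Parse the hypothetical 'ts result user ip' format into tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def _bursts(items, window, min_users):
    """items: sorted (ts, user) failures. Sliding window over time; emit one
    (first_ts, last_ts, users) per burst with >= min_users distinct accounts."""
    bursts = []
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        users = {u for _, u in items[start:end + 1]}
        if len(users) >= min_users:
            bursts.append((items[start][0], items[end][0], sorted(users)))
            start = end + 1  # one alert per burst, then look for the next
    return bursts


def spray_by_source(events, window=timedelta(minutes=10), min_users=5):
    """Classic detector: one source IP failing against many distinct accounts.
    Misses sprays spread across Tor exits or VPN egress addresses."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    return {ip: _bursts(sorted(items), window, min_users)[0][2]
            for ip, items in fails.items()
            if _bursts(sorted(items), window, min_users)}


def spray_tenant_wide(events, window=timedelta(minutes=10), min_users=5):
    """Distributed detector: many distinct accounts failing in one window,
    ignoring source. A single user retyping their password never trips it."""
    fails = sorted((ts, user) for ts, result, user, ip in events if result == "FAIL")
    return _bursts(fails, window, min_users)


COMMON_WORDS = {"password", "summer", "welcome", "company", "qwerty"}  # stand-in wordlist


def is_dictionary_password(pw, words=COMMON_WORDS):
    """Strip the trailing year/punctuation and undo leetspeak before lookup,
    so 'Summer2021!' and 'P@ssw0rd' are recognized as dictionary words."""
    base = pw.lower().rstrip("0123456789!@#$%^&*.")
    base = base.translate(str.maketrans("@$013", "asole"))
    return base in words


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-source sprays:", spray_by_source(ev))
    for first, last, users in spray_tenant_wide(ev):
        print(f"tenant-wide spray {first:%H:%M:%S}-{last:%H:%M:%S}: {users}")
    for pw in ("Summer2021!", "P@ssw0rd", "x7Qm!vL92z"):
        print(pw, "weak" if is_dictionary_password(pw) else "ok")
```

On the sample, the per-source detector flags only 198.51.100.7, while the tenant-wide window flags both the 10:00 burst and the distributed 11:00 burst and ignores the single-account retries at 12:00. Tune the window and threshold to your tenant's baseline of distinct failing accounts, and alert on the tenant-wide signal even when no single IP stands out.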
John Hultquist, vice president of intelligence for Mandiant, said in a statement that the Russian hacking group is known for targeting politicians, military institutions and their support structures to gather intelligence. Hultquist and other threat intelligence experts say this sort of digital spying, while damaging, is common among countries and falls under traditional definitions of espionage.
“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” said Hultquist. “Despite our best efforts we are very unlikely to ever stop Moscow from spying.”