Russian military intelligence has conducted a coordinated hacking campaign against “hundreds of government and private sector targets worldwide,” including energy companies, since 2019 that is “likely ongoing,” according to an advisory issued last week by several U.S. agencies including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, along with the U.K.’s National Cyber Security Centre.
The organization implicated in the hacking operation is Unit 26165 of Russia’s Main Intelligence Directorate (GRU), which has gained a variety of nicknames from cybersecurity firms including Fancy Bear, APT28 and Strontium. Fancy Bear has been accused of perpetrating a number of cyber actions worldwide, including interfering in the 2016 U.S. presidential election, for which it was indicted by the Justice Department in 2018.
Targets are predominantly located in the U.S. and Europe, the agencies said, and include a wide range of industries such as logistics, media, law and higher education. Government and military organizations, political consultants and parties, and defense contractors were also attacked.
According to the advisory, the hackers used an open-source application called Kubernetes for their campaign. Kubernetes, originally developed by Google and now maintained by the Cloud Native Computing Foundation, is used for automating the deployment, scaling and management of applications via logical units called containers. The software’s developers claim it allows organizations to scale their operations “without increasing [their] ops team” and “deliver … applications consistently and easily no matter how complex” their needs are.
Over the past few years, the Fancy Bear team allegedly conducted a massive “password spray” campaign — a brute-force hacking technique where automated software repeatedly attempts to guess passwords for protected systems, using various combinations of known or leaked usernames and variations on common passwords. The use of Kubernetes software, not seen in previous hacking campaigns according to the agencies, allowed Fancy Bear to “easily scale its brute-force attempts.”
The Kubernetes service used by Fancy Bear typically routed its infiltration attempts through a number of intermediate pathways in order to hide their origin, including virtual private network (VPN) services and Tor, a part of the “dark web” that directs users’ internet traffic through virtual tunnels rather than a direct connection. Tor is often used to evade law enforcement, by criminals as well as by whistleblowers and activists who need to communicate anonymously with each other or with journalists.
After Entry, Hackers Expanded Access
Identifying valid credentials was just the first step for the hackers: Once inside the target network, Fancy Bear used a number of tactics, techniques and procedures (TTPs) to expand its access and evade defenses. Most, but not all, of the TTPs used by the hackers exploited weaknesses in Microsoft services, including Office 365 and Exchange, and served a variety of purposes, from simple espionage to planting the group’s own software on targets’ servers:
- Data collection — exfiltrating files from local systems, network shared drives and other information repositories
- Command and control — transferring files into target environments
- Defense evasion — renaming files containing stolen information and the apps used to spy on the target system in order to look like legitimate data
The agencies warned that detecting intrusions might be very difficult for organizations because of the attackers’ ability to disguise their origins and alter “specific indicators of compromise (IOC) … to bypass IOC-based mitigation.” The agencies suggested that potential targets block all inbound traffic from Tor nodes and VPN services unless such access is part of normal business use.
The agencies also recommended that organizations implement stronger credential measures, such as multifactor authentication, requiring regular reauthorization, and enabling time-out and lock-out features to prevent adversaries from making multiple guesses in a short time. Organizations can also use password services that warn users when they are using easily guessed passwords or passwords that have already been compromised, pushing them toward more complicated credentials.
Other useful mitigation measures include using network segmentation and restrictions to “limit access and utilize additional attributes (such as device information, environment, access path) when making access decisions,” with the goal of reaching a “zero-trust” model in which the organization treats all users, devices or traffic as inherently untrustworthy until proven otherwise. Organizations can also use automated tools to analyze access logs for suspicious access attempts.
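The password-spray technique described above spreads a few guesses across many accounts, so a per-account lock-out threshold never trips; the log analysis the agencies recommend has to look at the source instead. The following is an added illustration, not code from the advisory or any named vendor: it runs a spray detector and a lock-out check over constructed authentication log lines (the log format, source addresses and user names are assumptions).

```python
"""Password-spray detection over constructed auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory). One source tries a single
# guess against many accounts, staying under any per-account lock-out;
# a second source is one user failing twice, then logging in.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-07-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-07-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2021-07-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2021-07-01T10:00:05Z src=203.0.113.5 user=erin result=SUCCESS
2021-07-01T10:00:06Z src=198.51.100.7 user=frank result=FAIL
2021-07-01T10:00:09Z src=198.51.100.7 user=frank result=FAIL
2021-07-01T10:00:12Z src=198.51.100.7 user=frank result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(text):
    """Yield (timestamp, source, user, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(3), m.group(4))

def detect_spray(text, window=timedelta(minutes=10), min_accounts=4, max_per_account=3):
    """Flag sources whose failures hit many distinct accounts with few tries each.
    Any success from the same source inside the window is a likely credential hit."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse(text)):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, events in by_src.items():
        for i, (start, _, _) in enumerate(events):
            fails, hits = defaultdict(int), set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    hits.add(user)
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                alerts[src] = {"accounts": sorted(fails), "compromised": sorted(hits)}
                break  # one alert per source is enough
    return alerts

def accounts_over_lockout(text, threshold=3):
    """Accounts a per-account lock-out would catch: the spray above is not among them."""
    fails = defaultdict(int)
    for _, _, user, result in parse(text):
        fails[user] += result == "FAIL"
    return {u for u, n in fails.items() if n >= threshold}
```

Running both functions on the sample shows the asymmetry: the spraying source is flagged with four targeted accounts and one compromised login, while the lock-out check sees no account reach three failures.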
Russia a Constant Cyber Threat
Cybersecurity has been a source of considerable tension in the U.S.-Russia relationship for some time, and GRU in particular is an ongoing irritant. In addition to the Fancy Bear indictments in 2018, the Justice Department last year indicted six officers from a different unit of the directorate — dubbed “Sandworm” or “Voodoo Bear” by some analysts — for multiple cyberattacks around the world, including the Ukraine power grid hacks of 2015 and 2017. (See Six Russians Charged for Ukraine Cyberattacks.)
In addition to state-sponsored cyberattacks, criminals based in Russia have been accused of several high-profile ransomware attacks this year, including the hack of Colonial Pipeline in May that led to the shutdown of the company’s entire fuel distribution network. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.) President Biden, meeting with Russian President Vladimir Putin last month, reportedly “laid down some clear markers” regarding his country’s willingness to respond should Russia “choose not to take action against criminals … attacking [U.S.] critical infrastructure from Russian soil.” (See King, Mandia Warn of ‘Unlimited’ Cyber Dangers.)
CISA is one of the key agencies in the struggle against these cyber intrusions, but its efforts have been complicated by the fact that Jen Easterly, Biden’s nominee to head the agency, remains unconfirmed by the Senate following her confirmation hearing in early June. (See Inglis, Easterly Define Roles in Confirmation Hearing.) The agency has been headed by acting Director Brandon Wales since former President Donald Trump fired founding Director Chris Krebs for refusing to back up Trump’s claims of fraud in the 2020 presidential election. (See After Contradicting Trump, Krebs Out at CISA.)
Easterly’s nomination has not advanced because of a hold placed by Sen. Rick Scott (R-Fla.), who pledged in May to block all the president’s nominees to the Department of Homeland Security until Biden or Vice President Kamala Harris visited the U.S. border with Mexico. Harris did so on June 25; Scott said he would lift his hold when she arrived at the border, but by that point the Senate had begun a two-week recess, meaning that Easterly’s confirmation vote cannot be held until next week at the earliest.
Not all of Biden’s cyber nominees have been stymied: Chris Inglis, the first national cyber director in the Executive Office of the President, started work last month after confirmation in the Senate.