US and British agencies have revealed details of “brute force” methods used by Russian intelligence to break into the cloud services of hundreds of government agencies, energy companies and other organisations.
An advisory released by the US National Security Agency (NSA) describes attacks by operatives linked to the GRU, the Russian military intelligence agency, which has been tied to major cyberattacks abroad and efforts to disrupt the 2016 and 2020 US elections.
In a statement, NSA cybersecurity director Rob Joyce said the campaign was “likely ongoing, on a global scale”.
Brute force attacks involve the automated spraying of sites with potential passwords until hackers gain access.
The advisory, which was jointly issued with the British National Cyber Security Centre, urges companies to adopt methods recommended by experts as common-sense cyber hygiene, including the use of multi-factor authentication and mandating strong passwords.
Issued during a devastating wave of ransomware attacks on governments and key infrastructure, the advisory does not disclose specific targets of the campaign or its presumed purpose, saying only that hackers have targeted hundreds of organisations worldwide.
The NSA says GRU-linked operatives have tried to break into networks using Kubernetes, an open-source tool originally developed by Google to manage cloud services, since at least mid-2019.
While a “significant amount” of the attempted break-ins targeted organisations using Microsoft’s Office 365 cloud services, the hackers went after other cloud providers and email servers as well, the NSA said.
The US has long accused Russia of using and tolerating cyberattacks for espionage, spreading disinformation, and the disruption of governments and key infrastructure.
Joe Slowik, a threat analyst at the network-monitoring firm Gigamon, said the activity described by NSA on Thursday shows the GRU has further streamlined an already popular technique for breaking into networks.
He said it appears to overlap with Department of Energy reporting on brute force intrusion attempts in late 2019 and early 2020 targeting the US energy and government sectors and is something the US government has apparently been aware of for some time.
Mr Slowik said the use of Kubernetes “is certainly a bit unique, although on its own it doesn’t appear worrying”.
He said the brute force method and lateral movement inside networks described by NSA are common among state-backed hackers and criminal ransomware gangs, allowing the GRU to blend in with other actors.
John Hultquist, vice president of analysis at the cybersecurity firm Mandiant, characterised the activity described in the advisory as “routine collection against policy makers, diplomats, the military, and the defence industry”.
“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” Mr Hultquist said.
The FBI and the Cybersecurity and Infrastructure Security Agency also joined the advisory.
The GRU has been repeatedly linked by US officials in recent years to a series of hacking incidents.
In 2018, special counsel Robert Mueller’s office charged 12 military intelligence officers with hacking Democratic emails that were then released by WikiLeaks in an effort to harm Hillary Clinton’s presidential campaign and boost Donald Trump’s bid.
More recently, the Justice Department announced charges last autumn against GRU officers in cyberattacks that targeted a French presidential election, the Winter Olympics in South Korea and American businesses.