The NSA, CISA, FBI, and NCSC issued a joint report warning of a continued brute-force login campaign conducted by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165 — also known as Fancy Bear or APT28. The unit is using a Kubernetes cluster to conduct distributed and anonymized brute-force login attacks, including password spray attacks, against a wide variety of organizations. Attacks against hundreds of government and private sector entities have been documented, including educational institutions, think tanks, political groups, power and infrastructure companies, law firms, and media organizations. The report summarizes known post-exploitation TTPs and offers sample detections of limited utility based on previously identified malware and IP addresses.
If they have not already been updated, threat models need to be revised to include nation-state threat actors as possible attackers for organizations across a wide variety of industries and sizes. The documentation by these agencies illustrates that even smaller organizations may be targeted by advanced state-sponsored threat groups solely for potential information or access to higher-value targets. Mitigations for the brute-force attack include password complexity policies, multi-factor authentication (MFA), login timeouts and account lockouts, network segmentation and zero trust architectures, and denying inbound connections from anonymized networks such as commercial VPNs and the Tor network. MFA alone, if instituted across all available access routes, would be sufficient to remove the effectiveness of a brute-force campaign. However, advanced threats such as nation-state military groups have considerable resources to employ in exploiting vulnerabilities to access target networks. A proactive, robust defense-in-depth strategy, such as Binary Defense’s MDR, is necessary to maintain security in today’s threat environment.
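The distinction between a single-account brute force and a distributed password spray matters for the lockout mitigation listed above: a per-account lockout threshold stops the former, while a spray that tries each account only once or twice from many anonymized IPs never trips it. The following Python script is an added example, not code from the joint report or from Binary Defense; it runs three detections over a constructed authentication log (the log format, IP addresses and account names are all invented for illustration) and shows which rule catches which pattern.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from the advisory). One event per line:
# <ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source IP>
# Pattern 1: six failures against "admin" from one IP (classic brute force).
# Pattern 2: eight accounts, one failure each, spread over four IPs (distributed spray).
# Pattern 3: "ivan" mistypes once and then logs in (benign).
SAMPLE_LOG = """\
2021-07-01T12:00:00Z FAIL user=admin src=198.51.100.7
2021-07-01T12:00:05Z FAIL user=admin src=198.51.100.7
2021-07-01T12:00:10Z FAIL user=admin src=198.51.100.7
2021-07-01T12:00:15Z FAIL user=admin src=198.51.100.7
2021-07-01T12:00:20Z FAIL user=admin src=198.51.100.7
2021-07-01T12:00:25Z FAIL user=admin src=198.51.100.7
2021-07-01T12:01:00Z FAIL user=alice src=203.0.113.11
2021-07-01T12:01:30Z FAIL user=bob src=203.0.113.11
2021-07-01T12:02:00Z FAIL user=carol src=203.0.113.12
2021-07-01T12:02:30Z FAIL user=dave src=203.0.113.12
2021-07-01T12:03:00Z FAIL user=erin src=203.0.113.13
2021-07-01T12:03:30Z FAIL user=frank src=203.0.113.13
2021-07-01T12:04:00Z FAIL user=grace src=203.0.113.14
2021-07-01T12:04:30Z FAIL user=heidi src=203.0.113.14
2021-07-01T12:05:00Z FAIL user=ivan src=192.0.2.10
2021-07-01T12:05:10Z OK user=ivan src=192.0.2.10
"""


def parse_log(text):
    """Parse log lines into (epoch_seconds, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(when.timestamp()), result,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def _buckets(events, window):
    """Group events into fixed windows of `window` seconds, keyed by window start."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] - ev[0] % window].append(ev)
    return buckets


def account_lockouts(events, threshold=5, window=600):
    """Per-account lockout: accounts with >= threshold failures in one window.
    Catches a brute force aimed at one account; a spray touching each account
    once never reaches the threshold."""
    locked = set()
    for evs in _buckets(events, window).values():
        fails = defaultdict(int)
        for _, result, user, _ in evs:
            if result == "FAIL":
                fails[user] += 1
        locked.update(u for u, n in fails.items() if n >= threshold)
    return sorted(locked)


def per_source_spray(events, min_users=5, window=600):
    """Flag a source IP that fails against >= min_users distinct accounts in one
    window. Misses a spray spread thinly across many anonymized IPs."""
    flagged = set()
    for evs in _buckets(events, window).values():
        users = defaultdict(set)
        for _, result, user, src in evs:
            if result == "FAIL":
                users[src].add(user)
        flagged.update(s for s, u in users.items() if len(u) >= min_users)
    return sorted(flagged)


def distributed_spray(events, min_users=5, min_sources=2, max_per_user=2, window=600):
    """Fleet-wide spray indicator: many distinct accounts each failing only a
    few times, from several sources, with no later success for those accounts
    (a user who then logs in is treated as a typo, not a spray target)."""
    alerts = []
    for start, evs in sorted(_buckets(events, window).items()):
        fails = defaultdict(list)
        succeeded = set()
        for _, result, user, src in evs:
            if result == "FAIL":
                fails[user].append(src)
            else:
                succeeded.add(user)
        sprayed = {u: s for u, s in fails.items()
                   if u not in succeeded and len(s) <= max_per_user}
        sources = {src for srcs in sprayed.values() for src in srcs}
        if len(sprayed) >= min_users and len(sources) >= min_sources:
            alerts.append({"window_start": start,
                           "accounts": sorted(sprayed),
                           "sources": sorted(sources)})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockouts:", account_lockouts(evs))
    print("per-source spray:", per_source_spray(evs))
    print("distributed spray:", distributed_spray(evs))
```

On the sample log the lockout rule locks only `admin`, the per-source rule fires on nothing because no single IP touches five accounts, and only the fleet-wide rule surfaces the eight sprayed accounts and their four source IPs. The thresholds are illustrative; in production they would be tuned to the organization's normal failure rate, and the source list would be enriched with VPN and Tor exit data to support the deny-by-network mitigation the report recommends.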