The NSA, CISA, FBI, and NCSC issued a joint report warning of an ongoing brute-force login campaign conducted by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165 — also known as Fancy Bear or APT28. The unit is using a Kubernetes cluster to conduct distributed and anonymized brute-force login attacks, including password-spray attacks, against a wide variety of organizations. Attacks against hundreds of government and private-sector entities have been documented, including educational institutions, think tanks, political groups, power and infrastructure companies, law firms, and media organizations. The report summarizes known post-exploitation TTPs and offers sample detections of limited utility, based on previously identified malware and IP addresses.
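The campaign described above is a distributed, anonymized password spray, so a detection keyed only on failed logins per source IP misses it once the traffic is spread across many exit addresses. The following detector, added here as an illustration and not taken from the joint report or from any named vendor, checks both the classic per-source signal and a cross-source "many accounts, few attempts each" signal over a constructed sample authentication log (field layout, IP addresses and account names are all invented for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory): "timestamp source_ip account result".
SAMPLE_LOG = """\
2021-07-01T10:00:01 198.51.100.7 alice FAIL
2021-07-01T10:00:03 198.51.100.7 bob FAIL
2021-07-01T10:00:05 198.51.100.7 carol FAIL
2021-07-01T10:00:07 198.51.100.7 dave FAIL
2021-07-01T10:00:09 198.51.100.7 erin FAIL
2021-07-01T10:30:00 203.0.113.9 alice FAIL
2021-07-01T10:30:02 203.0.113.9 alice OK
2021-07-01T11:00:00 192.0.2.11 frank FAIL
2021-07-01T11:00:10 192.0.2.12 grace FAIL
2021-07-01T11:00:20 192.0.2.13 heidi FAIL
2021-07-01T11:00:30 192.0.2.14 ivan FAIL
2021-07-01T11:00:40 192.0.2.15 judy FAIL
"""

def parse_log(text):
    """Return (timestamp, source, account) for every failed login, in time order."""
    failures = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        if result != "OK":
            failures.append((datetime.fromisoformat(ts), src, user))
    return sorted(failures)

def windows(failures, window):
    """For each failure, the distinct accounts and sources seen within `window` after it."""
    for i, (t0, _, _) in enumerate(failures):
        hits = [(s, u) for t, s, u in failures[i:] if t - t0 <= window]
        yield {u for _, u in hits}, {s for s, _ in hits}

def detect_spray(failures, window=timedelta(minutes=10), min_accounts=5, min_sources=3):
    """Return (noisy_sources, distributed): sources that alone hit many accounts, and
    whether a spray spread across many sources (which per-source thresholds miss) occurred."""
    by_src = defaultdict(list)
    for f in failures:
        by_src[f[1]].append(f)
    noisy = {src for src, f in by_src.items()
             if any(len(a) >= min_accounts for a, _ in windows(f, window))}
    distributed = any(len(a) >= min_accounts and len(s) >= min_sources
                      for a, s in windows(failures, window))
    return noisy, distributed

if __name__ == "__main__":
    print(detect_spray(parse_log(SAMPLE_LOG)))  # ({'198.51.100.7'}, True)
```

In the sample, the 10:00 burst is caught by the per-source rule, while the 11:00 burst comes from five different addresses with one attempt each and is only surfaced by the cross-source window.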
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense