UPDATED 21:57 EDT / JULY 01 2021

SECURITY

Authorities warn of Russian ‘Fancy Bear’ group’s brute-force attack campaign

Authorities in the U.S. and the U.K. today issued a new alert warning that a Russian hacking group is conducting a campaign of brute-force attacks to gain access to networks and steal data.

The alert, issued jointly by the U.S. National Security Agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the U.K. National Cyber Security Centre, attributes the campaign to Russian military intelligence. The group behind it, the 85th Main Special Service Center (GTsSS) of the Russian General Staff Main Intelligence Directorate, or GRU, is best known as Fancy Bear but also goes by names including APT28 and Strontium.

According to the accompanying advisory, the group has been using a Kubernetes cluster to conduct widespread, distributed and anonymized brute-force login attempts against hundreds of government and private-sector targets worldwide. Spreading the attempts across many containers and anonymizing their source keeps the volume seen from any single address low, which is what lets the campaign slip past per-source rate limits and account lockouts. Much of the activity has targeted organizations using Microsoft Corp.’s Office 365 cloud services, although the alert notes that the group is also going after other service providers and on-premises email servers over a variety of protocols.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords,” the alert noted. “While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts.”

Along with brute-forcing credentials, the actors are exploiting publicly known vulnerabilities, including two in unpatched Microsoft Exchange servers tracked as CVE-2020-0688 and CVE-2020-17144. Both are remote code execution bugs that require valid credentials to exploit, which is why they pair naturally with accounts obtained by brute force. They are different from the ProxyLogon vulnerabilities at the center of the March campaign against Exchange servers by Chinese hackers, which prompted the formation of an emergency task force.

Once they have remote code execution and a foothold, the actors rely on well-known tactics, techniques and procedures to move laterally, evade defenses and collect additional information within the targeted network.

“Network managers should adopt and expand usage of multifactor authentication to help counter the effectiveness of this capability,” the alert noted. “Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access and analytics to detect anomalous accesses.”
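The advisory's point that scaling brute-force attempts across many containers defeats per-source controls, and its call for analytics that detect anomalous accesses, can be made concrete with a small detection script. The following is an added example written for this page, not code from the advisory, the agencies or SiliconANGLE. It builds a constructed JSON-lines sign-in log for a hypothetical tenant example.com (the error codes mirror Azure AD's 0 for success and 50126 for invalid username or password, but every event is invented), then runs three rules over it: a classic per-IP password-spray rule, which the distributed campaign evades; a tenant-wide rule that aggregates failures across source addresses sharing a user agent; and a "credential found" rule that flags a success from an address that had just failed against other accounts. The window sizes and thresholds are assumptions to tune against real data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = 0                 # Azure AD-style result code for a successful sign-in
FAIL_INVALID_CREDS = 50126  # Azure AD-style "invalid username or password"


def _make_sample_log():
    """Build a constructed JSON-lines sign-in log for the hypothetical tenant example.com."""
    base = datetime(2021, 7, 1, 2, 0, 0)
    rows = [{"ts": base, "user": "alice@example.com", "ip": "198.51.100.10",
             "code": SUCCESS, "ua": "Mozilla/5.0"}]          # legitimate sign-in
    accounts = [f"user{i:02d}@example.com" for i in range(20)]
    for n in range(10):                     # ten "pods", each with its own egress IP
        for j in range(2):                  # each IP tries only two accounts, once each
            rows.append({"ts": base + timedelta(seconds=20 * (2 * n + j)),
                         "user": accounts[2 * n + j], "ip": f"203.0.113.{n + 1}",
                         "code": FAIL_INVALID_CREDS, "ua": "python-requests/2.25.1"})
    # A second guess against one account succeeds: the attacker found a valid credential.
    rows.append({"ts": base + timedelta(seconds=400), "user": "user13@example.com",
                 "ip": "203.0.113.7", "code": SUCCESS, "ua": "python-requests/2.25.1"})
    return "\n".join(json.dumps({**r, "ts": r["ts"].isoformat()}) for r in rows)


SAMPLE_LOG = _make_sample_log()  # constructed data, not a real log


def parse_log(text):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def _tumbling_windows(events, window):
    """Group events into fixed-size windows measured from the first event."""
    if not events:
        return {}
    t0 = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - t0) / window)].append(e)
    return buckets


def per_ip_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Classic rule: one source IP failing against many distinct accounts in a window."""
    flagged = set()
    for bucket in _tumbling_windows(events, window).values():
        users_by_ip = defaultdict(set)
        for e in bucket:
            if e["code"] != SUCCESS:
                users_by_ip[e["ip"]].add(e["user"])
        flagged.update(ip for ip, users in users_by_ip.items() if len(users) >= min_accounts)
    return flagged


def distributed_spray(events, window=timedelta(minutes=10), min_accounts=10,
                      min_ips=5, max_accounts_per_ip=4):
    """Tenant-wide rule keyed on user agent: many accounts failing across many IPs
    while every individual IP stays below the per-IP threshold."""
    findings = []
    for idx, bucket in sorted(_tumbling_windows(events, window).items()):
        users_by_ua_ip = defaultdict(lambda: defaultdict(set))
        for e in bucket:
            if e["code"] != SUCCESS:
                users_by_ua_ip[e["ua"]][e["ip"]].add(e["user"])
        for ua, by_ip in users_by_ua_ip.items():
            accounts = set().union(*by_ip.values())
            if (len(accounts) >= min_accounts and len(by_ip) >= min_ips
                    and max(len(u) for u in by_ip.values()) <= max_accounts_per_ip):
                findings.append({"window": idx, "ua": ua, "ips": len(by_ip),
                                 "accounts": len(accounts)})
    return findings


def credential_found(events, min_prior_accounts=2):
    """Successes from an IP that earlier failed against several accounts: a guessed password."""
    failed_by_ip = defaultdict(set)
    hits = []
    for e in events:  # time-ordered, so "earlier" is simply "already seen"
        if e["code"] != SUCCESS:
            failed_by_ip[e["ip"]].add(e["user"])
        elif len(failed_by_ip[e["ip"]]) >= min_prior_accounts:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP rule flagged:", per_ip_spray(ev) or "nothing")
    print("distributed rule:", distributed_spray(ev))
    print("credential found:", credential_found(ev))
```

Run against the constructed log, the per-IP rule flags nothing, because no single address crosses five accounts; the aggregate rule sees twenty accounts failing from ten addresses under one automation user agent, and the third rule singles out the one success that followed failures from the same address. The same shape applies to on-premises mail protocols, provided the server logs source address and result per attempt.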

Photo: quinnanya/Flickr
