According to a joint advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and U.K.’s National Cyber Security Centre (NCSC), hackers from the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit – widely known as Fancy Bear or APT28 – utilized Kubernetes clusters to infiltrate targets in their global brute force campaign from mid-2019 through early 2021.
The brute force technique itself is not new, according to the advisory, but the 85th GTsSS uniquely leveraged software containers to scale its brute force attempts efficiently, the agencies said.
By utilizing Kubernetes – an open-source container-orchestration system for automating computer application deployment, scaling, and management – the hackers more efficiently obtained credentials and used them to gain further access into their target organizations. They also used anonymization tools, such as virtual private networks (VPNs), to cover their tracks. This allowed the hackers to evade defenses and to collect and exfiltrate various information from the networks, including mailboxes, the security agencies said.
The 85th GTsSS targeted many organizations using Microsoft Office 365 cloud services, but they also targeted other service providers and on-premises email servers. They have already targeted hundreds of U.S. and foreign organizations worldwide. Targets include government and military organizations, political consultants and party organizations, defense contractors, energy and logistics companies, think tanks, higher education institutions, law firms, and media companies globally, particularly those located in the U.S. and Europe.
According to an NSA press release, this lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing on a global scale. Therefore, network managers should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.
The advisory shared other indicators of compromise and mitigation measures beyond multi-factor authentication and other zero-trust practices to combat these malicious actors. Additionally, the agencies said organizations should implement a zero-trust security model that uses additional attributes when determining access, along with analytics to detect anomalous access. Network managers also should enable time-out and lock-out features where password authentication is required, and use CAPTCHAs to deny automated attempts.
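As an added example (not code from the advisory or the article), the following shows the two detections behind the mitigations above run over constructed sign-in records: per-account lock-out on repeated failures, and the complementary check for one source failing against many accounts, which a per-account lock-out alone does not catch. The CSV layout, thresholds, and function names are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp,user,source_ip,result); layout is assumed.
SAMPLE_LOG = """\
2021-03-01T10:00:01,alice,203.0.113.5,FAIL
2021-03-01T10:00:09,alice,203.0.113.5,FAIL
2021-03-01T10:00:17,alice,203.0.113.5,FAIL
2021-03-01T10:00:25,alice,203.0.113.5,FAIL
2021-03-01T10:00:33,alice,203.0.113.5,FAIL
2021-03-01T10:01:00,bob,198.51.100.7,FAIL
2021-03-01T10:01:05,carol,198.51.100.7,FAIL
2021-03-01T10:01:10,dave,198.51.100.7,FAIL
2021-03-01T10:30:00,alice,192.0.2.10,SUCCESS
"""

def parse_log(text):
    """Parse the CSV lines into (datetime, user, ip, result) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def _failures_by(events, key):
    """Group failed logins by user (key=1) or by source IP (key=2)."""
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            groups[ev[key]].append(ev)
    return groups

def _windows(evs, window):
    """Yield the sliding time window of events ending at each event."""
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        yield evs[start:end + 1]

def lockout_candidates(events, max_failures=5, window=timedelta(minutes=10)):
    """Users reaching max_failures failed logins inside one window: what a lock-out policy disables."""
    return {user for user, evs in _failures_by(events, 1).items()
            if any(len(w) >= max_failures for w in _windows(evs, window))}

def spray_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs whose failures touch min_accounts distinct users in one window:
    the few-tries-per-account spray pattern that per-account lock-out misses."""
    return {ip for ip, evs in _failures_by(events, 2).items()
            if any(len({e[1] for e in w}) >= min_accounts for w in _windows(evs, window))}
```

Because the campaign routed attempts through VPNs and other anonymizers, the source-based check should be read as one signal among several rather than a complete detection.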