

Russian Intelligence Services Conducting Global Brute Force Campaign, UK and U.S. Agencies Warn

Russian intelligence services are engaging in a global brute force campaign to penetrate government and private sector networks. The campaign began in mid-2019 and is ongoing, according to a joint cybersecurity advisory issued Thursday.

Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) is behind the campaign, which has targeted hundreds of U.S. and foreign organizations, the U.S. National Security Agency (NSA) said in a press release. GTsSS is also known in the private sector as Fancy Bear, APT28, Strontium, and other names.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords,” the NSA said. “While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts.”

The GTsSS found valid credentials and then combined them with other publicly known vulnerabilities to gain access to victim networks. This allowed the GTsSS to bypass network defenses and collect and exfiltrate information from victim networks.

“Targets have been global, but primarily focused on the United States and Europe,” according to the NSA. “Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.”

GTsSS, also known as Fancy Bear, was behind the Democratic National Committee and Clinton campaign compromises in 2016, as well as the intrusion into the Olympic International Organization Committee and the Worldwide Anti-Doping Agency. In an interview with WIRED, however, Mandiant Vice President John Hultquist said the brute force campaign is likely tied to traditional espionage.

“These intrusions don’t necessarily presage the shenanigans that we think of when we think of the GRU,” Hultquist said. “It’s a good reminder that GRU is still out there, carrying out this kind of activity, and it appears to be focused on more classic espionage targets like policymakers, diplomats, and the defense industry.” 

The UK National Cyber Security Centre (NCSC) joined the U.S. NSA, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI in issuing the warning about Russia’s activity and pushing out advice for network defenders to protect their systems.

Included were recommendations to adopt and expand multi-factor authentication, create strong access controls that include time-out and lock-out features, implement a Zero Trust security model, and mandate the use of strong passwords.

“Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use,” the advisory said.