Russian military hackers are brute forcing passwords in political cyber campaign

Joint UK/US report says GRU-linked attacks are mainly directed at organisations that use Microsoft 365

Hackers with links to Russia's military intelligence agency are currently engaged in a global campaign that is targeting prominent organisations in the US and Europe, including government entities, energy firms, media houses, think tanks and political parties.

That's according to an advisory [pdf] published jointly on Thursday by the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the UK's National Cyber Security Centre (NCSC).

In the advisory, officials accuse Unit 26165 of Russia's GRU of being engaged in a global cyber-espionage campaign that is attempting to target 'hundreds' of American and European entities through brute-force attacks.

The purpose of these attacks is to steal sensitive information from the victims, it adds.

The campaign is almost certainly ongoing, according to officials, with hackers using automation techniques to scale up common password-guessing tactics.

The attacks are mainly directed at organisations that use Microsoft 365 cloud services.

On its website the NCSC says: "Global targets include government and military, defence contractors, energy companies, higher education, logistics, law firms, media, political consultants or political parties and think tanks."

As part of the campaign, the threat actors were observed trying to take over user accounts by repeatedly submitting candidate passwords until one was accepted.

"Since at least mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymised brute force access attempts against hundreds of government and private sector targets worldwide," the advisory says.

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defence evasion."

In September 2020, Microsoft said it had tracked hackers attempting to compromise passwords belonging to tens of thousands of accounts at about 200 entities, many of which were involved in the UK and US elections.

The attacks represented a potential election security threat ahead of the 2020 Presidential elections in the US, the company warned at the time.

The latest advisory did not mention any specific victims or reveal what kind of data may have been stolen by hackers. However, it advised organisations to "adopt and expand" protective techniques, including mandatory use of strong passwords, multi-factor authentication, and blocking all incoming internet traffic from Tor and commercial VPN services, to safeguard confidential data from threat actors.
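The advisory describes distributed, anonymised password guessing against Microsoft 365 accounts and recommends blocking Tor and commercial VPN sources. The script below is an added example, not code from the advisory or the agencies, of the detection a defender would run over sign-in logs to spot the two shapes that guessing takes: a "spray" (one source, one guess each against many accounts, which never trips per-account lockout) and a classic brute force (many guesses against one account). The sign-in records and the Tor/VPN CIDR ranges are constructed for the example; a real deployment would read the tenant's sign-in logs and a maintained anonymiser feed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records shaped like Microsoft 365 / Azure AD sign-in
# events: (UTC timestamp, user principal name, source IP, result).
# They are made up for this example, not taken from the advisory.
SAMPLE_SIGNINS = [
    # One source address trying one guess each against many accounts (spray).
    ("2021-06-30T02:00:01Z", "alice@example.org", "198.51.100.7", "failure"),
    ("2021-06-30T02:00:04Z", "bob@example.org", "198.51.100.7", "failure"),
    ("2021-06-30T02:00:07Z", "carol@example.org", "198.51.100.7", "failure"),
    ("2021-06-30T02:00:10Z", "dave@example.org", "198.51.100.7", "failure"),
    ("2021-06-30T02:00:13Z", "erin@example.org", "198.51.100.7", "failure"),
    ("2021-06-30T02:00:16Z", "frank@example.org", "198.51.100.7", "success"),
    # Another address hammering a single account (classic brute force).
    ("2021-06-30T03:10:00Z", "grace@example.org", "203.0.113.9", "failure"),
    ("2021-06-30T03:10:02Z", "grace@example.org", "203.0.113.9", "failure"),
    ("2021-06-30T03:10:04Z", "grace@example.org", "203.0.113.9", "failure"),
    ("2021-06-30T03:10:06Z", "grace@example.org", "203.0.113.9", "failure"),
    ("2021-06-30T03:10:08Z", "grace@example.org", "203.0.113.9", "failure"),
    ("2021-06-30T03:10:10Z", "grace@example.org", "203.0.113.9", "failure"),
    # Ordinary activity: a typo followed by a successful login from the office.
    ("2021-06-30T08:00:00Z", "heidi@example.org", "192.0.2.5", "failure"),
    ("2021-06-30T08:00:09Z", "heidi@example.org", "192.0.2.5", "success"),
]

# Hypothetical CIDR ranges standing in for Tor exit nodes and commercial VPN
# egress; a real deployment would load a maintained feed instead.
ANONYMISER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def from_anonymiser(ip):
    """True if the address falls inside a listed Tor/VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMISER_RANGES)


def detect_spray(signins, min_accounts=5):
    """Source IPs whose failures span at least min_accounts distinct users.

    A spray touches many accounts with few guesses each, so per-account
    lockout thresholds never trip; counting distinct accounts per source
    address catches it. Returns {ip: sorted list of targeted accounts}.
    """
    targets = defaultdict(set)
    for _, user, ip, result in signins:
        if result == "failure":
            targets[ip].add(user)
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= min_accounts}


def detect_bruteforce(signins, max_failures=5):
    """(account, source IP) pairs with more than max_failures failed attempts."""
    counts = defaultdict(int)
    for _, user, ip, result in signins:
        if result == "failure":
            counts[(user, ip)] += 1
    return {key: n for key, n in counts.items() if n > max_failures}


def successes_from(signins, suspicious_ips):
    """Successful sign-ins from a flagged source: the credentials to reset first."""
    return [(user, ip) for _, user, ip, result in signins
            if result == "success" and ip in suspicious_ips]


def analyse(signins):
    """Run both detectors and report which flagged sources are anonymisers."""
    spray = detect_spray(signins)
    brute = detect_bruteforce(signins)
    suspicious = set(spray) | {ip for _, ip in brute}
    return {
        "spray": spray,
        "bruteforce": brute,
        "compromised": successes_from(signins, suspicious),
        "anonymiser_sources": sorted(ip for ip in suspicious if from_anonymiser(ip)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SIGNINS).items():
        print(key, value)
```

On this sample the spray detector flags 198.51.100.7 for failing against five distinct accounts, the brute-force detector flags the six failures against grace from 203.0.113.9, and the one success from a flagged source (frank) is the account to reset and review first. Heidi's single typo from the office range is not reported. The thresholds are starting points; tune them to the tenant's normal failure rate, and note that a spray spread across a Kubernetes-style fleet of source addresses, as the advisory describes, needs the distinct-account count taken per subnet or per anonymiser feed rather than per single IP.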

The latest advisory from cyber security agencies comes more than two months after the US Treasury Department sanctioned six Russian technology firms in April for aiding government hackers engaged in "dangerous and disruptive cyber attacks".

The Department alleged that these firms were developing infrastructure and tools, providing expertise, and carrying out malicious cyber activities on behalf of the Kremlin's intelligence services.

In April, the US also formally named Russia's Foreign Intelligence Service (SVR) as the perpetrator of the cyber espionage campaign that exploited the SolarWinds Orion platform and other IT infrastructures in the US.

The White House said the US intelligence community has high confidence that the SVR, whose hacking activity is tracked under names including Cozy Bear, APT29, Nobelium and The Dukes, was behind the SolarWinds attacks.