Case Studies

Russian malicious cyber activities

by Mark Rowe

The authorities in the United States and UK, namely the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC), have released a ‘Cybersecurity Advisory’ on malicious cyber activities by Russia.

“Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments” points to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The document sets out how Russian military intelligence, from at least mid-2019 until early 2021, targeted hundreds of organisations using brute force access to penetrate government and private sector networks. The advisory covers the tactics, techniques, and procedures (TTPs) GTsSS actors used in their campaign to exploit targeted networks, access credentials, move laterally, and collect and exfiltrate data. The Russians’ aim was to evade cyber defences and to collect and exfiltrate various information from the networks, including mailboxes.

The NCSC has published advice for defending against such attacks, covering MFA (multi-factor authentication) for online services; and password administration for system owners.

Visit NSA.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/.

Comment

Tom Jermoluk, CEO of Beyond Identity says: “Russian GRU agents and other state actors like those involved in SolarWinds – and a range of financially motivated attackers (e.g., ransomware) – all use the same ‘password spraying’ brute force techniques. Why? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends ‘mandating the use of stronger passwords’. The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying ‘strong passwords’. The government went on to recommend a ‘Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses’. This sage advice requires a move to strong, continuous authentication. It also requires organisations to eliminate passwords because they are so completely compromised that you simply cannot achieve Zero Trust with them.”
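A detection-side illustration, added here and not part of the advisory or of this article: a small Python script that separates the password-spraying pattern described above (a few failures each against many accounts, staying under per-account lockout thresholds) from single-account brute force, and flags any success from a spraying source as a likely hit. The log format, the sample lines and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data):
# "<timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2021-03-01T09:00:01 10.0.0.5 alice FAIL
2021-03-01T09:00:02 10.0.0.5 bob FAIL
2021-03-01T09:00:03 10.0.0.5 carol FAIL
2021-03-01T09:00:04 10.0.0.5 dave FAIL
2021-03-01T09:00:05 10.0.0.5 erin FAIL
2021-03-01T09:00:06 10.0.0.5 frank OK
2021-03-01T09:01:00 192.0.2.9 alice FAIL
2021-03-01T09:01:01 192.0.2.9 alice FAIL
2021-03-01T09:01:02 192.0.2.9 alice FAIL
2021-03-01T09:01:03 192.0.2.9 alice FAIL
2021-03-01T09:01:04 192.0.2.9 alice FAIL
2021-03-01T09:02:00 10.0.0.7 alice FAIL
2021-03-01T09:02:05 10.0.0.7 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_auth_log(text):
    """Parse log lines into (timestamp, source, user, result); skip malformed lines."""
    return [m.groups() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def classify_sources(records, spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=5):
    """Per source IP, label the failure pattern (thresholds are assumed values):
    'spray' - few failures each against many distinct accounts (never trips
              per-account lockout, which is why the technique works);
    'brute' - many failures against a single account.
    Any success from a flagged source is reported as a likely hit."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    oks = defaultdict(set)                          # src -> users that logged in
    for _ts, src, user, result in records:
        if result == "FAIL":
            fails[src][user] += 1
        else:
            oks[src].add(user)
    findings = {}
    for src, per_user in fails.items():
        if len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
            kind = "spray"
        elif len(per_user) == 1 and max(per_user.values()) >= brute_min_attempts:
            kind = "brute"
        else:
            continue  # ordinary typo-then-success traffic, e.g. 10.0.0.7
        findings[src] = {"kind": kind, "accounts": sorted(per_user), "hits": sorted(oks[src])}
    return findings

if __name__ == "__main__":
    for src, finding in classify_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

In the sample, 10.0.0.5 is reported as a spray with a hit on `frank`, 192.0.2.9 as brute force against `alice`, and 10.0.0.7 is not reported.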

For more on the SolarWinds cyber breach and US President Joe Biden’s work so far on cyber see the July print edition of Professional Security magazine.
