- “This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” observed John Hultquist, VP of Analysis at Mandiant Threat Intelligence.
By Brad D. Williams, Breaking Defense, July 01, 2021
The US and UK governments today revealed a cyberespionage campaign conducted by Russia that is targeting “hundreds of organizations” worldwide, with a focus on US and European governments, militaries, and defense contractors. The advisory names the Department of Defense as a known target.
“These efforts are almost certainly still going on,” warns the joint adversary issued by the NSA, CISA, and the FBI in the US, as well as the UK’s National Cyber Security Centre.
The advisory attributes the campaign to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. GRU is distinct from the Russian Foreign Intelligence Service (SVR), which the US government said was behind the SolarWinds cyberespionage campaign.
“This is a good reminder that the GRU remains a looming threat, which is especially important given the upcoming Olympics, an event they may well attempt to disrupt,” observed John Hultquist, VP of Analysis at Mandiant Threat Intelligence.
“APT28 [Mandiant’s name for this threat actor] conducts intelligence collection against these targets regularly as part of its remit as the cyber arm of a military intelligence agency,” Hultquist said. “The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry, and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns. Despite our best efforts, we are very unlikely to ever stop Moscow from spying.”
The primary purpose of this campaign appears to be cyberespionage. The advisory notes that GRU is targeting cloud-based software and services such as Microsoft Office 365 — used widely across the federal government — as well as on-premise Microsoft Exchange email servers.
A simplified cyber kill chain — the term cyber pros use to describe the methods employed to conduct a hack — based on the advisory is as follows:
- Gain initial network access via account log-ins by password brute-force cracking or spraying from a Kubernetes cluster hosted in the cloud. Kubernetes is a technology that stores cloud-based software — presumably cracking and spraying apps in this case.
- Use known vulnerabilities — CVE 2020-0688 and CVE 2020-17144 — to establish persistent access and escalate privileges, which means gaining administrative control of servers and systems.
- Move laterally across networks, gaining additional credentials and escalating privileges.
- Use cloud service accounts via valid credentials or a web shell (reGeorg variant) to maintain persistence. Web shells are malicious scripts that enable persistent access, remote code execution, adding/deleting/modifying files, moving laterally across networks, and other functions.
- Exfiltrate data, to include emails, files from local systems, files from network shared drives, and various information repositories.
The advisory notes that the threat actors are using encrypted traffic via the Tor network and virtual private networks (VPNs) to conceal activities, including data exfiltration. They are also using techniques to “live off the land,” a term that means malicious actors use legitimate tools that don’t alert security experts to conceal activities on a victim’s network.
The advisory then provides some mitigation guidance — most of which Breaking Defense readers know: Use strong account passwords, enable multifactor authentication wherever possible, apply access controls to include account time-out/lock-out, patch software, and implement zero-trust security principles as broadly as possible across networks.
This story first appeared in Breaking Defense, https://breakingdefense.com/2021/07/us-uk-warn-of-new-worldwide-russian-cyberespionage/?utm_campaign=Breaking%20News&utm_medium=email&_hsmi=137738487&_hsenc=p2ANqtz-8pxDm89wDcvBxbDB1z4_5CapEIwZr-WiUMmvc0gPDwZIsxFaTbIqTgEx4d94UtYZX9vO1nTWam6p9GQ8QCd-f8eXmpow&utm_content=137738487&utm_source=hs_email