A group of top agencies in the United States and United Kingdom on Thursday warned of an ongoing campaign by Russian government-backed hackers using “brute force” hacking techniques to target hundreds of organizations around the world.
The FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.K.’s National Cyber Security Centre issued a joint advisory outlining the hacking campaign, ongoing since 2019 and carried out by the Russian General Staff Main Intelligence Directorate (GRU).
The GRU, an advanced persistent threat organization, has used what the agencies described as “brute force access attempts” against the targeted organizations over the past two years.
The hundreds of organizations targeted by the hacking efforts are primarily based in the United States and Europe. They include government and military agencies, such as the U.S. Department of Defense, along with political groups, think tanks, defense contractors, energy companies, logistics companies, media outlets, law firms and higher education institutions.
The hackers were able to access account credentials, such as email logins, for these groups and according to the advisory use them for “a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.”
“After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks,” the advisory warns.
The same Russian hackers have been linked to hacking into Democratic National Committee’s networks ahead of the 2016 U.S. presidential election, and more recently to targeting pharmaceutical companies and COVID-19 vaccine researchers during the pandemic.
John Hultquist, the vice president of analysis at cybersecurity group FireEye’s Mandiant Threat Intelligence, said in a statement provided to The Hill on Thursday that the Russian hacking group involved “conducts intelligence collection against these targets regularly as part of its remit as the cyber arm of a military intelligence agency.”
“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” Hultquist said.
The new advisory was issued on the heels of escalating cyberattacks on critical U.S. organizations either linked to the Russian government or to Russian-speaking cyber criminals likely being harbored by the nation, raising U.S.-Russian tensions.
The SolarWinds hack, discovered in December, involved Russian government-backed hackers exploiting a software update from IT group SolarWinds to compromise its customers, which included nine federal agencies and 100 private sector groups.
More recently, ransomware attacks on Colonial Pipeline, which provides 45 percent of the East Coast’s fuel supply, and on JBS USA, the nation’s largest provider of beef, were linked by the FBI to Russian cyber criminals.
President Biden levied sanctions on Russia in April for both the SolarWinds hack and efforts to interfere in U.S. elections, and raised both this attack and ransomware concerns with Russian President Vladimir Putin during their in-person summit in Switzerland last month. Biden has also publicly warned that he will take further steps against the Russian government if the hacking activity continues.
Despite these steps, Russia remains a key threat actor in cyberspace, alongside other nations including China, Iran and North Korea.
“Despite our best efforts we are very unlikely to ever stop Moscow from spying,” Hultquist noted.