wordpress blog stats
Connect with us

Hi, what are you looking for?

NSA claims Russia used ‘brute force’ hacking methods to target govt organisations; Russia denies allegations

Since brute force capabilities allow access to protected data like account credentials, using multi-factor authentication is one way of mitigating such a cyber attack.

Intelligence and security agencies from the United States of America and the United Kingdom claimed that Russia conducted cyberattacks to compromise enterprise and cloud environments including that of Microsoft from mid-2019 through early 2021. Since then, Russia has denied the claims published in a report by the USA’s National Security Agency and others.

The report “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments” said that since at least mid-2019 through early 2021, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct brute force access attempts against hundreds of government and private sector targets all over the world. The attacks were perpetrated by using Microsoft Office 365 cloud services, but the report added that it also targeted other service providers.

The other investigating agencies involved in the fabrication of the report were the USA’s Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the United Kingdom’s National Cyber Security Centre.

How do such cyber attacks happen?

  • This brute force capability would allow the 85th GTsSS actors to access protected data, including email, and identify valid account credentials.
  • These credentials may have then been used for access, persistence, privilege escalation, and defence evasion.
  • The actors could have exploited publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144, for remote code execution and further access to target networks.
  • After gaining remote access, many well-known tactics, techniques, and procedures (TTP) could have been combined to move laterally, evade defences, and collect additional information within target networks.

Who were the targets of these attacks?

The report claimed that hundreds of U.S. and foreign organisations worldwide, including the US government and Department of Defense entities were targeted in the attack. Types of targeted organisations include:

  • Government and military organisations
  • Political consultants and party organisations
  • Defence contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

How to mitigate this particular cyber attack?

According to the report —

  • Use multi-factor authentication with strong factors that require regular re-authentication
  • Enable time-out and lock-out features whenever password authentication is needed.
  • Use services that deny the application of commonly used passwords
  • Utilise captchas to hinder automated access attempts.
  • Change all default credentials and disable protocols that use weak authentication
  • Employ appropriate network segmentation and restrictions to limit access
  • Use automated tools to audit access logs for security concerns and identify anomalous access requests.

Russia denies involvement in cyber attacks

The Russian Embassy in the United States has rejected the alleged involvement of the Russian authorities in the cyberattacks perpetrated against government and private facilities.

“We strictly deny the involvement of Russian government agencies in attacks on government and private facilities in the United States and abroad. We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime. A wide range of law enforcement instruments is used for its implementation,” the Russian embassy wrote on its Facebook page late Thursday.

Advertisement. Scroll to continue reading.

“We hope that the American side will abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security, and in this context, on joint efforts to combat cybercrime. Besides, it’s high time to put things in order on the American soil, from where constant attacks on critical infrastructure in Russia emerge — Russian Embassy

Indian CERT issued a similar advisory on Kubernetes exploitation

On June 14, the Indian Computer Emergency Response Team (CERT-IN) said that a new category of malware is targeting misconfigured Kubernetes clusters through Windows containers to compromise cloud environments.

“The malware variant gains initial access by exploiting vulnerabilities in common cloud applications or a vulnerable web page or database and then utilises windows container escape techniques, executes code on the underlying node and then spreads in poorly configured Kubernetes clusters to open a backdoor in order to run/deploy malicious containers,” the Indian CERT said in an advisory.

Although the NSA report and the Indian CERT advisory contain some similarities, it is not clear whether they are the same exploits, and the latter does not make a mention of any country perpetrating the attacks.

Proactively monitor for anomalies, says expert

Smith Gonsalves, the Director of CyberSmithSECURE, a security firm providing VAPT & red teaming Security services said that enterprises should ensure that all their public-facing web application & API endpoints should be proactively monitored for anomalies along with routing all the client-side requests through a web application firewall.

“It is also important to watch for an indicator of compromise (IOC) and share the necessary (information) among the relevant security groups of companies to ensure blocking of the same. Also, it is advised that companies whose code execution vulnerabilities aren’t fixed seem to be an easy target. Therefore, vulnerability mitigation and penetration testing should be taken forward on a priority basis to mitigate the risk,” Gonsalves added.

Also read

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

News

The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.

News

In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?

News

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.

News

The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ