Dive Brief:

• Federal authorities said a unit of the Russian General Staff Main Intelligence Directorate (GRU) used a Kubernetes cluster to run a massive brute force campaign against hundreds of enterprises and cloud environments in the U.S. and Europe since 2019, according to a joint advisory issued by the National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre in the U.K.
• Attackers designed the campaign to access protected data, including emails and valid account credentials, according to the advisory. Those credentials were then used to exploit known vulnerabilities in Microsoft Exchange, including CVE-2020-0688 and CVE-2020-17144 to enable remote code execution. 
• The threat actor targeted a significant portion of the campaign against entities using Microsoft Office 365 as well as other cloud services and on-premises email servers, according to the advisory. 

Dive Insight: 

The attacks appear to show a highly sophisticated threat actor, previously attributed to Fancy Bear or APT 28, using relatively conventional tactics to cut a wide swath of destruction in Western military and industrial interests. 

"Russia's campaign is yet another example of the relative ease in which attackers can gain a presence in the environment," said Jeff Barker, vice president of cybersecurity at Illusive. "Ironically it's not the breach that is the biggest challenge, rather the lateral movement and privilege escalation that enables the attacker to achieve their mission of intellectual property theft/extortion."

The advisory demonstrates that while the Russian GRU has a reputation as being extremely advanced from a tactical perspective, adversaries have for years used many of the behaviors seen in the report. Those defending their networks still have a good chance to detect these activities ahead of any long-term impact, according to Katie Nickels, director of intelligence at Red Canary.

"End users having layers of authentication beyond just a username and password to log in makes it more difficult for adversaries to gain initial access," Nickels said. 

Companies should focus on strengthening their IT systems to make sure only authorized users are able to access accounts, according to federal officials. 

"The two-year campaign by Russian military intelligence, which we believe is ongoing, highlights the need for every organization to protect their networks against password spraying and other cyberthreats," Eric Goldstein, executive assistant director for cybersecurity at CISA, said via email. "This includes enabling multifactor authentication and other proven security measures listed in our joint advisory."

CISA and its other partners will continue to share cyberthreat information designed to disrupt such activity and help organizations protect their networks, both here in the U.S. and globally, Goldstein said.

The advisory comes less than a week after Microsoft disclosed a password spraying and brute force attack attributed to Nobelium — the threat actor behind the SolarWinds campaign — that targeted its customer service agent. 

Ryan Sydlik, security engineer at Telos Corporation, agrees organizations should take steps to make it more difficult for an adversary to gain access through authentication. Beyond multifactor authentication, other preventative measures include enabling time-out/lock-out features, preventing the use of common words used in a dictionary as passwords, using CAPTCHAs and making sure to change all default credentials to something unique.