US, UK Officials: Russian Military Leveraging Containers in Active Hacking Campaign


Cybersecurity agencies issued an advisory with indicators of compromise and mitigation measures. 

Hackers from a Russian military unit are using automation technology to scale common password-guessing tactics and have successfully infiltrated their targets, according to a joint advisory from the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the FBI, and the United Kingdom’s National Cyber Security Centre.

“Since at least mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide,” reads the advisory released Thursday. “GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers. These efforts are almost certainly still ongoing.”

Kubernetes is an open-source system used to manage applications by packing everything needed to run them in an easily deployable image format referred to as a container. The hackers are using the system to more efficiently gain access credentials they then use to make their way further into target organizations while covering their tracks with anonymization tools like virtual private networks and The Onion Router software, or TOR.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords,” according to the NSA’s press release. “While the brute force technique is not new, the GTsSS uniquely leveraged software containers to easily scale its brute force attempts. Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various techniques also detailed in the advisory, allowed the actors to evade defenses and collect and exfiltrate various information in the networks, including mailboxes.”

The targets include government and military organizations, political consultants and party organizations, defense contractors, energy and logistics companies, think tanks, higher education institutions, law firms and media companies, particularly those in the U.S. and Europe, the agencies said.

The advisory lists specific VPNs the hackers have used in trying to shield their identity and says organizations “should consider denying all inbound activity from known TOR nodes and other public VPN services to exchange servers or portals where such access is not associated with typical use.”

But there were instances where the hackers did not use anonymization tools, according to the advisory, which lists 10 IP addresses officials identified as being associated with the Kubernetes cluster that made the brute force authentication attempts between November 2020 and March 2021.

The advisory also shares other indicators of compromise and mitigation measures beyond the commonly recommended multi-factor authentication and other zero-trust practices.

Organizations should, for example, enable time-out and lock-out features wherever password authentication is used, use CAPTCHAs to block automated attempts, automate access log audits, and consider services that check passwords against public dictionaries and reject commonly used ones.
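The following script is an added example, not code from the advisory or from this article, of what those three mitigations look like when applied to authentication logs: a per-account lockout that counts failures across many source addresses (the pattern a distributed cluster produces), a review list of successful logins from denylisted TOR-exit or public-VPN addresses, and a password check against a public dictionary. The log lines, IP addresses, denylist and dictionary are all constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Audit constructed authentication log lines for the mitigations the advisory
describes: lockout after repeated failures in a time window, review of logins
from denylisted (TOR exit / public VPN) sources, and rejection of passwords
found in a public dictionary.  Every value below is constructed for this
example and is not taken from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real traffic).
SAMPLE_LOG = """\
2021-03-01T10:00:01Z auth: FAIL user=alice src=203.0.113.10
2021-03-01T10:00:03Z auth: FAIL user=alice src=203.0.113.11
2021-03-01T10:00:05Z auth: FAIL user=alice src=203.0.113.12
2021-03-01T10:00:07Z auth: FAIL user=alice src=203.0.113.13
2021-03-01T10:00:09Z auth: FAIL user=alice src=203.0.113.14
2021-03-01T10:00:11Z auth: OK   user=alice src=203.0.113.15
2021-03-01T10:05:00Z auth: FAIL user=bob   src=198.51.100.7
2021-03-01T11:30:00Z auth: OK   user=bob   src=198.51.100.7
2021-03-01T11:45:00Z auth: OK   user=carol src=192.0.2.44
"""

# Constructed denylist standing in for a TOR-exit / public-VPN feed.
DENYLIST = {"203.0.113.15", "192.0.2.44"}

# Constructed stand-in for a public leaked-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def accounts_to_lock(events, threshold=5, window=timedelta(minutes=10)):
    """Return accounts with >= threshold failures inside any sliding window.
    Counting per account rather than per source address is what catches the
    distributed pattern where each guess arrives from a different node."""
    fails = defaultdict(list)
    for ts, outcome, user, _ in events:
        if outcome == "FAIL":
            fails[user].append(ts)
    locked = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def successes_from_denylisted(events, denylist=DENYLIST):
    """Successful logins from denylisted addresses, sorted for stable output.
    These need review even when the lockout threshold was never reached."""
    return sorted((user, src) for _, outcome, user, src in events
                  if outcome == "OK" and src in denylist)


def password_is_acceptable(password, dictionary=COMMON_PASSWORDS):
    """Reject passwords in the dictionary, ignoring case and a trailing
    digit/punctuation suffix that guessers routinely append to base words."""
    lowered = password.lower()
    base = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    return lowered not in dictionary and base not in dictionary


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("lock:", accounts_to_lock(events))
    print("review:", successes_from_denylisted(events))
    print("acceptable?", password_is_acceptable("Welcome1!"))
```

On the constructed log, alice is locked after five failures that each came from a different address, and the subsequent successful login for alice from a denylisted address is surfaced for review rather than silently accepted.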

“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” Rob Joyce, NSA’s director of cybersecurity, said in the press release. “Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”