The US National Security Agency (NSA) warns that Russian state-backed hackers are conducting mass attacks on American networks in an attempt to steal sensitive email and files.
The National Security Agency revealed today that a GRU unit, the 85th Main Special Service Centre (GTsSS), military unit 26165, better known as APT28, is using a Kubernetes cluster to carry out password spray attacks on US and foreign entities, among them US government and Department of Defense agencies. The targeted organizations vary widely and include political parties, military organizations, universities, think tanks, and media and energy companies.
“GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers,” says the NSA advisory.
The attacks target the accounts used to access corporate networks, and the attackers rely on cloud services such as Microsoft 365 to gain initial access.
“The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing.”
As part of their campaigns, the attackers also exploit known vulnerabilities, such as Microsoft Exchange CVE-2020-0688 and CVE-2020-17144. Once inside a network, they move laterally and install a reGeorg web shell, which lets them steal files and collect credentials.
As the attackers gain further access to the credentials, they can exfiltrate sensitive data from Office 365 inboxes.
The Kubernetes cluster hides the origin of its attacks by routing the brute force attempts through anonymizing services such as Tor and commercial VPNs (CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN).
However, the NSA says that from November 2020 to March 2021 the attackers did not use anonymization services, which allowed researchers to obtain the following IP addresses used by GTsSS’ Kubernetes cluster:
158.58.173[.]40 185.141.63[.]47 185.233.185[.]21 188.214.30[.]76 195.154.250[.]89 93.115.28[.]161 95.141.36[.]180 77.83.247[.]81 192.145.125[.]42 193.29.187[.]60
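Added detection example, not part of the article or the NSA advisory: a Python script that flags the password-spray shape in sign-in records (one source IP failing against many distinct accounts within a short window, as opposed to one account hammered repeatedly) and cross-checks the source against the advisory addresses quoted above. The log line format and the sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Defanged source addresses exactly as quoted from the advisory above; "[.]" is refanged to "."
ADVISORY_IOCS = ("158.58.173[.]40 185.141.63[.]47 185.233.185[.]21 188.214.30[.]76 "
                 "195.154.250[.]89 93.115.28[.]161 95.141.36[.]180 77.83.247[.]81 "
                 "192.145.125[.]42 193.29.187[.]60")
IOC_IPS = frozenset(tok.replace("[.]", ".") for tok in ADVISORY_IOCS.split())
# Constructed sample sign-in records (assumed format, not real logs): "<time> <src ip> <user> <result>"
SAMPLE_LOG = """\
2021-03-02T10:00:05Z 158.58.173.40 alice@corp.example FAILURE
2021-03-02T10:00:09Z 158.58.173.40 bob@corp.example FAILURE
2021-03-02T10:00:14Z 158.58.173.40 carol@corp.example FAILURE
2021-03-02T10:00:20Z 158.58.173.40 dave@corp.example FAILURE
2021-03-02T10:00:31Z 158.58.173.40 erin@corp.example FAILURE
2021-03-02T10:00:44Z 158.58.173.40 frank@corp.example SUCCESS
2021-03-02T10:01:00Z 203.0.113.9 bob@corp.example FAILURE
2021-03-02T10:01:03Z 203.0.113.9 bob@corp.example FAILURE
2021-03-02T10:01:07Z 203.0.113.9 bob@corp.example FAILURE
"""
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (FAILURE|SUCCESS)$")

def parse_log(text):
    """Yield (timestamp, ip, user, result); lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)
def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failures span >= min_users distinct accounts inside any `window`.
    Each alert also lists accounts that did authenticate from that source (a possible hit)
    and whether the source is one of the advisory's published addresses."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            fails[ip].append((ts, user))
        else:
            wins[ip].add(user)
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):  # sliding window over time-ordered failures
            best = max(best, len({u for t, u in attempts[i:] if t - start <= window}))
        if best >= min_users:
            alerts[ip] = {"distinct_users": best, "known_ioc": ip in IOC_IPS,
                          "successful_logins": sorted(wins[ip])}
    return alerts
```

Running `detect_spray(parse_log(SAMPLE_LOG))` flags only 158.58.173.40 (five accounts in under a minute, matching the advisory list, with one later success worth investigating); 203.0.113.9 is three failures against a single account and is not reported as a spray.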
A complete list of known TTPs, including a YARA rule to detect the reGeorg web shell, can be found in the NSA’s cybersecurity advisory.