The NSA issued a warning today that the Russian GRU unit known as APT 28 or Fancy Bear, the GRU 85th Main Special Service Center (GTsSS), continues an ongoing effort to break into US industry. Several industries are targeted in this ongoing attack, including government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks. The attack is now being launched at scale. "Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various techniques also detailed in the advisory, allowed the actors to evade defenses and collect and exfiltrate various information in the networks, including mailboxes."
FORT MEADE, Md. – The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) released a Cybersecurity Advisory today exposing malicious cyber activities by Russian military intelligence against U.S. and global organizations, starting from mid-2019 and likely ongoing. This advisory is being released as part of NSA’s routine and continuing cybersecurity mission to warn network defenders of nation state threats.
“Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments” details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks and then move internally inside of the target. The advisory reveals the tactics, techniques, and procedures (TTPs) GTsSS actors used in their campaign to exploit targeted networks, access credentials, move laterally, and collect and exfiltrate data. It also arms system administrators with the mitigations needed to counter this threat.
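The campaign described above starts with brute-force guessing and turns into intrusion the moment a guessed credential succeeds. The following detection logic is an added example written for this summary, not code from the advisory or the agencies that issued it; it runs over constructed sign-in log lines in an assumed `src=… user=… result=…` format and flags (a) sources that try many distinct accounts, the signature of a spray, and (b) a successful login from a source that had already been guessing across accounts.

```python
import re
from collections import defaultdict

# Constructed sample sign-in log lines (not from the advisory), one attempt per line.
# Assumed format: "<timestamp> src=<ip> user=<account> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2021-06-30T01:00:01Z src=203.0.113.7 user=alice@example.org result=FAIL
2021-06-30T01:00:09Z src=203.0.113.7 user=bob@example.org result=FAIL
2021-06-30T01:00:17Z src=203.0.113.7 user=carol@example.org result=FAIL
2021-06-30T01:00:25Z src=203.0.113.7 user=dave@example.org result=FAIL
2021-06-30T01:00:33Z src=203.0.113.7 user=erin@example.org result=SUCCESS
2021-06-30T01:02:00Z src=198.51.100.4 user=frank@example.org result=FAIL
2021-06-30T01:02:30Z src=198.51.100.4 user=frank@example.org result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_password_spray(events, min_accounts=4):
    """Return {src: sorted accounts} for sources that tried >= min_accounts distinct accounts.
    A spray tries one password against many accounts, so it shows up as breadth of
    users per source even when each account sees only a single failure."""
    users_per_src = defaultdict(set)
    for e in events:
        users_per_src[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users_per_src.items() if len(u) >= min_accounts}


def find_success_after_spray(events, min_accounts=4):
    """Return (src, user) pairs where a source that had already attempted >= min_accounts
    distinct accounts then authenticated successfully: the point at which a guessed
    credential becomes a valid one. Assumes events are in time order."""
    hits = []
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS" and len(seen[e["src"]]) >= min_accounts:
            hits.append((e["src"], e["user"]))
        seen[e["src"]].add(e["user"])
    return hits
```

The second check is the one worth alerting on: a single success at the end of a spray is the credential that is subsequently combined with server-side vulnerabilities for deeper access.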
According to Recorded Future, "In particular, the agencies said that APT28 used the compromised account credentials in conjunction with exploits for Microsoft Exchange servers like CVE-2020-0688 and CVE-2020-17144, combining the two to gain access to internal email servers."
Fancy Bear targets a wide range of industries
The advisory warns system administrators that exploitation is almost certainly ongoing. Targets have been global, but primarily focused on the United States and Europe. Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.
Full Release and description of targets and tactics: