Posted on July 3, 2021 at 5:59 PM
One of the most recent attacks by Russian threat actors was the SolarWinds campaign, which resulted in significant losses. The campaign also brought to light some of the sophisticated techniques these hackers employ for espionage.
Even after the SolarWinds attack, Russian threat actors remain active and continue to look for loopholes they can exploit to spy on various institutions. The hackers use sophisticated tools to find any vulnerability they can exploit to gain information about the US and other global institutions.
A warning of a brute-force intrusion
On July 1, the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency and the UK’s National Cybersecurity Centre warned of attempted brute-force attacks through a joint advisory. The attacks happening worldwide were attributed to Unit 26165 of Russia’s GRU military intelligence agency, popularly known as Fancy Bear.
Fancy Bear's attacks have targeted government organizations, military bodies, defence contractors, political parties, logistics firms, energy institutions, education institutions, law firms, press companies and more. The range of targets covers almost every kind of institution that connects to the internet.
Fancy Bear appears to have set aside sophisticated techniques and is now using basic strategies against these organizations, namely guessing login credentials and passwords to gain access. Basic as they are, these techniques have enabled Fancy Bear to get into several organizations and even retrieve emails.
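The point above is that the campaign relied on plain credential guessing rather than novel tooling, which is exactly the behaviour that authentication logs can expose. The following is an added example, not code from the original article or from the joint advisory: it parses constructed, simplified login records (the log format, account names and IP addresses are all invented for illustration) and flags three patterns a defender would alert on: repeated failures against one account from one source (classic brute force), failures spread across many accounts from one source (password spraying), and a successful login from a source that was failing moments earlier.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example (not from the article or the advisory). The log format below is a
constructed, simplified one: <ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Hosts and accounts are invented; the IPs are
# documentation ranges (RFC 5737), not real indicators from the advisory.
SAMPLE_LOG = """\
2021-07-01T10:00:01 FAILED user=alice src=198.51.100.7
2021-07-01T10:00:03 FAILED user=alice src=198.51.100.7
2021-07-01T10:00:05 FAILED user=alice src=198.51.100.7
2021-07-01T10:00:07 FAILED user=alice src=198.51.100.7
2021-07-01T10:00:09 FAILED user=alice src=198.51.100.7
2021-07-01T10:00:11 FAILED user=alice src=198.51.100.7
2021-07-01T10:05:00 FAILED user=bob src=203.0.113.9
2021-07-01T10:05:30 FAILED user=carol src=203.0.113.9
2021-07-01T10:06:00 FAILED user=dave src=203.0.113.9
2021-07-01T10:06:30 FAILED user=erin src=203.0.113.9
2021-07-01T10:07:00 FAILED user=frank src=203.0.113.9
2021-07-01T10:07:30 SUCCESS user=frank src=203.0.113.9
2021-07-01T10:20:00 FAILED user=alice src=192.0.2.44
2021-07-01T10:20:01 SUCCESS user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line shape: ignore rather than crash
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return findings keyed by pattern.

    brute_force:            (src, user) pairs with >= fail_threshold failures against
                            ONE account inside the sliding window.
    spraying:               sources with failures against >= spray_threshold DISTINCT
                            accounts inside the window (few guesses per account, many
                            accounts, which per-account lockout does not catch).
    success_after_failures: (src, user) pairs where a success follows at least
                            fail_threshold failures from the same source; the
                            threshold keeps an ordinary single typo from alerting.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    brute_force, spraying, success_after_failures = set(), set(), set()
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            # Events from this source inside the window that ends at e["ts"].
            recent = [x for x in evs[: i + 1] if x["ts"] >= e["ts"] - window]
            fails = [x for x in recent if x["result"] == "FAILED"]
            if e["result"] == "FAILED":
                same_user = sum(1 for x in fails if x["user"] == e["user"])
                if same_user >= fail_threshold:
                    brute_force.add((src, e["user"]))
                if len({x["user"] for x in fails}) >= spray_threshold:
                    spraying.add(src)
            elif len(fails) >= fail_threshold:
                success_after_failures.add((src, e["user"]))

    return {
        "brute_force": sorted(brute_force),
        "spraying": sorted(spraying),
        "success_after_failures": sorted(success_after_failures),
    }


if __name__ == "__main__":
    for pattern, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{pattern}: {hits}")
```

The third pattern is the one worth paging on: a source that guessed its way to a valid login is the point at which credential guessing becomes an intrusion, and the same source's earlier failures are what tie the two together. Thresholds and the window length are tuning knobs; the values here are arbitrary and should be set from a site's own baseline of failed logins.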
According to Rob Joyce, the NSA’s director of cybersecurity, “This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale.”
Out of all the SVR intelligence spies, the Fancy Bear unit is affiliated with some of the most devastating hacking attacks. These include hacking the Clinton campaign in 2016 and leaking sensitive information. The group has also previously hacked into the Worldwide Anti-Doping Agency and the Olympic International Organization Committee.
Another Espionage Attempt
Although the group is using a different strategy this time, John Hultquist, vice president at the security firm Mandiant, believes that the attack is still linked to the usual espionage attempts. In his statement, Hultquist says, “These intrusions don’t necessarily presage the shenanigans that we think of when we think of the GRU.”
However, Hultquist warns that the hacking attempts should still be concerning, and that organizations must assess and repair all vulnerabilities. According to him, the joint advisory was intended to inhibit the success of the campaign. The statement issued by the joint bodies listed the malware used by the threat actors and their IP addresses.
While the advisory did not reveal any considerable amount of damage, the statement still helped create awareness that Fancy Bear and other Kremlin hackers were still in operation. It also shed light on the main parties targeted, which are diplomats, legislatures and military departments.
Moreover, Hultquist said it was concerning that the actors were also targeting energy companies. Early last year, the US Department of Energy reported a planned hack on an energy firm. The hack was linked to IP addresses used by Fancy Bear.
In addition, Sandworm, another Kremlin hacking group, is the only group linked to causing blackouts, after attacking Ukraine in 2015 and 2016. While Hultquist thinks the recent brute-force intrusion may be another espionage attempt, he believes Russia has a great interest in energy departments and “that’s going to be part of their intelligence collection requirements.”
Joe Slowik of the security firm Gigamon argues instead that the brute-force attack was not aimed at any specific organization but was opportunistic. According to Slowik, the Russian threat actors could be working blindly, trying to find access credentials for any network.
Once Fancy Bear finds such credentials, it could pass them on to other, more sophisticated Kremlin hackers tasked with conducting a targeted intrusion. In his own words, Slowik stated: “They’re tasked with ‘go forth and get us points of access in organizations of interest.’ Then they sit on it or pass it on to parties who take care of more involved intrusions, based on whatever access they’re able to turn up.”
With Kremlin hackers not expected to do away with their espionage attempts soon, the joint advisory calls for vigilance and the utmost care from organizations handling sensitive data.