Russia’s military intelligence is carrying out a two-year-old cyber campaign aimed largely at government and private sector entities in the U.S. and Europe, including military organizations and defense contractors, a joint U.S. and United Kingdom advisory warns.
The Cybersecurity Advisory describes the tactics, techniques and procedures used by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center in targeting hundreds of entities through “brute force” to gain access to government and private sector networks. The advisory was released on Thursday by the National Security Agency, Cybersecurity and Infrastructure Security Agency, FBI and the U.K.’s National Cyber Security Centre.
The types of organizations targeted include government and military, political consultants and parties, defense contractors, energy companies, logistics companies, think tanks, higher education institutions, law firms and media companies.
After finding valid credentials through its brute force techniques, the GRU also exploited “publicly known vulnerabilities” to access victim networks, evade defenses and exfiltrate data, the advisory says.
The GRU’s cyber campaign began in mid-2019 and is “likely ongoing,” the advisory says. Other names given to the malicious cyber actor include Fancy Bear, APT28 and Strontium.
“NSA encourages Department of Defense, National Security Systems, and Defense Industrial Base system administrators to immediately review the indicators of compromise included in this advisory and apply the recommended mitigations,” the advisory says. “The most effective mitigation is the use of multi-factor authentication, which is not guessable during brute force attempts.”
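The advisory's two points above, that the campaign relies on brute force credential guessing and that MFA is the most effective mitigation, translate for defenders into a detection question: which sources are hammering one account (classic brute force) and which are spreading a few guesses across many accounts (password spraying)? The following is an added example, not code from the advisory or from any of the agencies that issued it. It runs over a handful of constructed syslog-style authentication lines (the format, usernames and IP addresses are invented for the example) and flags both patterns, plus any login success from a source that was already flagged, which is the event most worth escalating.

```python
"""Flag brute-force and password-spray patterns in authentication logs.

Added example; the log format, thresholds, usernames and source IPs below are
all constructed for illustration and are not from the advisory.
"""
import re
from collections import defaultdict

# Constructed sample log lines (syslog-like, made up for this example).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z auth: FAILED user=alice src=203.0.113.10
2021-07-01T10:00:02Z auth: FAILED user=alice src=203.0.113.10
2021-07-01T10:00:03Z auth: FAILED user=alice src=203.0.113.10
2021-07-01T10:00:04Z auth: FAILED user=alice src=203.0.113.10
2021-07-01T10:00:05Z auth: FAILED user=alice src=203.0.113.10
2021-07-01T10:00:06Z auth: SUCCESS user=alice src=203.0.113.10
2021-07-01T10:01:00Z auth: FAILED user=bob src=198.51.100.7
2021-07-01T10:01:01Z auth: FAILED user=carol src=198.51.100.7
2021-07-01T10:01:02Z auth: FAILED user=dave src=198.51.100.7
2021-07-01T10:01:03Z auth: FAILED user=erin src=198.51.100.7
2021-07-01T10:01:04Z auth: FAILED user=frank src=198.51.100.7
2021-07-01T10:02:00Z auth: FAILED user=grace src=192.0.2.55
2021-07-01T10:02:30Z auth: SUCCESS user=grace src=192.0.2.55
"""

# One line = timestamp, result, user, source address (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, fail_threshold=5, spray_min_users=4):
    """Return {src: findings} for sources showing brute-force behaviour.

    brute_force:            >= fail_threshold failures on one account from one source
    password_spray:         failures spread over >= spray_min_users distinct accounts
    success_after_failures: a later SUCCESS from a source that was flagged above
    Thresholds are illustrative; tune them to the environment's normal failure rate.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    success_after_fail = defaultdict(set)           # src -> users that succeeded after failures

    for e in events:  # events are assumed to be in time order
        src, user = e["src"], e["user"]
        if e["result"] == "FAILED":
            fails[src][user] += 1
        elif fails[src]:  # success from a source with prior failures
            success_after_fail[src].add(user)

    findings = {}
    for src, per_user in fails.items():
        f = {}
        brute = [u for u, n in per_user.items() if n >= fail_threshold]
        if brute:
            f["brute_force"] = sorted(brute)
        if len(per_user) >= spray_min_users:
            f["password_spray"] = sorted(per_user)
        # A single failed attempt followed by success is normal user behaviour,
        # so only report successes for sources already flagged as suspicious.
        if f and success_after_fail.get(src):
            f["success_after_failures"] = sorted(success_after_fail[src])
        if f:
            findings[src] = f
    return findings


if __name__ == "__main__":
    for src, f in analyze(parse(SAMPLE_LOG)).items():
        print(src, f)
```

On the sample input the first source is reported as brute force against one account with a subsequent success, the second as a password spray across five accounts, and the third is not reported at all because one failure followed by a success is ordinary behaviour. The "success after failures" finding is the one that matters most: once MFA is enforced, a guessed password alone should no longer produce that event.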