The discovery of Russia’s devastating SolarWinds espionage campaign focused attention on the sophisticated supply chain hijacking techniques of Moscow’s foreign intelligence hackers. But it is now clear that, throughout the SolarWinds espionage and its fallout, another group of Kremlin hackers kept up its daily work, using basic but often effective techniques to pry open almost any vulnerable network it could find in the United States and around the world.
On Thursday, the National Security Agency, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and the UK National Cyber Security Centre issued a joint advisory warning of hundreds of attempted brute-force intrusions around the world, all carried out by Unit 26165 of the Russian GRU military intelligence agency, better known as Fancy Bear or APT28. The hacking campaign targeted a wide range of organizations, including government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy companies, universities, law firms, and media companies. In other words, almost every area of interest on the Internet.
Against these targets the hackers used relatively basic techniques, guessing usernames and passwords in bulk to gain initial access. But the cybersecurity agencies warned that the Fancy Bear campaign nonetheless successfully compromised multiple entities and stole emails from them, and it is not over yet. Rob Joyce, director of cybersecurity at the NSA, wrote in a statement: “Such prolonged brute-force activity, such as collecting and leaking data and access credentials, may be taking place on a global scale.”
GRU’s Unit 26165 has more spies than the SVR intelligence agency that carried out the SolarWinds campaign, and a history of highly destructive hacking. Fancy Bear was behind the 2016 hack-and-leak operations against the Democratic National Committee and the Clinton campaign, as well as attacks on the International Olympic Committee and the World Anti-Doping Agency. But John Hultquist, vice president at the security company Mandiant and a long-time GRU tracker, said there is no reason to believe that the intentions behind this latest effort go beyond traditional espionage.
“When we think of the GRU, these intrusions don’t necessarily herald the kind of trouble we think of,” Hultquist said. That does not mean the hacking campaign is unimportant. He believes the joint advisory, which lists the IP addresses and malware used by the hackers, is an attempt to add “friction” to successful intrusions. “This is a good reminder that the GRU is still out there doing this kind of activity, and it seems to be focusing on more classic espionage targets, such as policymakers, diplomats, and the defense industry.”
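The campaign described above relies on guessing many usernames and passwords rather than exploiting software flaws, and the advisory’s published IP list is meant to add friction to that. As an added example (not code from the article or the advisory), the following detection logic flags the tell-tale spraying pattern in constructed authentication log lines and cross-checks source addresses against a placeholder indicator set; the log format, account names and documentation-range IPs are all assumptions made for the example.

```python
# Added example, not from the article: flag password-spraying patterns in
# constructed auth log lines and match source IPs against a placeholder
# indicator list standing in for the advisory's published IP addresses.
from collections import defaultdict
# Constructed sample log: "timestamp user source_ip result". The addresses
# are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
2021-07-01T10:00:01 alice 198.51.100.7 FAIL
2021-07-01T10:00:03 bob 198.51.100.7 FAIL
2021-07-01T10:00:05 carol 198.51.100.7 FAIL
2021-07-01T10:00:07 dave 203.0.113.9 FAIL
2021-07-01T10:00:09 erin 203.0.113.9 FAIL
2021-07-01T10:00:11 frank 203.0.113.9 FAIL
2021-07-01T10:00:13 grace 203.0.113.9 SUCCESS
2021-07-01T10:01:00 alice 192.0.2.40 SUCCESS
2021-07-01T10:02:00 alice 192.0.2.40 FAIL
"""
# Placeholder indicator set; real values would come from the advisory itself.
ADVISORY_IPS = {"203.0.113.9"}

def parse_log(text):
    """Parse the constructed log format into (user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, user, ip, result = line.split()
            events.append((user, ip, result))
    return events

def detect_spraying(events, min_users=3, ioc_ips=ADVISORY_IPS):
    """Flag source IPs whose failed logins span many distinct accounts.

    Spraying tries a few passwords across many usernames, so one IP failing
    against >= min_users accounts is the signal; one account failing
    repeatedly is lockout noise. Later successes from that IP are listed.
    """
    failed, succeeded = defaultdict(set), defaultdict(set)
    for user, ip, result in events:
        if result == "FAIL":
            failed[ip].add(user)
        elif result == "SUCCESS":
            succeeded[ip].add(user)
    return {
        ip: {
            "users": sorted(users),
            "compromised": sorted(succeeded[ip]),
            "on_advisory_list": ip in ioc_ips,
        }
        for ip, users in failed.items() if len(users) >= min_users
    }
```

On the sample data, 198.51.100.7 is flagged for spraying three accounts without success, 203.0.113.9 is flagged and also matches the indicator set with a successful login to `grace` that warrants review, and 192.0.2.40 is left alone because a single user failing once is normal noise.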
The inclusion of energy sector targets in this hacking campaign raises additional red flags, especially considering that Sandworm, another GRU hacker team, remains the only hacker group to have triggered actual power outages, in its attacks on Ukrainian power companies in 2015 and 2016. The US Department of Energy separately warned in early 2020 that hackers had targeted a US “energy entity” before Christmas 2019; that advisory included IP addresses that were later matched to GRU Unit 26165, as WIRED first reported last year. “When I see the GRU in the energy sector, I am always worried,” Hultquist said. Even so, he still sees simple espionage as a plausible motive. “It is important to remember that Russia is an oil country. They have a huge interest in the energy sector. This will become part of their intelligence gathering requirements.”
Joe Slowik, head of intelligence at the security company Gigamon, who first discovered the link between the Department of Energy’s alert and the GRU, believes that the GRU’s brute-force hacking may be “opportunistic” rather than targeted. He suggested that the team might simply gain access to any network it can find and then hand that access to other Kremlin hackers who carry out more specific tasks, such as espionage or sabotage. “Their task is ‘to get to know the access points of the organizations we are interested in,’” Slowik said. “Then they will sit on it or pass it on to the parties dealing with more intrusions, based on whatever access they can show up with.”