US, UK agencies say Russia is abusing Kubernetes to launch massive cyberattacks

Bad Bots
(Image credit: Gonin / Shutterstock)

Russian military intelligence has been abusing cloud infrastructure to launch attacks against hundreds of targets worldwide, say cybersecurity agencies from the US and UK.

An advisory released by a number of agencies, including the FBI and UK National Cybersecurity Centre (NCSC), claims the Russian General Staff Main Intelligence Directorate (GRU) is conducting brute-force password attacks against both private and public sector organizations.

Previously, these attacks had been blamed on threat actors such as Fancy Bear, APT28, Strontium and others, but the security agencies now believe they are directed by a GRU unit known as GTsSS.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

“The GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols,” the joint advisory explains.

Ongoing campaign

In their breakdown of the attacks, the agencies say GTsSS employs a Kubernetes cluster to break into private networks in order to access protected data, including email, and identify valid account credentials.

Commenting on the modus operandi, the advisory says the attackers target victims by using a combination of compromised account credentials and publicly known vulnerabilities, such as the ones recently discovered in Microsoft Exchange servers.

Furthermore, to obfuscate their origin, the attackers route their brute force authentication attempts through Tor and VPN services.

The joint statement comes not long after a meeting in Geneva between US President Joe Biden and his Russian counterpart Vladimir Putin. But the agencies believe the attacks “are almost certainly still ongoing.”

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.