Russian military intelligence has been abusing cloud infrastructure to launch attacks against hundreds of targets worldwide, say cybersecurity agencies from the US and UK.
An advisory released by a number of agencies, including the FBI and UK National Cybersecurity Centre (NCSC), claims the Russian General Staff Main Intelligence Directorate (GRU) is conducting brute-force password attacks against both private and public sector organizations.
Previously, these attacks had been blamed on threat actors such as Fancy Bear, APT28, Strontium and others, but the security agencies now believe they are directed by a GRU unit known as GTsSS.
- Protect your devices with these best antivirus software
- These are the best data loss prevention services right now
- Check our list of the best firewall apps and services
“The GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols,” the joint advisory explains.
Ongoing campaign
In their breakdown of the attacks, the agencies say GTsSS employs a Kubernetes cluster to break into private networks in order to access protected data, including email, and identify valid account credentials.
Commenting on the modus operandi, the advisory says the attackers target victims by using a combination of compromised account credentials and publicly known vulnerabilities, such as the ones recently discovered in Microsoft Exchange servers.
Furthermore, to obfuscate their origin, the attackers route their brute force authentication attempts through Tor and VPN services.
The joint statement comes not long after a meeting in Geneva between US President Joe Biden and his Russian counterpart Vladimir Putin. But the agencies believe the attacks “are almost certainly still ongoing.”
- Check our list of the best cloud computing services available right now
