The discovery of Russia’s devastating SolarWinds spy campaign put the spotlight on the sophisticated supply chain hijacking techniques of Moscow’s foreign intelligence hackers. But it’s now apparent that, throughout that SolarWinds spying and its fallout, another group of Kremlin hackers has kept up their usual daily grind, using basic but often effective techniques to pry open practically any vulnerable network they could find across the US and the global Internet.
On Thursday the NSA, the FBI, the DHS’s Cybersecurity and Infrastructure Security Agency, and the UK’s National Cyber Security Centre issued a joint advisory warning of hundreds of attempted brute-force hacker intrusions around the world, all carried out by Unit 26165 of Russia’s GRU military intelligence agency, also widely known as Fancy Bear or APT28. The hacking campaign has targeted a broad swath of organizations, including government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy firms, universities, law firms, and media companies. In other words, practically every sector of interest on the Internet.
The hacking campaign has used relatively basic techniques against those targets, guessing usernames and passwords en masse to gain initial access. But cybersecurity agencies warn that the Fancy Bear campaign has nonetheless successfully breached multiple entities and exfiltrated emails from them—and that it’s not over.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” the NSA’s director of cybersecurity Rob Joyce wrote in a statement accompanying the advisory.
The GRU’s Unit 26165, more than the SVR intelligence agency spies who carried out the SolarWinds campaign, has a history of highly disruptive hacking. Fancy Bear was behind the hack-and-leak operations that have targeted everyone from the Democratic National Committee and Clinton campaign in 2016 to the International Olympic Committee and the World Anti-Doping Agency. But there’s not yet any reason to believe that this latest effort’s intentions go beyond traditional espionage, says John Hultquist, vice president at security firm Mandiant and a longtime GRU tracker.
“These intrusions don’t necessarily presage the shenanigans that we think of when we think of the GRU,” says Hultquist. But that doesn’t mean that the hacking campaign isn’t significant. He sees the joint advisory, which names IP addresses and malware used by the hackers, as an attempt to add “friction” to a successful intrusion operation. “It’s a good reminder that GRU is still out there, carrying out this kind of activity, and it appears to be focused on more classic espionage targets like policymakers, diplomats, and the defense industry.”
The inclusion of energy sector targets in that hacking campaign raises an extra red flag, especially given that another GRU hacking team, Sandworm, remains the only hacking group ever to trigger actual blackouts, sabotaging Ukrainian electric utilities in 2015 and 2016. The Department of Energy separately warned in early 2020 that hackers had targeted a US “energy entity” just before Christmas in 2019. That advisory included IP addresses that were later matched with GRU Unit 26165, as first reported by WIRED last year. “I’m always concerned when I see GRU in the energy space,” says Hultquist. Even so, he still sees simple espionage as a likely motivation. “It’s important to remember Russia is a petro state. They have a massive interest in the energy sector. That’s going to be part of their intelligence collection requirements.”
The GRU’s brute-force hacking may be “opportunistic” rather than targeted, argues Joe Slowik, who leads intelligence at security firm Gigamon and first spotted the connection between the Department of Energy alert and the GRU. He posits that the team may simply be gaining access to any network it can find before passing off that access to other Kremlin hackers with more specific missions, like espionage or disruption. “They’re tasked with ‘go forth and get us points of access in organizations of interest,’” says Slowik. “Then they sit on it or pass it on to parties who take care of more-involved intrusions, based on whatever access they’re able to turn up.”
The breadth of that “scattershot” campaign, however, shows how the GRU may be scaling up its access attempts, Slowik says. The advisory notes, for instance, that the hackers used Kubernetes, the open-source container orchestration tool. That appears to be a new trick to more efficiently spin up the machines used in their intrusion attempts. And by sticking to simple techniques used by state-sponsored and cybercriminal hackers alike, the GRU’s hacking has remained somewhat “deniable,” Slowik adds. If it hadn’t been for the government agencies’ advisory linking it to the GRU, network operators would have had scant evidence to distinguish the probing from other hacking attempts.
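From the defender’s side, the activity described above leaves a recognizable shape in authentication logs even when the source addresses are unfamiliar: one source hammering one account, one source guessing once against many accounts (password spraying), many sources converging on one account, or a successful login right after a run of failures. The following Python sketch is an added example, not code from the advisory or from WIRED, that scores a constructed sshd-style log for those four patterns. The log format, the ten-minute window, and the thresholds are assumptions chosen for illustration and would be tuned to a real environment.

```python
"""Detect brute-force and password-spray patterns in sshd-style auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 ts> <host> sshd: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (cron, sudo, ...)
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    events.sort(key=lambda e: e[0])
    return events


def _peak_in_window(events, key_fn, value_fn, window):
    """Per key: the highest number of failed attempts, and of distinct values,
    observed inside any trailing window. Successful logins are ignored here."""
    recent = defaultdict(deque)            # key -> deque of (ts, value)
    peak = defaultdict(lambda: (0, 0))
    for ts, ip, user, ok in events:
        if ok:
            continue
        k = key_fn(ip, user)
        q = recent[k]
        q.append((ts, value_fn(ip, user)))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        attempts, distinct = peak[k]
        peak[k] = (max(attempts, len(q)), max(distinct, len({v for _, v in q})))
    return peak


def detect(events, window=timedelta(minutes=10), brute_min=10,
           spray_min_users=5, distributed_min_ips=5):
    """Return the four pattern classes found in the events (thresholds are assumptions)."""
    findings = {"brute_force": [], "password_spray": [],
                "distributed": [], "success_after_failures": []}
    # 1. One source, one account, many attempts.
    for (ip, user), (attempts, _) in _peak_in_window(
            events, lambda ip, u: (ip, u), lambda ip, u: None, window).items():
        if attempts >= brute_min:
            findings["brute_force"].append((ip, user, attempts))
    # 2. One source, many distinct accounts: password spraying.
    for ip, (_, users) in _peak_in_window(
            events, lambda ip, u: ip, lambda ip, u: u, window).items():
        if users >= spray_min_users:
            findings["password_spray"].append((ip, users))
    # 3. Many distinct sources against one account: distributed guessing.
    for user, (_, ips) in _peak_in_window(
            events, lambda ip, u: u, lambda ip, u: ip, window).items():
        if ips >= distributed_min_ips:
            findings["distributed"].append((user, ips))
    # 4. A success for an account that had failures within the window.
    fails = defaultdict(deque)               # user -> deque of failure timestamps
    for ts, ip, user, ok in events:
        q = fails[user]
        while q and ts - q[0] > window:
            q.popleft()
        if ok:
            if q:
                findings["success_after_failures"].append((ip, user, len(q)))
        else:
            q.append(ts)
    return findings


def build_sample_log():
    """Constructed sample log (not real data; documentation-range IPs) exercising each pattern."""
    base = datetime(2021, 7, 1, 10, 0, 0)
    lines = []

    def add(sec, result, user, ip):
        ts = (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} host1 sshd: {result} password for {user} from {ip}")

    for i in range(12):                                   # brute force on one account
        add(i, "Failed", "admin", "203.0.113.10")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        add(100 + i, "Failed", user, "198.51.100.7")      # one guess per account: spray
    for i in range(5):                                    # five sources, one account
        add(200 + i, "Failed", "svc_backup", f"192.0.2.{i + 1}")
    add(300, "Failed", "alice", "203.0.113.10")
    add(301, "Failed", "alice", "203.0.113.10")
    add(302, "Accepted", "alice", "203.0.113.10")         # success after failures
    add(2000, "Accepted", "carol", "192.0.2.50")          # benign login, outside window
    lines.append("2021-07-01T10:07:00Z host1 cron: session opened")  # noise, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, hits in detect(parse_log(build_sample_log())).items():
        print(kind, hits)
```

The four checks share one sliding-window helper; only the choice of key (source, account, or the pair) and of what counts as "distinct" changes. Spraying is the case that per-account lockout thresholds miss entirely, which is why the per-source distinct-user count is worth alerting on even when every individual account sees a single failure.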
In the wake of a meeting between US president Joe Biden and Russian president Vladimir Putin at a summit in Geneva, held partly to defuse tensions over Russia’s SolarWinds espionage campaign, the latest news of Russian hacking might appear to be a slap in the face to US diplomatic efforts. After all, Biden laid out for Putin 16 areas of US critical infrastructure that he designated as off-limits for any hacking operation—including the energy sector.
But it remains unclear which, if any, of those particularly sensitive infrastructure targets the GRU’s mass brute-force campaign might have penetrated, or if any occurred after the summit rather than prior to it. Regardless, Mandiant’s John Hultquist argues, no meeting between Biden and Putin—or any other diplomatic measure—will ever be able to stop the eternal cat-and-mouse game of espionage.
“Does this mean that things have already broken down with Russia? No, there’s nothing we could ever do to get Moscow to stop spying,” Hultquist says. “It’s just not going to happen. We will always live in a world where the Russians are collecting intelligence, and that will always include a cyber capability.”
This story first appeared on wired.com.