The discovery of Russia's devastating SolarWinds spy campaign focused attention on the sophisticated supply chain hijacking techniques of foreign intelligence hackers from Moscow. But it is now evident that throughout the SolarWinds espionage and its fallout, another group of Kremlin hackers kept up their usual daily grind, using basic but often effective techniques to break into virtually any vulnerable network they could find in the United States and on the internet around the world.
On Thursday, the NSA, the FBI, the DHS Cybersecurity and Infrastructure Security Agency and the UK's National Cyber Security Centre released a joint advisory warning of hundreds of intrusion attempts around the world, all carried out by Unit 26165 of the Russian military intelligence agency GRU, also widely known as Fancy Bear or APT28. The hacking campaign targeted a wide range of organizations, including government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy companies, universities, law firms and media companies. In other words, virtually every sector of interest on the internet.
The hacking campaign used relatively basic techniques against those targets, mass-guessing usernames and passwords to gain initial access. But the cybersecurity agencies warn that the Fancy Bear campaign has nonetheless managed to breach several entities and exfiltrate emails, and that it is not over. "This long campaign of brute force to collect and exfiltrate data, access credentials and more is likely underway, globally," wrote NSA cybersecurity director Rob Joyce in a press release accompanying the advisory.
GRU Unit 26165, far more than the SVR intelligence agency spies who led the SolarWinds campaign, has a history of highly disruptive hacking. Fancy Bear was behind the hack-and-leak operations that targeted everyone from the Democratic National Committee and the Clinton campaign in 2016 to the International Olympic Organizing Committee and the World Anti-Doping Agency. But there is still no reason to believe that the intentions behind this latest effort go beyond traditional espionage, says John Hultquist, vice president at security firm Mandiant and a longtime GRU tracker.
"These intrusions don't necessarily portend the shenanigans we think of when we think of the GRU," Hultquist explains. But that doesn't mean the hacking campaign isn't important. He sees the joint advisory, which names IP addresses and malware used by the hackers, as an attempt to add "friction" to a successful intrusion operation. "It's a good reminder that the GRU is still out there, carrying out this kind of activity, and it seems to be focusing on more classic espionage targets like policymakers, diplomats and the defense industry."
The inclusion of energy-sector targets in this hacking campaign raises an additional red flag, especially since another GRU hacking team, Sandworm, remains the only hackers known to have triggered real blackouts, sabotaging Ukrainian electric utilities in 2015 and 2016. The Department of Energy issued a separate warning in early 2020 that hackers had targeted an American "energy entity" just before Christmas in 2019. That notice included IP addresses that were later associated with GRU Unit 26165, as first reported by WIRED last year. "I'm always worried when I see the GRU in the energy business," Hultquist says. Even so, he still sees simple espionage as the likely motivation. "It's important to remember that Russia is a petro-state. They're very interested in the energy sector. This will be part of their intelligence gathering requirements."
The GRU's brute-force hacking may be "opportunistic" rather than targeted, argues Joe Slowik, who heads intelligence at security firm Gigamon and first spotted the link between the Department of Energy alert and the GRU. He posits that the team may simply be gaining access to any network it can find before handing that access to other Kremlin hackers with more specific missions, such as espionage or disruption. "They are responsible for 'going ahead and providing us with access points in organizations of interest,'" says Slowik. "Then they either sit on it or pass it on to parties that deal with more involved intrusions, depending on how much access they can find."