APT28, a state-sponsored Russian hacking group, is conducting large-scale attacks against governments and businesses across the globe, cyber agencies from the US and UK claim.
The warning was issued in a new security advisory, published jointly by four agencies: the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Centre (NCSC).
According to the advisory, APT28 (also known as Fancy Bear) operates under the Russian General Staff Main Intelligence Directorate (GRU). The group is said to be running its brute-forcing from a Kubernetes cluster, using it to conduct "widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide."
The advisory further states that the brute-forcing is only the first step of a multi-stage campaign: the credentials it yields are used to gain an initial foothold, after which the actors pursue privilege escalation and remote code execution to move further across the target networks.
The campaign appears to have been active for roughly two years. It stayed largely under the radar until now because the origin of the traffic was obscured: as the advisory explains, the brute-force attempts were routed through the Tor network and commercial VPN services such as Surfshark and NordVPN, so they did not appear to come from a single, attributable source.
The attempts were also spread across several authentication protocols, including HTTPS, IMAP, POP3 and NTLM. Because the traffic did not consistently arrive over the same channel or from the same addresses, detections that count failures per source IP or per protocol were less likely to fire.
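The detection problem described above is that a classic per-source threshold never fires when each source IP and each protocol contributes only one or two failures. The following is an added example, not code from the advisory or the article, of a detector that instead looks at the spread of failed logins in a time window (distinct users, distinct sources, protocols in play) and then checks whether any source that took part in the spray later logged in successfully. The log format, field names, thresholds and the sample log lines are all constructed for the example.

```python
"""Detect a distributed, low-volume password spray in authentication logs.

Added example (not from the advisory). The log format is an assumption:
<ISO-8601 timestamp> <protocol> <source IP> <user> <FAIL|SUCCESS>
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample: nine users, each hit once, from nine different
# sources over four protocols, then one success from a source that had
# already failed against another user. No single IP exceeds one failure.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z IMAP 203.0.113.10 alice@example.org FAIL
2021-06-01T10:00:05Z IMAP 203.0.113.11 bob@example.org FAIL
2021-06-01T10:00:09Z POP3 198.51.100.7 carol@example.org FAIL
2021-06-01T10:00:14Z HTTPS 203.0.113.12 dave@example.org FAIL
2021-06-01T10:00:20Z NTLM 198.51.100.8 erin@example.org FAIL
2021-06-01T10:00:31Z HTTPS 203.0.113.13 frank@example.org FAIL
2021-06-01T10:00:45Z IMAP 198.51.100.9 grace@example.org FAIL
2021-06-01T10:01:02Z HTTPS 203.0.113.14 heidi@example.org FAIL
2021-06-01T10:01:30Z NTLM 203.0.113.15 ivan@example.org FAIL
2021-06-01T10:01:45Z HTTPS 203.0.113.10 ivan@example.org SUCCESS
2021-06-01T10:02:00Z HTTPS 192.0.2.5 alice@example.org SUCCESS
2021-06-01T11:30:00Z IMAP 192.0.2.6 bob@example.org FAIL
2021-06-01T11:30:05Z IMAP 192.0.2.6 bob@example.org SUCCESS
"""


class Event(NamedTuple):
    ts: datetime
    proto: str
    src: str
    user: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            proto, src, user, result))
    return events


def per_source_failures(events: List[Event], threshold: int = 5) -> dict:
    """Classic brute-force rule: sources with >= threshold failed logins.
    Against a spray spread over many Tor/VPN exits this returns nothing."""
    counts = Counter(e.src for e in events if e.result == "FAIL")
    return {src: n for src, n in counts.items() if n >= threshold}


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, min_sources: int = 5) -> List[dict]:
    """Flag any window in which failures touch many distinct users from
    many distinct sources, regardless of how few failures each source has."""
    fails = sorted((e for e in events if e.result == "FAIL"), key=lambda e: e.ts)
    alerts, i = [], 0
    while i < len(fails):
        start = fails[i].ts
        bucket = [e for e in fails[i:] if e.ts - start < window]
        users = {e.user for e in bucket}
        sources = {e.src for e in bucket}
        if len(users) >= min_users and len(sources) >= min_sources:
            alerts.append({"start": start, "window_end": start + window,
                           "attempts": len(bucket), "users": users,
                           "sources": sources,
                           "protocols": {e.proto for e in bucket}})
            i += len(bucket)          # do not re-report the same burst
        else:
            i += 1
    return alerts


def successes_from_spray_sources(events: List[Event], alert: dict) -> List[Event]:
    """Follow-on check: successful logins inside the alert window from a
    source that also produced failures in the spray. These are the
    accounts to treat as likely compromised and reset first."""
    return [e for e in events
            if e.result == "SUCCESS" and e.src in alert["sources"]
            and alert["start"] <= e.ts < alert["window_end"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source rule fired on:", per_source_failures(evs))
    for a in detect_spray(evs):
        print(f"spray {a['start']:%H:%M:%S}: {a['attempts']} failures, "
              f"{len(a['users'])} users, {len(a['sources'])} sources, "
              f"protocols {sorted(a['protocols'])}")
        for hit in successes_from_spray_sources(evs, a):
            print("  success from spray source:", hit.src, hit.user)
```

On the constructed sample the per-source rule returns nothing, even with the threshold lowered to 2, while the window rule reports one burst of nine failures across nine users, nine sources and all four protocols, and the follow-on check isolates the single success that came from a source already seen failing. The user and source thresholds and the window length are arbitrary here; tune them against the normal spread of failures in your own logs before using the logic for alerting.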
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” Rob Joyce, NSA Director of Cybersecurity, told The Record.
“Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”