For months, Russian military hackers have been engaged in a campaign to compromise the passwords of people employed in sensitive jobs at hundreds of organizations worldwide, including US and European government and military agencies, US and British national security officials said Thursday.
The extensive effort also targeted political parties, government offices, defense contractors, energy companies, think tanks, law firms, media outlets and universities, the officials said.
The password-hacking campaign, which officials believe is almost certainly still ongoing, is part of a broader effort by Russia’s GRU to gather information from a wide range of sensitive targets, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ.
It is distinct from other Russian operations in cyberspace such as the SolarWinds campaign, which was instead carried out by Russia’s foreign intelligence service, the SVR, and relied on malicious code secretly embedded in trusted software rather than direct attacks on user passwords.
This campaign, which involved attempts to break the passwords of individuals affiliated with major organizations worldwide, began in mid-2019, and while aspects of it have been publicly reported, the US government is attributing it to Russia’s military intelligence agency, the GRU, for the first time this week.
The advisory released Thursday doesn’t specify how often these attacks were successful, but it does say that the actors “have used” identified account credentials in conjunction with known vulnerabilities.
“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these kinds of incidents don’t necessarily presage operations like hack and leak campaigns,” according to John Hultquist, VP of Analysis, Mandiant Threat Intelligence. “Despite our best efforts we are unlikely to ever stop Moscow from spying.”
One high-profile example of the campaign was disclosed last September, when Microsoft said it had detected attacks on passwords belonging to tens of thousands of accounts at some 200 organizations, many of which were involved in US and UK elections. At the time, Microsoft warned that the attacks represented a possible election security threat before the 2020 elections.
A former US official told CNN the broader campaign identified by Thursday’s advisory wasn’t tied to elections.
By repeatedly trying password combinations until they gained access, Russian agents sought to take control of accounts at victim organizations, Thursday’s advisory said. The attackers also tried to hide the source of their attacks by launching them from behind virtual private networks and by routing them through traffic-anonymizing services such as Tor, the advisory said.
Once the attackers gained access to a victim network, they sought to use other publicly known software flaws to breach accounts with high-powered network permissions and to steal emails and other data, according to the advisory.
The Russian campaign likely continues to the present day, said Rob Joyce, NSA’s director of cybersecurity.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” he said.
To protect their networks, the advisory said, organizations should require strong passwords, use multi-factor authentication and block all incoming internet traffic from Tor and commercial VPN services.
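The article describes two things a defender can act on: repeated password guessing against many accounts (the brute-force activity above) and the advisory's recommendation to treat traffic from Tor and commercial VPN services as suspect. The following Python script, added here as an illustration and not part of the advisory or the article, shows what a simple detection over authentication logs looks like. The log format, the sample log lines, the thresholds and the anonymizer address range are all constructed for this example; a real deployment would read its own identity provider's logs and a maintained Tor/VPN exit list.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One line per login
# attempt: UTC timestamp, result, account, source IP. A malformed line is
# included to show that the parser skips it instead of failing.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice@example.org src=198.51.100.7
2021-07-01T10:00:03Z FAIL user=bob@example.org src=198.51.100.7
2021-07-01T10:00:05Z FAIL user=carol@example.org src=198.51.100.7
2021-07-01T10:00:07Z FAIL user=dave@example.org src=198.51.100.7
2021-07-01T10:00:09Z FAIL user=erin@example.org src=198.51.100.7
2021-07-01T10:00:11Z OK user=frank@example.org src=198.51.100.7
2021-07-01T10:20:00Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T10:20:30Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T10:21:00Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T10:21:30Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T10:22:00Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T10:22:30Z FAIL user=alice@example.org src=203.0.113.9
2021-07-01T11:00:00Z OK user=grace@example.org src=192.0.2.5
this line is not in the expected format
"""

# Placeholder for a Tor exit / commercial VPN range list; the real list comes
# from a threat-intel feed. 203.0.113.0/24 is a documentation range.
ANONYMIZER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"].lower(), m["src"]))
    events.sort()
    return events


def analyze(text, window=timedelta(minutes=10), spray_users=5, bf_attempts=6):
    """Flag password spraying (one source, many accounts), brute force on a
    single account, and a success that follows failures from the same source."""
    findings = {"spray": {}, "brute_force": {}, "success_after_failures": []}
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[3]].append(ev)

    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]

        # Sliding window: how many distinct accounts did this source fail
        # against within any `window`-long period?
        start, in_window, peak = 0, Counter(), set()
        for ts, _, user, _ in fails:
            in_window[user] += 1
            while fails[start][0] < ts - window:
                old = fails[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > len(peak):
                peak = set(in_window)
        if len(peak) >= spray_users:
            findings["spray"][src] = sorted(peak)

        # Brute force: total failures per account from this source over the log.
        for user, n in Counter(e[2] for e in fails).items():
            if n >= bf_attempts:
                findings["brute_force"][(src, user)] = n

        # A successful login shortly after failures from the same source is the
        # event worth escalating: it may mean a password was guessed.
        for ts, result, user, _ in evs:
            if result == "OK" and any(ts - window <= f[0] < ts for f in fails):
                findings["success_after_failures"].append((src, user))
    return findings


def anonymizer_sources(text):
    """Sources in the placeholder Tor/VPN ranges, the traffic the advisory says to block."""
    srcs = {e[3] for e in parse_log(text)}
    return sorted(s for s in srcs
                  if any(ipaddress.ip_address(s) in net for net in ANONYMIZER_RANGES))


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print("from anonymizer ranges:", anonymizer_sources(SAMPLE_LOG))
```

The thresholds are deliberately low so the constructed log triggers every rule; in production they are tuned against the organization's normal failure rate, and the "success after failures" finding is the one to route to an analyst first, since the other two describe attempts rather than a likely compromise.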