[BreachExchange] US and UK issue rare joint guidance in response to Russian GRU brute force campaign

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 2 10:45:01 EDT 2021


https://www.csoonline.com/article/3624008/us-and-uk-issue-rare-joint-guidance-in-response-to-russian-gru-brute-force-campaign.html#tk.rss_news

The United States and the United Kingdom cyber and law enforcement entities
(NSA, FBI, CISA and NCSC) have joined forces to protect enterprises in
their respective nations and the globe, with the July 1 issuance of
defensive guidance regarding the Russian intelligence service’s targeting
and attack methodologies. While bilateral sharing of information between
the US and UK intelligence services occurs daily, the public sharing of
their joint perspective and guidance is especially noteworthy and should be
taken on board by every CISO, regardless of company size.

Russian GRU global brute force campaign

The report, Russian GRU Global Brute Force Campaign, notes since at least
mid-2019 through early 2021, the Russian GRU’s (military intelligence) Unit
26165 has used a “Kubernetes cluster to conduct widespread, distributed,
and anonymized brute force access attempts against hundreds of government
and private sector targets worldwide.” The cybersecurity world has
previously identified the efforts of Unit 26165 with the monikers Fancy
Bear, APT28, and Strontium.

When the attack is successful, the report said, the adversary can “access
protected data, including email, and identify valid account credentials.”

They then use the credentials to move laterally within the targeted entity,
collecting data, establishing additional footholds, and, perhaps most
importantly from the adversary’s perspective, evading detection.

The report detailed how the targeting efforts of Unit 26165, while global,
have focused primarily on the United States and Europe and included the
energy, logistics, academia, research, media, legal, defense, and
government sectors. They also targeted political parties, organizations,
and consultants.

Security guidance for network managers

The report is unambiguous in its guidance to network managers and those
charged with the protection of data and infrastructure:

   - Expand usage of multi-factor authentication using strong
   authentication factors that are not guessable.
   - Use time-out and lock-out features. Increase time-out after each fail
   and lock out after multiple failed attempts to access network resources.
   - Mandate strong password usage that directly addresses brute force
   dictionary or guessing attacks.
   - Embrace zero trust security including least-privileged access and
   segmenting networks.
   - Deny inbound activity from anonymization services such as Tor and
   commercial VPNs. (CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and
   WorldVPN are all identified by name.)
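The campaign described above is dangerous precisely because it is distributed: a cluster of sources, each hiding behind Tor or a commercial VPN, can keep every individual source and every individual account below the lock-out thresholds the guidance recommends, so that the per-source and per-account counters never fire. The following detector is an added example, not code from the advisory, the article, or any agency tooling; it runs over a constructed, hypothetical authentication log (the line format, the documentation-range IP addresses and the threshold values are all assumptions) and shows that the spray is visible only when failures are aggregated across sources and accounts in a time window.

```python
"""Added example: flag a distributed, low-and-slow password spray in an
authentication log. Every source and every account stays below the
lock-out threshold, so the pattern only shows up in the aggregate."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-source / per-account lock-out threshold (policy value chosen
# for the example; the advisory recommends lock-outs but sets no number).
LOCKOUT_THRESHOLD = 5

# Constructed sample log (hypothetical format):
#   "<ISO-8601 UTC time> <FAIL|OK> <account> <source IP>"
# Five sources (RFC 5737 documentation ranges) each try one guess against
# three accounts, and one legitimate user mistypes once, then logs in.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z FAIL alice 203.0.113.10
2021-06-01T08:00:04Z FAIL bob 203.0.113.10
2021-06-01T08:00:07Z FAIL carol 203.0.113.10
2021-06-01T08:01:10Z FAIL dave 203.0.113.11
2021-06-01T08:01:13Z FAIL erin 203.0.113.11
2021-06-01T08:01:16Z FAIL frank 203.0.113.11
2021-06-01T08:02:20Z FAIL alice 198.51.100.20
2021-06-01T08:02:23Z FAIL dave 198.51.100.20
2021-06-01T08:02:26Z FAIL erin 198.51.100.20
2021-06-01T08:03:30Z FAIL bob 198.51.100.21
2021-06-01T08:03:33Z FAIL carol 198.51.100.21
2021-06-01T08:03:36Z FAIL frank 198.51.100.21
2021-06-01T08:04:40Z FAIL alice 198.51.100.22
2021-06-01T08:04:43Z FAIL bob 198.51.100.22
2021-06-01T08:04:46Z FAIL carol 198.51.100.22
2021-06-01T08:05:00Z FAIL bob 192.0.2.50
2021-06-01T08:05:09Z OK bob 192.0.2.50
"""


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    ok: bool
    user: str
    src: str


@dataclass(frozen=True)
class SprayVerdict:
    window_start: datetime
    failures: int
    distinct_sources: int
    distinct_accounts: int
    max_failures_per_source: int
    max_failures_per_account: int
    lockout_would_trigger: bool   # would any per-source/per-account lock-out fire?
    is_spray: bool                # aggregate thresholds exceeded?


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the hypothetical log format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(when, result == "OK", user, src))
    return events


def analyse_window(events, start, window=timedelta(minutes=10),
                   min_failures=10, min_sources=4, min_accounts=4) -> SprayVerdict:
    """Aggregate failures in [start, start + window) across sources and accounts."""
    end = start + window
    fails = [e for e in events if not e.ok and start <= e.when < end]
    per_src = Counter(e.src for e in fails)
    per_acct = Counter(e.user for e in fails)
    max_src = max(per_src.values(), default=0)
    max_acct = max(per_acct.values(), default=0)
    return SprayVerdict(
        window_start=start,
        failures=len(fails),
        distinct_sources=len(per_src),
        distinct_accounts=len(per_acct),
        max_failures_per_source=max_src,
        max_failures_per_account=max_acct,
        lockout_would_trigger=(max_src >= LOCKOUT_THRESHOLD or max_acct >= LOCKOUT_THRESHOLD),
        # The spray signal: many failures, spread over many sources AND many accounts.
        is_spray=(len(fails) >= min_failures and len(per_src) >= min_sources
                  and len(per_acct) >= min_accounts),
    )


def detect_sprays(events, window=timedelta(minutes=10), **thresholds) -> list[SprayVerdict]:
    """Walk the log in tumbling windows and return the windows that look like a spray."""
    if not events:
        return []
    start, last = min(e.when for e in events), max(e.when for e in events)
    verdicts = []
    while start <= last:
        v = analyse_window(events, start, window, **thresholds)
        if v.is_spray:
            verdicts.append(v)
        start += window
    return verdicts


if __name__ == "__main__":
    for v in detect_sprays(parse_log(SAMPLE_LOG)):
        print(f"spray from {v.window_start:%H:%M}: {v.failures} failures, "
              f"{v.distinct_sources} sources, {v.distinct_accounts} accounts; "
              f"per-source max {v.max_failures_per_source}, per-account max "
              f"{v.max_failures_per_account}, lock-out fires: {v.lockout_would_trigger}")
```

On the sample log the per-source maximum is 3 and the per-account maximum is 4, both under the assumed lock-out threshold of 5, so time-outs and lock-outs alone would never fire; the aggregate view (16 failures across 6 sources and 6 accounts in one window) is what flags the campaign. In production the flagged sources would also be checked against Tor exit and commercial VPN address lists, which is the advisory's last recommendation, and the thresholds tuned to the organisation's normal failure rate.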

GRU Unit 26165

This is not the first time GRU Unit 26165 has been highlighted in a
government bulletin or advisory. Indeed, the window of activity, mid-2019
through early 2021, might lead some to believe these activities by GRU Unit
26165 are new, but nothing could be further from the truth. The GRU and its
robust offensive cyber capabilities have been engaged in cyberattacks and
penetrations for many years. Examples include the 2016 US elections, the
2014 Winter Olympics in Sochi, and the 2020 advisory for “Malware:
Drovorub.”

U.S. election: Almost exactly three years ago, the US Department of Justice
announced the grand jury indictment of 12 Russian intelligence officers for
offenses related to the 2016 election—hacking the Democratic National
Committee, the presidential campaign of Hillary Clinton and the Democratic
Congressional Campaign Committee. The GRU then went on to publish
portions of the stolen content via a fictitious Romanian persona, Guccifer 2.0.

Winter Olympics: In October 2018, a separate grand jury issued an
indictment of seven Russian intelligence officers concerning Russia’s
state-sponsored athlete doping program. The indictment notes how from 2014
through 2018, GRU Unit 26165 played a key part in the Russian efforts to
adjust the narrative, and that Unit 26165 “conducted persistent and sophisticated
computer intrusions affecting US persons, corporate entities, international
organizations, and their respective employees.”

Drovorub: In August 2020, the NSA and FBI issued a bulletin concerning Unit
26165’s deployment of malware called Drovorub, which targeted Linux systems
as part of a cyber-espionage activity.

CISOs, use this guidance with your C-suite

CISOs should recognize that this guidance is neither new nor difficult to
implement. The recommendations could be pulled from network security 101.
This does not diminish the importance of the joint guidance. Rather, it
serves to highlight the current state of play: multiple agencies are
publicly sharing their guidance because adversaries continue to be
successful where information security implementation, maintenance, and
governance are uneven and, within some entities, poorly implemented.

That said, CISOs should use this guidance with the C-Suite as a
demonstrable tool to garner resources for information security teams and
to overcome resistance to funding information security. We must engage in
defensive actions that make it too costly or difficult for the adversary to
be successful, and have a plan in place to mitigate those instances when
the adversary is successful.

GRU Unit 26165 isn’t going to pack up shop; they are in it for the
long-haul. What they can be expected to do is change their tactics. Their
targeting, however, won’t change: You are the target.