The United States and United Kingdom cyber and law enforcement entities (NSA, FBI, CISA and NCSC) have joined forces to protect enterprises in their respective nations and around the globe, with the July 1 issuance of defensive guidance regarding the Russian intelligence service’s targeting and attack methodologies.
While bilateral sharing of information between the US and UK intelligence services occurs daily, the public sharing of their joint perspective and guidance is especially noteworthy and should be taken on board by every CISO, regardless of company size.
Russian GRU global brute force campaign
The report, Russian GRU Global Brute Force Campaign, notes since at least mid-2019 through early 2021, the Russian GRU’s (military intelligence) Unit 26165 has used a “Kubernetes cluster to conduct widespread, distributed, and anonymised brute force access attempts against hundreds of government and private sector targets worldwide.”
The cyber security world has previously identified the efforts of Unit 26165 with the monikers Fancy Bear, APT28, and Strontium.
When the attack is successful, the report said, the adversary can “access protected data, including email, and identify valid account credentials.”
They then use the credentials to move laterally within the targeted entity, collecting data, establishing additional footholds and, perhaps most importantly from the adversary’s perspective, evading detection.
The report detailed how the targeting efforts of Unit 26165, while global, have focused primarily on the United States and Europe and included the energy, logistics, academia, research, media, legal, defence, and government sectors. They also targeted political parties, organisations, and consultants.
Security guidance for network managers
The report is unambiguous in its guidance to network managers and those charged with the protection of data and infrastructure:
- Expand usage of multi-factor authentication using strong authentication factors that are not guessable.
- Use time-out and lock-out features. Increase time-out after each fail and lock out after multiple failed attempts to access network resources.
- Mandate strong password usage that directly addresses brute force dictionary or guessing attacks.
- Embrace zero trust security including least-privileged access and segmenting networks.
- Deny inbound activity from anonymisation services such as Tor and commercial VPNs. (CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN are all identified by name.)
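An added illustration of the time-out and lock-out guidance above, written for this article rather than taken from the advisory or any vendor: an account-centric login throttle whose delay doubles after each consecutive failure and locks the account after repeated failures, plus a check that flags accounts probed from many distinct source addresses, the distributed pattern the report describes that per-source limits alone never trip on. The policy thresholds and the sample addresses are assumed/constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BASE_DELAY = 2.0    # seconds of time-out after the first failure (assumed policy value)
MAX_FAILURES = 5    # consecutive failures before the account is locked (assumed)
LOCK_SECONDS = 900  # lock-out duration in seconds (assumed policy value)


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0                    # earliest time another attempt is accepted
    sources: set = field(default_factory=set)  # distinct source addresses seen


class LoginThrottle:
    def __init__(self):
        self.accounts = defaultdict(AccountState)

    def attempt(self, user, source_ip, password_ok, now):
        """Return (allowed, reason). While a time-out or lock-out is active the
        attempt is rejected before the password is evaluated at all."""
        st = self.accounts[user]
        st.sources.add(source_ip)
        if now < st.not_before:
            return False, "locked" if st.failures >= MAX_FAILURES else "timeout"
        if password_ok:
            st.failures, st.not_before = 0, 0.0
            return True, "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.not_before = now + LOCK_SECONDS  # lock out after repeated failures
            return False, "locked"
        # time-out doubles after each consecutive failure: 2s, 4s, 8s, 16s
        st.not_before = now + BASE_DELAY * 2 ** (st.failures - 1)
        return False, "bad_password"

    def distributed_targets(self, min_sources=3):
        """Accounts probed from many distinct sources; this has to be detected
        per account, because each source stays under any per-IP limit."""
        return sorted(u for u, st in self.accounts.items()
                      if len(st.sources) >= min_sources)


if __name__ == "__main__":
    # Constructed sample: one account probed from three rotating addresses.
    t = LoginThrottle()
    for ip, ok, now in [("198.51.100.7", False, 0.0), ("198.51.100.8", False, 3.0),
                        ("198.51.100.9", True, 5.0), ("198.51.100.9", True, 8.0)]:
        print(ip, t.attempt("svc-mail", ip, ok, now))
    print("distributed:", t.distributed_targets())
```

Note that the third attempt in the sample is rejected even though the password is correct, because the time-out is enforced per account before the password is checked.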
GRU Unit 26165
This is not the first time GRU Unit 26165 has been highlighted in a government bulletin or advisory. Indeed, the window of activity, mid-2019 through early 2021, might lead some to believe these activities by GRU Unit 26165 are new, but nothing could be further from the truth.
The GRU and its robust offensive cyber capabilities have been engaged in cyber attacks and penetrations for many years. Examples include the 2016 US elections, the 2014 Winter Olympics in Sochi, and the 2020 advisory for “Malware: Drovorub.”
U.S. election: Almost exactly three years ago, the US Department of Justice announced the grand jury indictment of 12 Russian intelligence officers for offenses related to the 2016 election—hacking the Democratic National Committee, the presidential campaign of Hillary Clinton and the Democratic Congressional Campaign Committee. The entity then went on to publish portions of the stolen content via a fictitious Romanian persona, Guccifer 2.0.
Winter Olympics: In October 2018, a separate grand jury issued an indictment of seven Russian intelligence officers concerning Russia’s state-sponsored athlete doping program.
The indictment notes how, from 2014 through 2018, GRU Unit 26165 played a key part in Russia’s efforts to adjust the narrative, and that Unit 26165 “conducted persistent and sophisticated computer intrusions affecting US persons, corporate entities, international organisations and their respective employees.”
Drovorub: In August 2020, the NSA and FBI issued a bulletin concerning Unit 26165’s deployment of malware called Drovorub, which targeted Linux systems as part of a cyber espionage activity.
CISOs, use this guidance with your C-suite
CISOs should recognise that this guidance is neither new nor difficult to implement. The recommendations could be pulled from network security 101. This does not diminish the importance of the joint guidance. Rather, it serves to highlight the current state of play. The multiple agencies are publicly sharing their guidance.
The fact is, adversaries continue to be successful because information security implementation, maintenance, and governance are uneven and, within some entities, poorly implemented.
That said, CISOs should use this guidance with the C-suite as a demonstrable tool to garner resources for information security teams and to overcome resistance to funding information security. We must engage in defensive actions that make it too costly or difficult for the adversary to succeed, and have a plan in place to mitigate those instances when the adversary does succeed.
GRU Unit 26165 isn’t going to pack up shop; they are in it for the long haul. What they can be expected to do is change their tactics. Their targeting, however, won’t change: you are the target.