US and UK authorities have declared that a known advanced threat actor, APT28, also referred to as Fancy Bear or Strontium, has been tied to a range of brute-force password spraying attacks against hundreds of government and private sector targets worldwide, including European governments and military. The joint alert was issued last Thursday by the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the FBI, and the UK’s National Cyber Security Centre. The advisory attributes the campaign to the APT group, which has suspected ties to the General Staff Main Intelligence Directorate (GRU) within Russia’s military intelligence. The attacks began as early as mid-2019 and have continued through 2021, according to the advisory. The statement also asserts that the campaign is likely ongoing.
According to the intelligence agencies, once the threat actors obtain valid credentials, they use them for initial access, persistence, privilege escalation, defense evasion, and other malicious activities. According to the advisory, the actors are combining the passwords with exploits of publicly known vulnerabilities, such as one found in the control panel of Microsoft’s Exchange Server. After gaining initial remote access, the group deploys a slew of tactics designed to move laterally, evade defenses, and uncover more information.
Read More: Widespread Brute-Force Attacks Tied to Russia’s APT28