American intelligence and law enforcement agencies have pointed the finger at a Kremlin-backed hacking crew for a two-year campaign to break into Microsoft Office 365 accounts.
The NSA, FBI and DHS, in a joint report with U.K. intelligence, placed the blame for the widespread “brute force” attacks on Fancy Bear, a group best known for its breach of the Democratic National Committee in the lead-up to the 2016 presidential election. In brute force attacks, attackers make repeated attempts to guess the usernames and passwords of email and cloud accounts.
The agencies claimed Fancy Bear was really the 85th Main Special Service Center (GTsSS), a unit within the Russian General Staff Main Intelligence Directorate (GRU), and that it had been carrying out its brute force attempts against multiple sectors, including government and military departments, defense contractors, political parties, energy companies and media organizations. Most targets were based in the U.S. and Europe.
“These efforts are almost certainly still ongoing,” the joint statement read. “This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.”
Rob Joyce, the NSA’s director of cybersecurity, added: “This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale.”
Neither Microsoft nor the Russian embassy in London had responded to requests for comment at the time of publication.
Fancy Bear employed so-called “password spraying,” where computers try as many login attempts on a given system as quickly as possible. The computers would route their traffic through virtual private networks or the Tor network, both of which hide the original IP address of a system by sending its traffic through a variety of servers. The attackers ran this activity using Kubernetes, an open-source technology originally developed by Silicon Valley tech giant Google for automating computer operations, according to the U.S. report.
The government is recommending that users of Microsoft 365 and other targeted cloud products use multi-factor authentication, in which a one-time code is required alongside the username and password to get into an account. It is also suggesting that when repeated attempts to get into an account fail, the account should either be locked out or put on a delay before another attempt is allowed.
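As an added illustration of the two defensive measures above, and not code from the report or any agency: a Python sketch that flags the spray pattern (one source failing against many distinct accounts in a short window) in constructed sign-in log lines, and a per-account throttle that escalates the delay after repeated failures. The log format, addresses and accounts are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): timestamp user source_ip result
SAMPLE_LOG = """\
2021-07-01T10:00:01 alice@example.org 203.0.113.10 FAIL
2021-07-01T10:00:02 bob@example.org 203.0.113.10 FAIL
2021-07-01T10:00:03 carol@example.org 203.0.113.10 FAIL
2021-07-01T10:00:04 dave@example.org 203.0.113.10 FAIL
2021-07-01T10:05:00 alice@example.org 198.51.100.7 FAIL
2021-07-01T10:05:30 alice@example.org 198.51.100.7 SUCCESS
"""

def parse(log):
    """One (timestamp, user, ip, result) tuple per log line, sorted by time."""
    rows = (line.split() for line in log.splitlines())
    return sorted((datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in rows)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag source IPs that failed against >= min_accounts distinct accounts inside
    one window: many accounts, few tries each, which per-account counters miss."""
    fails = defaultdict(list)  # ip -> [(ts, user), ...] in time order
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = set()
    for ip, attempts in fails.items():
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

class LockoutPolicy:
    """Per-account throttle: after `threshold` failures, each further failure
    doubles the delay before another attempt on that account is accepted."""
    def __init__(self, threshold=3, base_delay=timedelta(seconds=30)):
        self.threshold, self.base = threshold, base_delay
        self.failures, self.blocked_until = defaultdict(int), {}
    def allowed(self, user, now):
        return now >= self.blocked_until.get(user, now)
    def record(self, user, now, success):
        if success:  # a good login clears the counter and any pending block
            self.failures[user] = 0
            self.blocked_until.pop(user, None)
            return
        self.failures[user] += 1
        excess = self.failures[user] - self.threshold
        if excess >= 0:
            self.blocked_until[user] = now + self.base * 2 ** excess
```

In a real deployment the spray check would run over sign-in logs exported from the identity provider, and the throttle would sit in the authentication path with MFA in front of it.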
The accusations come on the heels of President Biden’s meeting with Vladimir Putin, in which the U.S. leader called on his Russian counterpart to help America stem the flow of devastating cyberattacks hitting organizations across the globe. Most notably, thefts of U.S. government agency emails via a breach of IT supplier SolarWinds, and the ransomware attacks on gas giant Colonial Pipeline and beef supplier JBS, have caused alarm in recent months.
John Hultquist, vice president of intelligence analysis at cybersecurity company FireEye, said that the latest attacks appear to be an example of Fancy Bear’s “classic military intel mission that is their main focus.”
“Their bread and butter is the good old fashioned spy vs. spy activity that’s been carried over into the cyber arena,” Hultquist added. He raised concerns about the potential for the group to target the upcoming Olympic Games in Japan, as Russia had previously been linked to attacks on the 2018 Winter Olympics in South Korea.
As for why U.S. intelligence is now calling out Russia, Hultquist, a former intel analyst, said he believed the government was “trying to be consistent in keeping the heat up on these guys. Part of their approach is to add friction to their activities.
“Like a lot of these approaches, it’s imperfect but it’s something that we can do to slow them down.”