US, UK sounding alarm about large-scale brute-force attacks against orgs and businesses in the US and Europe

Security agencies in the United States and the United Kingdom are warning about an ongoing large-scale campaign involving brute-force attacks aimed at government entities and private companies worldwide.

In a joint report, the NSA, CISA, FBI and the UK’s National Cyber Security Centre (NCSC) said the Russia-linked APT28 (aka Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team) is behind the campaign, which has been ongoing since at least 2019.

According to the agencies, the hackers targeted hundreds of organizations, primarily in the US and Europe, using brute-force access to breach government and private-sector victim networks. Targeted organizations include government and military bodies, political consultants and parties, defense contractors, energy firms, logistics companies, think tanks, universities, law firms and media companies.

“Malicious cyber actors use brute force techniques to discover valid credentials often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing with variations of the most common passwords,” the agencies said.

The APT28 group mainly targeted organizations using Microsoft Office 365 cloud services, along with targets using other service providers and on-premises email servers.
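The pattern the agencies describe, many login attempts either against one account or spread thinly across many accounts, is visible to defenders in cloud sign-in logs. The following is an added detection example, not code from the advisory or any vendor; the event fields (`ts`, `user`, `src_ip`, `result`) and the sample records are constructed for illustration, and it groups failures by source address so that a Tor exit or VPN egress used for many attempts shows up as a single actor.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed field names, not from the advisory):
# one source spraying a dozen accounts once each, one source hammering a single
# account every minute, and one ordinary user who mistypes a password once.
SAMPLE_EVENTS = [
    {"ts": "2021-07-01T10:00:00Z", "user": f"user{i}@example.com",
     "src_ip": "203.0.113.5", "result": "failure"} for i in range(1, 13)
] + [
    {"ts": f"2021-07-01T10:{m:02d}:00Z", "user": "admin@example.com",
     "src_ip": "198.51.100.7", "result": "failure"} for m in range(0, 25)
] + [
    {"ts": "2021-07-01T10:05:00Z", "user": "alice@example.com",
     "src_ip": "192.0.2.9", "result": "failure"},
    {"ts": "2021-07-01T10:06:00Z", "user": "alice@example.com",
     "src_ip": "192.0.2.9", "result": "success"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(events, window=timedelta(minutes=30),
                       spray_accounts=10, single_account_attempts=20):
    """Return (src_ip, kind, count) findings from sign-in events.

    kind is "spray" when one source fails against at least `spray_accounts`
    distinct accounts inside `window`, and "brute_force" when one source fails
    at least `single_account_attempts` times against the same account inside
    `window`. The count is the value at which the threshold was first crossed.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src_ip"]].append((_parse(e["ts"]), e["user"]))
    findings = []
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {u for _, u in in_window}
            if len(users) >= spray_accounts:
                findings.append((src, "spray", len(users)))
                break
            per_user = max(sum(1 for _, u in in_window if u == x) for x in users)
            if per_user >= single_account_attempts:
                findings.append((src, "brute_force", per_user))
                break
    return findings
```

Thresholds are deliberately parameters: a spray from a large VPN provider's shared egress can look like legitimate traffic from many users, so tune them against your own baseline and correlate with the source-address indicators the report provides.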

The brute-force attacks have been combined with exploitation of known vulnerabilities in Microsoft Exchange Server (CVE-2020-0688 and CVE-2020-17144) to gain remote access and move further into target networks.

To conceal their activities, the cyberespionage group routed its attacks through the Tor network and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

The report also provides indicators of compromise (IoCs) related to the brute-force attacks conducted by APT28, as well as YARA rules and mitigations.
