Russian hackers are trying to brute-force hundreds of networks

After the revelation of Russia's SolarWinds spying operation, the spotlight fell on the sophisticated supply chain hijacking techniques used by foreign intelligence hackers. It is now clear that another group of Kremlin hackers was operating throughout the SolarWinds campaign and its aftermath, using basic but effective techniques to break into virtually any network they could find in the US or on the global Internet.

The NSA, the FBI, DHS's Cybersecurity and Infrastructure Security Agency and the UK's National Cyber Security Centre issued a joint advisory on Thursday warning of hundreds of attempted brute-force intrusions across the globe. All were carried out by Unit 26165 of Russia's military intelligence agency, the GRU, also known as Fancy Bear and APT28. The campaign targeted organizations including government agencies and military contractors, political parties, consultancies, logistics companies, energy companies, universities, law firms and media companies, which means that virtually every industry on the Internet is affected.

These targets were attacked using relatively simple techniques, chiefly guessing usernames and passwords en masse to gain access. The cybersecurity agencies warn that Fancy Bear has nonetheless managed to breach multiple entities and steal emails from them. In a statement attached to the advisory, Rob Joyce, the director of cybersecurity at the NSA, wrote, "This long brute force campaign in order to collect and exfiltrate information, access credentials, and more is likely ongoing, and on a worldwide scale."

More than the spies of the SVR intelligence agency, the GRU's Unit 26165 has a history of disruptive hacking. Fancy Bear was responsible for hack-and-leak attacks on targets ranging from the Democratic National Committee and the Clinton campaign in 2016 to the International Olympic Committee and the World Anti-Doping Agency. John Hultquist, vice president at the security firm Mandiant and a long-time GRU tracker, sees no evidence that the motives behind the latest campaign go beyond traditional espionage.

Hultquist says these intrusions don't necessarily prefigure the kind of shenanigans usually associated with the GRU, but that doesn't mean the campaign isn't important. He views the joint advisory, which names IP addresses and malware used on the hackers' machines, as an attempt to add "friction" to an ongoing intrusion operation, and as a reminder that the GRU is still actively performing this kind of activity. The advisory appears to focus on classic espionage targets such as policymakers, diplomats and the defense industry.

The campaign also includes energy sector targets. That is especially concerning given that Sandworm, another GRU hacking team, was responsible for triggering actual blackouts in Ukraine in 2015 and 2016. In early 2020, the Department of Energy warned that hackers had attacked a US "energy entity" in the days before Christmas 2019; that advisory contained IP addresses that were later linked to GRU Unit 26165, as WIRED first reported last year. Hultquist says, "I'm always worried when I see GRU within the energy space." Still, he believes simple espionage is the motive: "It's important to keep in mind that Russia is a petro-state. They are very interested in the energy sector. This will be part of their intelligence gathering requirements."

Joe Slowik, who heads intelligence at the security firm Gigamon and first noticed the link between the Department of Energy alerts and the GRU, believes the GRU's brute-force hacking may be more opportunistic than targeted. He suggests the team may simply be trying to gain access to every network it can before passing that access on to other Kremlin hackers for espionage or disruption. Slowik says they are given the task of "go forth and obtain points of access in organizations interested." Depending on what access they find, they either keep it for themselves or hand it to others who can carry out more involved intrusions.

Slowik states that the breadth of this "scattershot" campaign shows how the GRU may be scaling up its access attempts. According to the advisory, the hackers used Kubernetes, a container orchestration and automation tool, which appears to be a new technique for spinning up machines faster for their intrusion attempts. Because the techniques are simple ones used by both state-sponsored and cybercriminal hackers, Slowik says, the GRU's activity remains somewhat "deniable": without the government advisory linking it to the GRU, network operators would not have been able to tell these probes apart from other hacking attempts.

The latest news about Russian hacking may look like a rebuff to US diplomatic efforts, coming after the meeting between US president Joe Biden and Russian president Vladimir Putin, a summit held partly to ease tensions over Russia's SolarWinds spying campaign. Biden had already identified 16 areas of US critical infrastructure, including the energy sector, as off limits to any hacking operation. It is not clear whether the GRU's mass brute-force campaign succeeded in piercing such sensitive infrastructure targets, or whether any of the intrusions were launched after the summit. Regardless, Hultquist argues that no meeting between Biden and Putin, and no diplomatic measure, will ever stop the endless cat-and-mouse game of espionage.

Hultquist states that there is nothing we can do to make Moscow stop spying. It is not possible. We will continue to live in a world in which the Russians collect intelligence, and that will always include cyber capabilities.

This story originally appeared on wired.com.