It is distinct from other Russian operations in cyberspace such as the SolarWinds campaign, which was instead carried out by Russia’s foreign intelligence service, the SVR, and relied on malicious code secretly embedded in trusted software rather than direct attacks on user passwords.
This campaign, which involved attempts to break the passwords of people affiliated with major organizations worldwide, began in mid-2019. While aspects of it have been publicly reported, the US government is attributing it to Russia’s military intelligence agency, the GRU, for the first time this week.
The advisory released Thursday does not specify how often these attacks were successful, but it does say that the actors “have used” identified account credentials in conjunction with known vulnerabilities.
“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” according to John Hultquist, VP of Analysis, Mandiant Threat Intelligence. “Despite our best efforts we are very unlikely to ever stop Moscow from spying.”
One high-profile example of the campaign was disclosed last September, when Microsoft said it had detected attacks on passwords belonging to tens of thousands of accounts at some 200 organizations, many of which were involved in US and UK elections. At the time, Microsoft warned that the attacks represented a potential election security threat ahead of the 2020 elections.
A former US official told CNN the wider campaign identified by Thursday’s advisory was not tied to elections.
By repeatedly trying password combinations until they achieved access, Russian agents sought to gain control of accounts at victim organizations, Thursday’s advisory said. The attackers also tried to hide the source of their attacks by launching them from behind virtual private networks and by routing them through traffic-anonymizing services such as Tor, the advisory said.
Once the attackers gained access to a victim network, they sought to exploit other publicly known software flaws to take over accounts with elevated privileges on the network and to steal email and other data, according to the advisory.
The Russian campaign likely continues to this day, said Rob Joyce, NSA’s director of cybersecurity.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” he said.
To protect their networks, the advisory said, organizations should require strong passwords, use multi-factor authentication and block all incoming internet traffic from Tor and commercial VPN services.
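The two patterns the advisory describes, repeated password guesses against accounts at a victim organization (often from Tor exits or VPN egress addresses) followed by use of any credential that works, are visible in ordinary authentication logs if you look for the right shape. The detector below is an added example written for this article; it is not code from the advisory, the NSA, or CNN. The log format, the alert thresholds, the `ANONYMIZER_IPS` denylist and every address and username in `SAMPLE_LOG` are constructed assumptions for illustration, chosen to show one source spraying five accounts and then logging in, one source hammering a single account, and one ordinary user mistyping a password once.

```python
"""Detect password spraying and brute forcing in auth logs.

Added example (assumed log format, thresholds and sample data); not from
the advisory or any vendor. Lines look like:
    2021-06-30T08:00:01Z FAIL user=alice src=198.51.100.7
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

# Hypothetical Tor-exit / commercial-VPN addresses. A real deployment would
# load the Tor Project's exit list and VPN provider ranges here instead.
ANONYMIZER_IPS = {"198.51.100.7"}

# Constructed sample log (documentation-range addresses, invented users).
SAMPLE_LOG = """\
2021-06-30T08:00:01Z FAIL user=alice src=198.51.100.7
2021-06-30T08:00:03Z FAIL user=bob src=198.51.100.7
2021-06-30T08:00:05Z FAIL user=carol src=198.51.100.7
2021-06-30T08:00:07Z FAIL user=dave src=198.51.100.7
2021-06-30T08:00:09Z FAIL user=erin src=198.51.100.7
2021-06-30T08:00:11Z OK user=frank src=198.51.100.7
2021-06-30T08:05:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:06:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:07:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:08:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:09:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:10:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:11:00Z FAIL user=alice src=203.0.113.9
2021-06-30T08:12:00Z FAIL user=alice src=203.0.113.9
2021-06-30T09:30:00Z FAIL user=alice src=192.0.2.44
2021-06-30T09:31:00Z OK user=alice src=192.0.2.44
2021-06-30T09:40:00Z OK user=bob src=192.0.2.50
this line is not an auth event and is skipped
"""


def parse(log_text):
    """Return time-sorted (timestamp, ok, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=30), spray_users=5, brute_fails=8):
    """Return one alert dict per offending source.

    spray:       one source fails against >= spray_users distinct accounts inside `window`
                 (few guesses per account, many accounts: the low-and-slow pattern).
    brute_force: one source fails >= brute_fails times against a single account inside `window`.
    Each alert records whether the same source later logged in successfully (a guessed
    credential being used) and whether it came from a known anonymizer address.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e[1]]          # time-sorted, from parse()
        successes = [e[0] for e in evs if e[1]]
        alert = None
        lo = 0
        for hi in range(len(fails)):                  # sliding window over failures
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            win = fails[lo:hi + 1]
            users = {e[2] for e in win}
            if len(users) >= spray_users:
                alert = {"type": "spray", "src": src, "first_seen": win[0][0],
                         "accounts": len({e[2] for e in fails})}   # distinct accounts overall
                break
            per_user = defaultdict(int)
            for e in win:
                per_user[e[2]] += 1
            user, n = max(per_user.items(), key=lambda kv: kv[1])
            if n >= brute_fails:
                alert = {"type": "brute_force", "src": src, "first_seen": win[0][0],
                         "accounts": 1, "user": user}
                break
        if alert is None:
            continue
        alert["success_after"] = any(t >= alert["first_seen"] for t in successes)
        alert["anonymizer"] = src in ANONYMIZER_IPS
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample data this raises a `spray` alert for 198.51.100.7 with `success_after` and `anonymizer` both true, a `brute_force` alert for 203.0.113.9 against `alice`, and nothing for the two benign sources. The thresholds are deliberately simple; a campaign spread over weeks and across many exit addresses, as the advisory describes, will stay under a 30-minute window, so in practice the same logic is run with a much longer window and keyed on the source network or ASN rather than a single IP, and a success following any spray alert is treated as a likely compromise rather than a lockout nuisance.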