US, UK accuse Russian military hackers of battering-ram password attacks against hundreds of targets

The targets of Fancy Bear's brute force attacks include both government agencies and the private sector, the advisory alleges.

For two years, Russian military hackers have been bombarding hundreds of targets worldwide with passwords to gain access to their networks, making use of a popular open-source tool for managing application workloads, U.S. and U.K. agencies warned in an advisory Thursday.

The Russian agency deploys a Kubernetes cluster — a set of worker machines — to conduct its brute force “password spray” attacks, which guess commonly used passwords to get into target networks, according to the advisory from the National Security Agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the U.K.’s National Cyber Security Centre.

It’s the alleged handiwork of Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165. The hackers, often described as Fancy Bear or APT28, have been blamed for a number of high-profile intrusions, most prominently for interference in the 2016 U.S. presidential election.

The battering-ram password attacks began as early as mid-2019 and are likely continuing, the agencies assert, with the intent of collecting and stealing data. Targets include government and military organizations, political consultants and party organizations, defense contractors, energy companies, logistics companies, think tanks, higher education institutions, law firms and media companies.


The advisory provides additional insights into a group of hackers whose effectiveness owes less to subtlety or sophistication than to crude aggression. It also expands on accusations of brute-force methods the attackers allegedly used last year to breach the Norwegian parliament and break into an unnamed U.S. federal agency.

“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” said Rob Joyce, NSA’s director of cybersecurity. “Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”

The Russians direct most of their attacks at organizations using Microsoft Office 365 cloud services, the advisory says. They sometimes combine the use of identified account credentials with known vulnerabilities for remote access, which they then use to move around in systems, evade defenses and siphon up more data.

To hide its activity, the Kubernetes cluster usually routes brute force attempts through the Tor anonymity software and commercial virtual private network services, the advisory reads.

The alert is part of a series of NSA, CISA and FBI warnings aimed at helping would-be victims, but also at signaling to Russia that the U.S. is capable of detecting its hackers’ work. Russia has issued blanket denials of U.S. allegations of malicious activity in cyberspace.
