
Russia-based APT28 Linked to Mass Brute-force Attacks Against Cloud Networks

Federal agencies of the U.S. and the U.K. have warned about a series of brute-force attacks led by the Russia-linked APT28 cybercriminal gang, which has multiple identities such as Fancy Bear, Sednit, Tsar Team and STRONTIUM.


State-sponsored actors from Russia have a long history of cyberattacks across the world. There are numerous cyberespionage campaigns linked to Russian hackers. Recently, the federal agencies of the U.S. and the U.K. warned about a series of brute-force attacks led by the Russia-linked APT28 cybercriminal gang.

In a joint report, the agencies stated that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, leveraged a Kubernetes cluster to perform a set of brute-force attacks against hundreds of private and public entities across the globe from mid-2019 to early 2021. APT28 is reportedly attributed to GTsSS and has multiple identities, including Fancy Bear, Sednit, Tsar Team and STRONTIUM.

Exploiting Microsoft Services

The threat actors launched brute-force attempts against organizations using Microsoft Office 365 cloud services. In a brute-force attack, attackers try to guess usernames and passwords to gain unauthorized access to a targeted source by the trial-and-error method. The attack allows hackers to obtain access to users’ private data, including email account credentials, which actors use for multiple purposes such as initial access, persistence, privilege escalation, and defense evasion.

APT28 threat actors reportedly exploited publicly known vulnerabilities – CVE-2020-0688 and CVE-2020-17144 – in Microsoft Exchange servers for remote code execution and to get privileged access to targeted networks. To hide their criminal activities, they used the TOR platform and VPN services like IPVanish, CactusVPN, WorldVPN, NordVPN, ProtonVPN, and Surfshark.

Sectors Targeted

  • Government and Military services
  • Political and party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media firms

“This campaign has already targeted hundreds of U.S. and foreign organizations worldwide, including U.S. government and Department of Defense entities. While the sum of the targeting is global in nature, the capability has predominantly focused on entities in the U.S. and Europe,” the report said. 

Mitigating Brute-force Attacks

Security admins can boost the security posture of their organization by following certain basic measures. These include:

  • Adopting two-factor or multi-factor authentication
  • Using strong passwords that include numbers, symbols, and both uppercase and lowercase letters
  • Changing all default credentials
  • Implementing a Zero Trust security model to detect anonymous intrusions
  • Restricting access to authentication URLs
  • Enabling the CAPTCHA feature for authentication
  • Enabling the account lockout option after multiple wrong login attempts
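
The account lockout measure in the list above, sketched as an added example (not code from this article or from the agencies' report): failures are counted per account rather than per source address, because the article notes the actors routed traffic through TOR and commercial VPN services. The thresholds, the `LockoutTracker` name and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the article): 5 failures in 10 minutes, 15 minute lock.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCK_FOR = timedelta(minutes=15)

class LockoutTracker:
    """Counts failed logins per account; the source IP is deliberately ignored."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Process one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"  # rejected even when the password is correct
        if success:
            self.failures.pop(account, None)  # a good login resets the counter
            return "ok"
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_FOR
            q.clear()
        return "failed"

# Constructed sample events: (seconds offset, account, source IP, password correct?)
# Five failures for one account, each from a different documentation-range address.
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE = [(i * 30, "alice@example.com", f"203.0.113.{i + 1}", False) for i in range(5)]
SAMPLE += [(160, "alice@example.com", "203.0.113.50", True),
           (170, "bob@example.com", "198.51.100.7", False)]

def replay(events):
    """Feed events through a fresh tracker and return the decision for each one."""
    tracker = LockoutTracker()
    return [tracker.record(acct, ok, T0 + timedelta(seconds=s)) for s, acct, _ip, ok in events]
```

Because the counter is keyed on the account alone, anyone able to submit logins can lock a user out, which is why the lock here expires on its own after a bounded time.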