NSA Says Russia Used 'Brute Force' Methods to Guess Passwords, Gain Access to Gov. Agencies

Intelligence agencies in the U.S. and Britain released findings on Thursday detailing how Russian operatives used "brute force" to gain entry into government cloud services used by hundreds of agencies, energy companies and other organizations.

The U.S. National Security Agency (NSA) released an advisory saying that the attacks were linked to the GRU, the Russian military intelligence agency, which has also been tied to major international cyberattacks and attempts to compromise the 2016 and 2020 U.S. elections.

The attacks involve automated "spraying" of sites with potential passwords until hackers get inside. The NSA advisory said companies should implement common-sense cyberhygiene methods like multifactor authentication and strong passwords.

Hacking methods used by Russian intelligence were disclosed by the U.S. National Security Agency on Thursday. Above, Russian President Vladimir Putin attends his annual live call-in show on Thursday in Moscow. Sergei Savostyanov, Sputnik, Kremlin Pool Photo/via AP

For more reporting from the Associated Press, see below:

Issued during a devastating wave of ransomware attacks on governments and key infrastructure, the advisory does not disclose specific targets of the campaign or its presumed purpose, saying only that hackers have targeted hundreds of organizations worldwide. In a statement, NSA Cybersecurity Director Rob Joyce said the campaign was "likely ongoing, on a global scale."

The NSA says GRU-linked operatives have tried to break into networks using Kubernetes, an open-source tool originally developed by Google to manage cloud services, from at least mid-2019 through early this year. While a "significant amount" of the attempted break-ins targeted organizations using Microsoft's Office 365 cloud services, the hackers went after other cloud providers and email servers as well, the NSA said.

The U.S. has long accused Russia of using and tolerating cyberattacks for espionage, the spread of disinformation, and the disruption of governments and key infrastructure. The Russian Embassy in Washington did not immediately respond to a request for comment Thursday.

Joe Slowik, a threat analyst at the network-monitoring firm Gigamon, said the activity described by NSA on Thursday shows the GRU has further streamlined an already popular technique for breaking into networks. He said it appears to overlap with Department of Energy reporting on brute-force intrusion attempts in late 2019 and early 2020 targeting the U.S. energy and government sectors and is something the U.S. government has apparently been aware of for some time.

Slowik said the use of Kubernetes "is certainly a bit unique, although on its own it doesn't appear worrying." He said the brute-force method and lateral movement inside networks described by NSA are common among state-backed hackers and criminal ransomware gangs, allowing the GRU to blend in with other actors.

The FBI and the Cybersecurity and Infrastructure Security Agency joined the advisory, as did the British National Cyber Security Centre.

The GRU has been repeatedly linked by U.S. officials in recent years to a series of hacking incidents. In 2018, special counsel Robert Mueller's office charged 12 military intelligence officers with hacking Democratic emails that were then released by WikiLeaks in an effort to harm Hillary Clinton's presidential campaign and boost Donald Trump's bid.

More recently, the Justice Department announced charges last fall against GRU officers in cyberattacks that targeted a French presidential election, the Winter Olympics in South Korea and American businesses.

Unlike Russia's foreign intelligence agency SVR, which is blamed for the SolarWinds hacking campaign and is careful not to be detected in its cyber ops, the GRU has carried out the most damaging cyberattacks on record, including two on Ukraine's power grid and the 2017 NotPetya virus that caused more than $10 billion in damage globally.

GRU operatives have also been involved in the spread of disinformation related to the coronavirus pandemic, U.S. officials have alleged. And an American intelligence assessment in March says the GRU tried to monitor people in U.S. politics in 2019 and 2020 and staged a phishing campaign against subsidiaries of the Ukrainian energy company Burisma, likely to gather information damaging to President Joe Biden, whose son had earlier served on the board.

The Biden administration in April sanctioned Russia after linking it to election interference and the SolarWinds breach.

Russian President Vladimir Putin attends a session of the 8th Forum of Regions of Belarus and Russia via video link at the Kremlin on July 1. ALEXEY NIKOLSKY/Sputnik/AFP/Getty Images