The massive effort has also targeted political parties, government offices, defense contractors, energy companies, think tanks, law firms, the media and academia, officials said.

The password-cracking campaign, which officials say is almost certainly still ongoing, is part of a larger Russian GRU effort to collect information from a wide range of sensitive targets, according to a joint advisory from the National Security Agency, the FBI, the Department of Homeland Security and the United Kingdom's GCHQ.

It differs from other Russian operations in cyberspace such as the SolarWinds campaign, which was instead carried out by the Russian foreign intelligence service, the SVR, and relied on malicious code secretly embedded in trusted software rather than on direct attacks against user passwords.

This campaign, which involved attempts to crack the passwords of people affiliated with large organizations around the world, began in mid-2019. Although aspects of it had already been made public, the US government attributed it to the Russian military intelligence agency, the GRU, for the first time this week.

The advisory released Thursday does not specify how often these attacks were successful, but it does indicate that the actors used the captured account credentials in conjunction with known vulnerabilities.

“The bread and butter of this group is the routine collection against policymakers, diplomats, the military and the defense industry, and these types of incidents do not necessarily presage operations such as hack-and-leak campaigns,” according to John Hultquist, vice president of analysis at Mandiant Threat Intelligence. “Despite our best efforts, it is highly unlikely that we will ever stop Moscow from spying.”

A high-profile example of the campaign surfaced last September, when Microsoft said it had detected attacks on passwords belonging to tens of thousands of accounts in some 200 organizations, many of which were involved in the US and UK elections. At the time, Microsoft warned that the attacks posed a potential threat to electoral security ahead of the 2020 election.

A former U.S. official told CNN that the broader campaign identified by Thursday’s notice was unrelated to the election.

By repeatedly trying password combinations until they gained access, Russian agents sought to take control of accounts belonging to victim organizations, according to Thursday’s advisory. The attackers also attempted to hide the source of their attacks by launching them from behind virtual private networks and routing them through traffic-anonymization services such as Tor, the advisory said.

Once the attackers gained access to a victim’s network, they sought to use other publicly known software flaws to breach accounts with broad network permissions and to steal email and other data, according to the advisory.

The Russian campaign likely continues to this day, said Rob Joyce, NSA cybersecurity director.

“This long campaign of brute force to collect and exfiltrate data, access credentials and more, is probably underway, on a global scale,” he said.

To protect their networks, the advisory says, organizations should require strong passwords, use multi-factor authentication, and block all inbound internet traffic from Tor and commercial VPN services.
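Detection logic for the pattern the advisory describes, as an added example that is not part of the article or the advisory: it scans constructed sign-in log lines, separates password spraying (many accounts tried from one source) from brute force against a single account, reports accounts that succeeded after failures from the same source, and checks each source against a hypothetical Tor/VPN blocklist standing in for the inbound-block rule above. The log format and the blocklist range are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample auth log lines (not from the advisory); the format is assumed.
SAMPLE_LOG = """\
2021-06-30T01:00:01Z FAIL user=alice src=203.0.113.10
2021-06-30T01:00:02Z FAIL user=bob src=203.0.113.10
2021-06-30T01:00:03Z FAIL user=carol src=203.0.113.10
2021-06-30T01:00:04Z FAIL user=dave src=203.0.113.10
2021-06-30T01:00:05Z FAIL user=erin src=203.0.113.10
2021-06-30T01:00:06Z OK   user=erin src=203.0.113.10
2021-06-30T01:06:00Z FAIL user=bob src=192.0.2.55
2021-06-30T01:06:01Z FAIL user=bob src=192.0.2.55
2021-06-30T01:06:02Z FAIL user=bob src=192.0.2.55
2021-06-30T01:06:03Z FAIL user=bob src=192.0.2.55
"""
LINE_RE = re.compile(r"^\S+ (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")
# Hypothetical blocklist standing in for Tor exit and commercial VPN ranges (TEST-NET-3 here).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events

def summarize(events):
    """Per source IP: failure count, accounts tried, and accounts that later succeeded."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "hits": set()})
    for result, user, src in events:
        s = stats[src]
        if result == "FAIL":
            s["fails"] += 1
            s["users"].add(user)
        elif user in s["users"]:  # success following failures from the same source
            s["hits"].add(user)
    return stats

def classify(stats, min_fails=4, spray_users=3):
    """Flag noisy sources: many accounts = spraying, one account hammered = brute force."""
    findings = {}
    for src, s in stats.items():
        if s["fails"] < min_fails:
            continue
        kind = "spray" if len(s["users"]) >= spray_users else "brute"
        blocked = any(ipaddress.ip_address(src) in net for net in BLOCKED_NETS)
        findings[src] = {"kind": kind, "from_blocked_net": blocked, "compromised": sorted(s["hits"])}
    return findings
```

Sources that are flagged and also appear in the blocklist are the cases the advisory's inbound-block recommendation would have stopped before the first attempt.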