Russian Military Attacking US Organizations Using Kubernetes Clusters
Posted by: GuidePoint Security
Published: July 8, 2021, 11:54am
Last week the National Security Agency (NSA), CISA, the FBI, and the UK's National Cyber Security Centre (NCSC) issued a joint advisory warning that US and foreign organizations were under direct attack by the Russian Main Directorate of the General Staff of the Armed Forces of the Russian Federation (known as the GU or GRU). The advisory states that the Russian 85th Main Special Service Center (GTsSS), military unit 26165, has since at least mid-2019 been using a Kubernetes cluster to run brute-force password-guessing campaigns against hundreds of US and foreign businesses and organizations, including government entities.
The campaign starts with brute-force password guessing (password spraying) against cloud services such as Microsoft 365. Once a guessed credential works, the actors use known vulnerabilities on internal systems to move further into the network, steal additional credentials and files, and deploy the reGeorg web shell for persistent access. With those credentials in hand they exfiltrate email mailboxes and other data.
The GTsSS has previously been known by names such as Fancy Bear, APT28, and Strontium.
Next Steps
The advisory strongly recommends that organizations adopt a zero trust security model and require multi-factor authentication, and in addition encourages them to:
- Enable time-out and lock-out features on password authentication so that repeated failures slow or block further guesses
- Use methods such as CAPTCHA to hinder automated brute-force guessing
- Avoid common or easy-to-guess passwords
- Change all default credentials and disable protocols that use weak authentication
- Apply appropriate network segmentation and limit access between segments
- Use automated tools to audit access logs and identify anomalous access requests
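The last item is where most organizations fall short, so here is an added example (not GuidePoint's, the advisory's, or any vendor's tooling) of the check a log-auditing tool should run: a password-spray detector over sign-in events. The log format is an assumption, one event per line as `timestamp,user,source_ip,result`, and the sample lines are constructed. It also goes slightly beyond the post by letting you group failures per source IP or across the whole tenant, because a spray routed through rotating proxies will not show up under any single address.

```python
"""Password-spray detection over sign-in log lines.

Added example; not code from the post or the joint advisory. The line
format "<ISO timestamp>,<user>,<source_ip>,<result>" (result is "success"
or "failure") and the sample events below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

Event = Tuple[datetime, str, str, str]  # (timestamp, user, source_ip, result)

# Constructed sample: one address touches many accounts once each (the
# spray signature), then succeeds against one of them; a second address is
# a single user failing repeatedly (benign typo noise, not a spray).
SAMPLE_LOG = """\
2021-07-01T08:00:01Z,alice@example.com,203.0.113.10,failure
2021-07-01T08:00:03Z,bob@example.com,203.0.113.10,failure
2021-07-01T08:00:05Z,carol@example.com,203.0.113.10,failure
2021-07-01T08:00:07Z,dave@example.com,203.0.113.10,failure
2021-07-01T08:00:09Z,erin@example.com,203.0.113.10,failure
2021-07-01T08:00:11Z,frank@example.com,203.0.113.10,success
2021-07-01T08:01:00Z,grace@example.com,198.51.100.7,failure
2021-07-01T08:01:20Z,grace@example.com,198.51.100.7,failure
2021-07-01T08:01:40Z,grace@example.com,198.51.100.7,failure
2021-07-01T08:02:00Z,grace@example.com,198.51.100.7,success
2021-07-01T09:30:00Z,heidi@example.com,192.0.2.44,success
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV-style format into sorted Event tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user.lower(), ip, result))
    return sorted(events)


def by_source_ip(event: Event) -> str:
    return event[2]


def tenant_wide(event: Event) -> str:
    # Group every failure together: catches sprays spread across proxies
    # at the cost of more noise during e.g. a forced password reset.
    return "tenant"


def find_sprays(events: List[Event],
                group_by: Callable[[Event], str] = by_source_ip,
                window: timedelta = timedelta(minutes=10),
                min_users: int = 5,
                max_per_user: int = 2) -> Dict[str, List[str]]:
    """Return {group: sorted distinct users} for groups whose failures in one
    sliding window hit at least min_users distinct accounts with no account
    tried more than max_per_user times: many accounts, few guesses each.
    A lone user failing repeatedly does not match, by design."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev[3] == "failure":
            failures[group_by(ev)].append((ev[0], ev[1]))
    hits: Dict[str, List[str]] = {}
    for key, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window
                start += 1
            per_user: Dict[str, int] = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[key] = sorted(per_user)
                break
    return hits


def successes_from_sprayers(events: List[Event],
                            sprays: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Highest-priority alert: a successful sign-in from an address that was
    spraying. This is the foothold the advisory says is used for further
    credential theft and data exfiltration."""
    return [(ev[2], ev[1]) for ev in events
            if ev[3] == "success" and ev[2] in sprays]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = find_sprays(evs)
    print("spraying sources:", sprays)
    print("tenant-wide:", find_sprays(evs, group_by=tenant_wide))
    print("likely compromised:", successes_from_sprayers(evs, sprays))
```

Tune `window`, `min_users` and `max_per_user` to your tenant's normal failure rate, and remember that address-keyed grouping alone is weak against actors who rotate through VPN and TOR exits; run the tenant-wide grouping alongside it and treat any success from a spraying source as an incident, not a metric.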