Cyber Espionage Group Adopting Brute-Force Tactics With Kubernetes Clusters

Russian cyber espionage group, APT28, tied to an illegal container-based practice

July 28, 2021, 1:08 p.m.

TL;DR

In early July, the US and UK authorities uncovered a brute-force dark web campaign launched by hackers related to the Russian government. The intelligence authorities have flagged the campaign as illegal global scale activity to steal crucial data.

They also targeted entities hosting on-premises mail servers using various protocols.

Key Facts

1
Data from top US and UK agencies narrow time of launch to mid-2019.
2
They employ commercial and popular VPN applications to maintain normalcy and anonymity.
3
They are adopting simple but effective guessing tactics using Microsoft 365 and other cloud services as channels.
4
They had notable institutions, agencies and organisations on their list of targets.

Details

Down the years since Google launched Kubernetes in 2014, the cloud community, consisting of DevOps, SecOps, AIOps, large, medium, small-scale enterprises, have witnessed the adoption of Kubernetes in varying practices.

Hearing of a large-scale illegal hacking activity connected to a government that is one of the world powers using Kubernetes clusters would take many aback. It would be interesting to see how affected bodies and the world government handle the situation and dish out consequences to guilty parties. This is easily one of the top agendas at the next G7 summit.

The National Security Agency (NSA), Federal Bureau of Intelligence, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.K.’s National Cyber Security Centre (NCSC) posted a joint alert, pegging the illegal cloud campaign on the APT28 with aliases Fancy Bear or Strotium, the group of hackers contracted to the Russian government according to CSA report.

The collective has proof that the group of threat actors began the sweeping activity applying brute-force passwords on container services and on-premise mail servers against myriads of government and private organisations globally.

The joint advisory noted that Russian hackers usually attempted to brute force passwords for organizations using Microsoft Office 365 cloud services and other cloud providers. They also targeted entities hosting on-premises mail servers using various protocols.

Organizations using Microsoft Office 365 and many primary cloud services stayed under the prime radar, exploiting even the lowest vulnerabilities.

The attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities, and more.

It is no surprise that their prime targets are people connected to the higher embers of economy and security - government organizations, defense, and intelligence agencies, military contractors with confidential data, vanities, media outfits, etc. Upon gaining access, these threat actors installed reGeorg web shells to remotely access compromised servers, covering their tracks with valid login credentials.

They took a rather conventional but controversial approach by using open source TOR and VPN services to maintain anonymity.

Negligence or strategy, the agencies reported that the threat actors were operating without compromising their IP addresses between November 2020 and now.

CEO of cybersecurity outfit, Gurucul, Saryu Nayyar, commented on the hot topic, saying:

A growing number of ransomware attacks against infrastructure and critical industries, especially those suspected of state sponsorship and involvement, are prompting calls for an international agreement limiting the use of such ‘cyber warfare’ tactics.

The NSA, however, did not reveal information on the success rates of previous campaigns.