Cyber Espionage Group Adopting Brute-Force Tactics With Kubernetes Clusters

Russian cyber espionage group, APT28, tied to an illegal container-based practice


In early July, the US and UK authorities uncovered a brute-force dark web campaign launched by hackers related to the Russian government. The intelligence authorities have flagged the campaign as illegal global scale activity to steal crucial data.

They also targeted entities hosting on-premises mail servers using various protocols.
They also targeted entities hosting on-premises mail servers using various protocols.
Key Facts
  1. 1

    Data from top US and UK agencies narrow time of launch to mid-2019.

  2. 2

    They employ commercial and popular VPN applications to maintain normalcy and anonymity.

  3. 3

    They are adopting simple but effective guessing tactics using Microsoft 365 and other cloud services as channels.

  4. 4

    They had notable institutions, agencies and organisations on their list of targets.


Down the years since Google launched Kubernetes in 2014, the cloud community, consisting of DevOps, SecOps, AIOps, large, medium, small-scale enterprises, have witnessed the adoption of Kubernetes in varying practices.

Hearing of a large-scale illegal hacking activity connected to a government that is one of the world powers using Kubernetes clusters would take many aback. It would be interesting to see how affected bodies and the world government handle the situation and dish out consequences to guilty parties. This is easily one of the top agendas at the next G7 summit.

The National Security Agency (NSA), Federal Bureau of Intelligence, the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.K.’s National Cyber Security Centre (NCSC) posted a joint alert, pegging the illegal cloud campaign on the APT28 with aliases Fancy Bear or Strotium, the group of hackers contracted to the Russian government according to CSA report.

The collective has proof that the group of threat actors began the sweeping activity applying brute-force passwords on container services and on-premise mail servers against myriads of government and private organisations globally.

The joint advisory noted that Russian hackers usually attempted to brute force passwords for organizations using Microsoft Office 365 cloud services and other cloud providers. They also targeted entities hosting on-premises mail servers using various protocols.

Organizations using Microsoft Office 365 and many primary cloud services stayed under the prime radar, exploiting even the lowest vulnerabilities.

The attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities, and more.

It is no surprise that their prime targets are people connected to the higher embers of economy and security - government organizations, defense, and intelligence agencies, military contractors with confidential data, vanities, media outfits, etc. Upon gaining access, these threat actors installed reGeorg web shells to remotely access compromised servers, covering their tracks with valid login credentials.

They took a rather conventional but controversial approach by using open source TOR and VPN services to maintain anonymity.

Negligence or strategy, the agencies reported that the threat actors were operating without compromising their IP addresses between November 2020 and now.

CEO of cybersecurity outfit, Gurucul, Saryu Nayyar, commented on the hot topic, saying:

A growing number of ransomware attacks against infrastructure and critical industries, especially those suspected of state sponsorship and involvement, are prompting calls for an international agreement limiting the use of such ‘cyber warfare’ tactics.

The NSA, however, did not reveal information on the success rates of previous campaigns.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …

Why Your Business Should Connect Directly To Your Cloud

Today, companies make the most use of cloud technology regardless of their size and sector. …

7 Must-Watch DevSecOps Videos

Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …