Russian military targeted passwords in wide-ranging hacking campaign, US and UK officials say
By Brian Fung and Zachary Cohen, CNN
For months, Russian military hackers have engaged in a campaign to compromise the passwords of people employed in sensitive jobs at hundreds of organizations worldwide including US and European government and military agencies, US and British national security officials said Thursday.
The extensive effort also targeted political parties, government offices, defense contractors, energy companies, think tanks, law firms, media outlets and universities, the officials said.
The password-hacking campaign is part of a broader effort by Russia’s GRU to collect information from a wide range of sensitive targets, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ.
It is distinct from other Russian operations in cyberspace such as the SolarWinds campaign — which was instead carried out by Russia’s foreign intelligence service, the SVR, and relied on malicious code secretly embedded in trusted software rather than direct attacks on user passwords.
The campaign began in mid-2019. Aspects of it have been publicly reported before, but this week is the first time the US government has attributed it to Russia. It involved attempts to break the passwords of people affiliated with major organizations worldwide. The advisory released Thursday does not specify how often these attacks succeeded, but it does say the actors “have used” the credentials they obtained in conjunction with known vulnerabilities.
One high-profile example of the campaign was disclosed last September, when Microsoft said it had detected attacks on passwords belonging to tens of thousands of accounts at some 200 organizations, many of which were involved in US and UK elections. At the time, Microsoft warned that the attacks represented a potential election security threat ahead of the 2020 elections.
A former US official told CNN the wider campaign identified by Thursday’s advisory was not tied to elections.
By repeatedly trying password combinations until they achieved access, Russian agents sought to gain control of accounts at victim organizations, Thursday’s advisory said. The attackers also tried to hide the source of their attacks by launching them from behind virtual private networks and by routing them through traffic-anonymizing services such as Tor, the advisory said.
Once the attackers gained access to a victim network, they sought to exploit other publicly known software flaws to reach accounts with elevated privileges and to steal emails and other data, according to the advisory.
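The pattern the advisory describes, guessing a few passwords against many accounts and then using whatever works, is what defenders look for in authentication logs. The script below is an added example, not code from the article, CNN, or the agencies that wrote the advisory. It assumes a simple "timestamp user source-ip FAIL|OK" log format and constructs a handful of sample lines inline; the thresholds (five distinct accounts with at most three failures each for a spray, twenty failures against one account for brute force) are illustrative assumptions to tune for your own environment.

```python
"""Password-spray / brute-force detection over constructed auth log lines.

Added example; not from the article or the joint advisory. The log format,
the sample data and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO8601 UTC> <user> <source IPv4> <FAIL|OK>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (FAIL|OK)$")

# Constructed sample (RFC 5737 documentation addresses, fictional users):
#   198.51.100.7  spray: one failure each against six accounts, then one success
#   203.0.113.9   classic brute force: 25 failures against a single service account
#   192.0.2.44    benign: a user mistyping a password twice before logging in
SAMPLE_LOG = "\n".join(
    [f"2021-06-30T09:00:{i:02d}Z {u} 198.51.100.7 FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2021-06-30T09:05:00Z erin 198.51.100.7 OK"]
    + [f"2021-06-30T09:10:{i:02d}Z svc-backup 203.0.113.9 FAIL" for i in range(25)]
    + ["2021-06-30T09:11:00Z alice 192.0.2.44 FAIL",
       "2021-06-30T09:11:05Z alice 192.0.2.44 FAIL",
       "2021-06-30T09:11:09Z alice 192.0.2.44 OK"]
)


def parse(log_text):
    """Parse log lines into (timestamp, user, src, result) tuples, sorted by time.
    Lines that do not match the assumed format are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    events.sort()
    return events


def detect(events, spray_min_users=5, spray_max_per_user=3, brute_min_fails=20):
    """Flag sources that spray (many accounts, few tries each), sources that
    brute-force one account, and accounts that a flagged source then logged
    into successfully. Caller is expected to pass a time slice (e.g. one hour)."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                   # src -> users that logged in OK
    for _ts, user, src, result in events:
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)

    findings = {"spray": [], "brute": [], "compromised": []}
    for src, per_user in fails.items():
        # Spray: breadth across accounts, low depth per account (stays under lockout)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings["spray"].append(src)
        # Brute force: depth against a single account
        for user, n in per_user.items():
            if n >= brute_min_fails:
                findings["brute"].append((src, user))

    # A success from a hostile source, for an account it also failed against,
    # is the "have used identified account credentials" case and needs response.
    hostile = set(findings["spray"]) | {src for src, _ in findings["brute"]}
    for src in sorted(hostile):
        for user in sorted(successes.get(src, ())):
            if user in fails[src]:
                findings["compromised"].append((src, user))
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

Keying on the source address alone is deliberately weak against the advisory's described tradecraft: a spray distributed across rotating Tor exit nodes or commercial VPN egress points leaves each source with only a few attempts. In practice the same breadth-versus-depth test should also be run over all sources together, and correlated with the blocklist of anonymizer addresses mentioned in the mitigations.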
The Russian campaign likely continues to this day, said Rob Joyce, NSA’s director of cybersecurity.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” he said.
To protect their networks, the advisory said, organizations should require strong passwords, use multi-factor authentication, and block incoming internet traffic from Tor and commercial VPN services where such access is not part of normal use.
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.