The US and UK security agencies have repeatedly blamed Russia for attacks on key parts of their infrastructure. This Thursday (1), the FBI and the NSA reported a series of large-scale brute-force attacks by Russian military cyber units, targeting cloud systems used by businesses and government agencies around the world.
The reported attacks have been attributed to a group of cybercriminals identified as APT28 or Fancy Bear. The report is also signed by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC), and it says the attacks have been ongoing since mid-2019 and continue to this day.
The intelligence agencies claim that Unit 26165 of the 85th Specialized Service Center (GDSS) of the Russian General Staff Main Intelligence Directorate (GRU) built a Kubernetes cluster to carry out brute-force access attempts. One of its main targets is the cloud services provided by Microsoft Office 365, including email.
A Kubernetes cluster is a set of nodes that run applications in containers, which are lighter and more flexible workloads than virtual machines, allowing applications to be developed and managed easily and remotely from anywhere, across multiple digital environments, without being tied to a specific operating system.
According to the report, Fancy Bear uses the compromised accounts to gain internal access to email servers. From there, the attackers move laterally to take full control of the networks and plant backdoors using stolen valid credentials, which guarantees them persistent access.
The group tried to cover up their attacks
The group's attacks stayed under the radar by being routed through the TOR network and through VPN services such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. The cybercriminals also used protocols such as HTTP(S), IMAP(S), POP3 and NTLM to diversify their attack methods and help evade possible investigations. The brute-force attempts were also spaced out over time, making it difficult to spot a pattern.
Rob Joyce, NSA's director of cybersecurity, warns that "this long-running brute-force campaign to collect and exfiltrate data, login credentials, and more is ongoing worldwide. Network defenders should use multifactor authentication and additional mitigations to combat this practice," he said.
In the public document, the agencies released some of the IP addresses used by Fancy Bear in its attacks so that companies can protect themselves. Key targets include government and military agencies, security solutions companies, energy companies, law firms, media groups and higher education institutions.
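The spaced-out, multi-account pattern described above is what per-account lockout thresholds miss; the added example below (not from the advisory or the article) shows one way a defender can surface it by aggregating authentication failures per source IP over a long lookback window. The log format and the sample events are constructed for illustration, and the log is assumed to be already scoped to the lookback window being examined.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data):
# timestamp,source_ip,account,protocol,outcome
SAMPLE_LOG = """\
2021-06-01T01:10:00,203.0.113.7,alice,IMAP,FAIL
2021-06-01T02:45:00,203.0.113.7,bob,POP3,FAIL
2021-06-01T05:30:00,203.0.113.7,carol,NTLM,FAIL
2021-06-01T09:00:00,203.0.113.7,dave,HTTPS,FAIL
2021-06-01T14:20:00,203.0.113.7,erin,IMAP,FAIL
2021-06-01T08:00:00,198.51.100.9,alice,HTTPS,FAIL
2021-06-01T08:01:00,198.51.100.9,alice,HTTPS,FAIL
2021-06-01T08:02:00,198.51.100.9,alice,HTTPS,SUCCESS
"""


def parse_events(lines):
    """Parse CSV-style auth events into dicts; blank lines are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, user, proto, outcome = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "proto": proto, "outcome": outcome})
    return events


def find_slow_spray(lines, min_accounts=4, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts with only a
    few attempts each: the low-and-slow spray signature that per-account
    lockout counters never trip. Returns one summary dict per flagged IP."""
    failures = defaultdict(lambda: defaultdict(list))  # src -> user -> [ts]
    protocols = defaultdict(set)                       # src -> protocols seen
    for ev in parse_events(lines):
        if ev["outcome"] == "FAIL":
            failures[ev["src"]][ev["user"]].append(ev["ts"])
            protocols[ev["src"]].add(ev["proto"])
    hits = []
    for src, per_user in failures.items():
        all_ts = sorted(t for ts in per_user.values() for t in ts)
        span_hours = (all_ts[-1] - all_ts[0]).total_seconds() / 3600
        if (len(per_user) >= min_accounts
                and max(len(ts) for ts in per_user.values()) <= max_per_account):
            hits.append({"src_ip": src, "accounts": len(per_user),
                         "failures": len(all_ts),
                         "protocols": sorted(protocols[src]),
                         "span_hours": round(span_hours, 1)})
    return hits
```

On the sample above, only 203.0.113.7 is flagged: five accounts, one failure each, spread over about 13 hours and four protocols, while the user who mistypes a password twice and then logs in is left alone.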