NSA: Russian GRU hackers use Kubernetes to run brute force attacks (Security News, July 2021)
The National Security Agency warns that Russian nation-state hackers are conducting brute force attacks to access US networks and steal email and files.
In a new advisory released today, the NSA states that the Russian GRU's 85th Main Special Service Center, military unit 26165, has been using a Kubernetes cluster since 2019 to perform password spray attacks on US and foreign organizations, including the US government and Department of Defense agencies.
The brute force attacks target cloud services, such as Microsoft 365, to compromise accounts that are then used in conjunction with known vulnerabilities to gain initial access to corporate and government networks.
The NSA says that once the attackers gain access, they move laterally through the network, deploying a reGeorg web shell for persistence, harvesting further credentials, and stealing files.
"The NSA does not publicly share details on victims of foreign malicious cyber activity," the NSA said. A complete list of TTPs, including a YARA rule to detect the reGeorg variant web shell, can be found in the NSA's cybersecurity advisory.
"This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale," said Rob Joyce, NSA's Director of Cybersecurity, in a statement.
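As an added illustration (not code from the article or the NSA advisory), the following Python flags the pattern a password spray leaves in sign-in logs: many distinct accounts failing from one source inside a short window, which a per-account lockout threshold never trips. The log lines, IP addresses and user names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: ISO timestamp, source IP, user, outcome.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.5 alice FAIL
2021-07-01T10:00:04Z 203.0.113.5 bob FAIL
2021-07-01T10:00:07Z 203.0.113.5 carol FAIL
2021-07-01T10:00:09Z 203.0.113.5 dave FAIL
2021-07-01T10:00:12Z 203.0.113.5 erin FAIL
2021-07-01T10:00:15Z 203.0.113.5 frank SUCCESS
2021-07-01T10:05:00Z 198.51.100.7 alice FAIL
2021-07-01T10:05:30Z 198.51.100.7 alice FAIL
2021-07-01T10:06:00Z 198.51.100.7 alice SUCCESS
"""

def parse(text):
    """Turn the whitespace-separated log into (timestamp, src, user, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted users} for each source whose failures hit at
    least `min_users` distinct accounts within any sliding `window`."""
    fails_by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_sprayers(events, hits):
    """Accounts that signed in successfully from a flagged source: the
    likely compromised credentials to reset and investigate first."""
    return sorted({u for _, src, u, o in events if src in hits and o == "SUCCESS"})
```

Because a cluster can spread attempts across many egress addresses, group on additional attributes (user agent, ASN, tenant-wide failure rate per minute) rather than on source IP alone.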