
Widespread Brute-Force Attacks Tied to Russia’s APT28
2021-07-02 16:14

U.S. and U.K. authorities are warning that the APT28 advanced-threat actor - a.k.a. Fancy Bear or Strontium, among other names - has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.

The attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities and more.

One expert, Tom Jermoluk, CEO and co-founder of Beyond Identity, was skeptical of the notion that stronger passwords can do anything to protect against password spraying, particularly when it comes on top of a concerted effort to gather valid credentials.

"Russian GRU agents and other state actors like those involved in SolarWinds - and a range of financially motivated attackers - all use the same 'password spraying' brute force techniques," he told Threatpost in an email on Friday.

He added, "The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying 'strong passwords.'"
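Password spraying leaves a signature that password strength cannot hide: many distinct accounts, a few failed attempts each, from the same source in a short window. The following detection sketch is an added example (not from the Threatpost article or any vendor quoted in it); it runs over a constructed authentication log in an assumed `key=value` format, flags sources that fit that pattern, and then lists accounts that later succeeded from a flagged source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article); assumed line format.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-07-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-07-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2021-07-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2021-07-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2021-07-01T10:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2021-07-01T10:00:07Z src=198.51.100.9 user=alice result=FAIL
2021-07-01T10:00:08Z src=198.51.100.9 user=alice result=FAIL
2021-07-01T10:00:09Z src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Yield (timestamp, src, user, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def detect_spraying(text, min_users=5, window=timedelta(minutes=10)):
    """Return {src: sorted distinct users} for sources whose failed logins hit at
    least `min_users` distinct accounts within any `window`-long span.
    Spraying is many accounts, few tries each; one account hammered many times
    (classic brute force) is deliberately not flagged by this rule."""
    fails = defaultdict(list)  # src -> [(ts, user)] for failed attempts
    for ts, src, user, ok in parse_log(text):
        if not ok:
            fails[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def successes_after_spray(text, flagged):
    """Accounts that authenticated successfully from a flagged source: triage first."""
    return sorted(u for _, s, u, ok in parse_log(text) if ok and s in flagged)
```

The same logic applies to cloud identity provider sign-in logs once the parser is swapped for that provider's event schema.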

April 2021: The NSA linked APT29 to Russia's Foreign Intelligence Services, as the U.S. formally attributed the recent SolarWinds supply-chain attacks to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.


News URL

https://threatpost.com/kubernetes-brute-force-attacks-russia-apt28/167518/