The extensive effort also targeted political parties, government offices, defense contractors, energy companies, think tanks, law firms, media outlets and universities, the officials said.
The password-hacking campaign, which officials believe is almost certainly still ongoing, is part of a broader effort by Russia’s GRU to collect information from a wide range of sensitive targets, according to a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ.
This campaign, which involved attempts to break the passwords of people affiliated with major organizations worldwide, began in mid-2019. While aspects of it have been publicly reported, the US government attributed it to Russia’s military intelligence agency, the GRU, for the first time this week.
The advisory released Thursday does not specify how often these attacks were successful, but it does say that the actors “have used” identified account credentials in conjunction with known vulnerabilities.
“The bread and butter of this group is routine collection against policy makers, diplomats, the military, and the defense industry and these sorts of incidents don’t necessarily presage operations like hack and leak campaigns,” according to John Hultquist, VP of Analysis, Mandiant Threat Intelligence. “Despite our best efforts we are very unlikely to ever stop Moscow from spying.”
A former US official told Asia Despatch the wider campaign identified by Thursday’s advisory was not tied to elections.
By repeatedly trying password combinations until they achieved access, Russian agents sought to gain control of accounts at victim organizations, Thursday’s advisory said. The attackers also tried to hide the source of their attacks by launching them from behind virtual private networks and by routing them through traffic-anonymizing services such as Tor, the advisory said.
Once the attackers gained access to a victim network, they sought to use other publicly known software flaws to breach accounts with high-powered network permissions and to steal emails and other data, according to the advisory.
The Russian campaign likely continues to this day, said Rob Joyce, NSA’s director of cybersecurity.
“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” he said.
To protect their networks, the advisory said, organizations should require strong passwords, use multi-factor authentication and block all incoming internet traffic from Tor and commercial VPN services.
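As an added defender-side illustration, not taken from the advisory or this article, the following Python scores a constructed SSH authentication log for the two patterns described above: password spraying, where one source tries a few guesses against many accounts, and brute force, where one source hammers a single account. It also tags sources that fall inside an assumed Tor exit or commercial VPN range, the kind of feed an organization would use to act on the advisory's blocking recommendation. Every address, hostname, user name and range in the sample is constructed; the threshold parameters are illustrative choices.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample authentication log in a syslog-like layout. The host,
# user names and addresses (RFC 5737 documentation ranges) are all made up.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z bastion sshd[101]: Failed password for alice from 203.0.113.10 port 51000 ssh2
2021-07-01T10:00:03Z bastion sshd[102]: Failed password for bob from 203.0.113.10 port 51001 ssh2
2021-07-01T10:00:05Z bastion sshd[103]: Failed password for carol from 203.0.113.10 port 51002 ssh2
2021-07-01T10:00:07Z bastion sshd[104]: Failed password for dave from 203.0.113.10 port 51003 ssh2
2021-07-01T10:00:09Z bastion sshd[105]: Accepted password for dave from 203.0.113.10 port 51004 ssh2
2021-07-01T10:01:00Z bastion sshd[106]: Failed password for admin from 198.51.100.7 port 40000 ssh2
2021-07-01T10:01:02Z bastion sshd[107]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2021-07-01T10:01:04Z bastion sshd[108]: Failed password for admin from 198.51.100.7 port 40002 ssh2
2021-07-01T10:01:06Z bastion sshd[109]: Failed password for admin from 198.51.100.7 port 40003 ssh2
2021-07-01T10:01:08Z bastion sshd[110]: Failed password for admin from 198.51.100.7 port 40004 ssh2
2021-07-01T10:05:00Z bastion sshd[120]: Failed password for alice from 192.0.2.44 port 33000 ssh2
2021-07-01T10:05:30Z bastion sshd[121]: Accepted password for alice from 192.0.2.44 port 33001 ssh2
"""

# Constructed ranges standing in for a Tor exit-node feed and a commercial VPN
# feed; a real deployment would load these from its threat-intelligence source.
ANONYMIZER_RANGES = {
    "tor": [ipaddress.ip_network("203.0.113.0/24")],
    "vpn": [ipaddress.ip_network("198.51.100.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("result"), m.group("user"), m.group("ip")

def anonymizer_kind(ip):
    """Name the anonymizer feed an address falls in, or None if it is in none."""
    addr = ipaddress.ip_address(ip)
    for kind, nets in ANONYMIZER_RANGES.items():
        if any(addr in net for net in nets):
            return kind
    return None

def analyze(log_text, spray_accounts=3, brute_failures=5):
    """Per source address: failure counts, accounts tried, successes, verdicts.
    spray_accounts / brute_failures are the (illustrative) alerting thresholds."""
    per_src = defaultdict(lambda: {"failures": defaultdict(int), "successes": [],
                                   "saw_failure": False, "success_after_failure": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        _, result, user, ip = parsed
        rec = per_src[ip]
        if result == "Failed":
            rec["failures"][user] += 1
            rec["saw_failure"] = True
        else:
            rec["successes"].append(user)
            if rec["saw_failure"]:
                rec["success_after_failure"] = True

    report = {}
    for ip, rec in per_src.items():
        verdicts = []
        spray = len(rec["failures"]) >= spray_accounts          # many accounts, few tries each
        brute = any(n >= brute_failures for n in rec["failures"].values())  # one account, many tries
        if spray:
            verdicts.append("password-spray")
        if brute:
            verdicts.append("brute-force")
        # A success following a guessing pattern suggests a credential was found;
        # a lone typo followed by a success (192.0.2.44 above) is not flagged.
        if rec["success_after_failure"] and (spray or brute):
            verdicts.append("compromise-suspected")
        kind = anonymizer_kind(ip)
        if kind:
            verdicts.append(f"anonymizer:{kind}")
        report[ip] = {
            "failures": sum(rec["failures"].values()),
            "accounts": sorted(rec["failures"]),
            "successes": rec["successes"],
            "verdicts": verdicts,
        }
    return report

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["failures"], info["verdicts"])
```

The two thresholds are deliberately separate: a spray stays under any per-account lockout, so counting distinct accounts per source catches what a per-account failure counter misses. The anonymizer tag is the hook for the advisory's recommendation to block Tor and commercial VPN traffic: a source that trips either guessing verdict and also sits in an anonymizer range is a strong candidate for an automatic block, while an anonymizer source with no guessing pattern may just be a remote employee.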