Brief # 53 – Technology Policy
U.S., U.K. Warn of Ongoing Russian Hacking Efforts
By Henry Lenard
July 6, 2021
U.S. and British government agencies released details on July 1 of an ongoing cybersecurity threat linked to Russia’s military intelligence agency GRU against hundreds of government agencies, energy companies and other organizations worldwide.
The two governments said in a joint advisory on Thursday that Russian spies accused of interfering in the 2016 U.S. presidential election with the hack of the Democratic National Committee had spent much of the past two years abusing virtual private networks to target hundreds of internet sites globally. Those efforts include a similar attempt to disrupt the 2020 presidential election.
The advisory, issued through the U.S. National Security Agency, described the approach used by operatives with ties to the GRU. The Russian attacks involve an amplified and anonymized version of what are known as “brute force” access attempts: the automated spraying of login pages with candidate passwords until the attackers gain access.
The NSA says GRU-linked actors have tried to break into networks using Kubernetes, an open-source tool originally developed by Google to manage cloud services. While a “significant amount” of the attempted break-ins targeted organizations using Microsoft’s Office 365 cloud services, the hackers went after other cloud providers and email servers as well.
The NSA advisory urges companies to adopt and expand cyber protection and mitigation techniques, including the use of multi-factor authentication and mandating strong passwords.
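The spraying described above is detectable because it inverts the usual brute-force signature: one source hits many accounts with only a few attempts each, staying under per-account lockout thresholds. The following detector is an added example, not code from the advisory or the article; the log format, account names and IP addresses are constructed.

```python
"""Flag password-spraying sources in authentication logs (added example).

Signature: failures from one source spread across many distinct accounts,
with few failures per account. A later success from that same source marks
an account that should be reviewed (and whose lack of MFA is the real gap).
"""
from collections import defaultdict

# Constructed sample log (not from any real system): timestamp, source IP, user, result
SAMPLE_LOG = """\
2021-06-30T08:00:01Z 198.51.100.7 alice FAIL
2021-06-30T08:00:02Z 198.51.100.7 bob FAIL
2021-06-30T08:00:03Z 198.51.100.7 carol FAIL
2021-06-30T08:00:04Z 198.51.100.7 dave FAIL
2021-06-30T08:00:05Z 198.51.100.7 erin FAIL
2021-06-30T08:00:06Z 198.51.100.7 frank FAIL
2021-06-30T08:00:07Z 198.51.100.7 grace SUCCESS
2021-06-30T08:01:00Z 203.0.113.5 alice FAIL
2021-06-30T08:01:05Z 203.0.113.5 alice FAIL
2021-06-30T08:01:09Z 203.0.113.5 alice FAIL
2021-06-30T08:01:20Z 203.0.113.5 alice SUCCESS
2021-06-30T09:00:00Z 192.0.2.44 bob SUCCESS
"""


def analyze(log_text, min_distinct_users=5, max_failures_per_user=3):
    """Return {source_ip: {...}} for sources matching the spray signature.

    203.0.113.5 above is a classic single-account brute force (3 failures on
    one user) and is NOT flagged; 198.51.100.7 spreads 6 single failures
    across 6 accounts and then logs in as grace, so it is.
    """
    per_src = defaultdict(lambda: {"fail_by_user": defaultdict(int), "hit": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, user, result = line.split()
        s = per_src[src]
        if result == "FAIL":
            s["fail_by_user"][user] += 1
        elif result == "SUCCESS" and s["fail_by_user"]:
            # A success from a source already failing elsewhere: review this account.
            s["hit"].add(user)
    alerts = {}
    for src, s in per_src.items():
        fails = s["fail_by_user"]
        if len(fails) >= min_distinct_users and max(fails.values()) <= max_failures_per_user:
            alerts[src] = {"accounts_targeted": len(fails),
                           "possible_compromise": sorted(s["hit"])}
    return alerts
```

Tune `min_distinct_users` to the tenant's size; the per-user ceiling should sit below whatever lockout threshold the identity provider enforces, since sprays are designed to stay under it.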
The campaign began in mid-2019 and is “almost certainly” ongoing, the advisory warned. The FBI and the Cybersecurity and Infrastructure Security Agency joined the advisory, as did the British National Cyber Security Centre.
The attempt by Russian hackers to penetrate sensitive American and international targets is ongoing and pervasive. The latest advisory from the NSA also shows the involvement of the Russian military intelligence agency in such endeavors.
The group behind the password-hacking campaign, most notorious for its interference in the 2016 U.S. presidential election, has targeted a range of organizations around the globe. The targets span virtually every sector of interest on the internet, including government and military agencies, defense contractors, political parties and consultancies, logistics companies, energy firms, universities, law firms and media companies. The NSA advisory does not disclose specific targets of the campaign or its presumed purpose.
Through a Facebook post, the Russian Embassy in Washington vehemently denied Russian government involvement in the cyberattacks. “We hope that the American side will abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security.”
The U.S. has long accused the Russian government of supporting cyberattacks for espionage, spreading disinformation campaigns, and the disruption of government and key infrastructure.
The GRU has been repeatedly linked by U.S. officials in recent years to a series of hacking incidents. In 2018, special counsel Robert Mueller’s office charged 12 military intelligence officers with hacking Democratic National Committee emails that were then released by WikiLeaks to harm Hillary Clinton’s presidential campaign in support of Donald Trump.
An American intelligence assessment earlier this year said the GRU tried to monitor people in U.S. politics in 2019 and 2020 and staged a phishing campaign against subsidiaries of the Ukrainian energy company Burisma, likely to gather information damaging to President Joe Biden, whose son had earlier served on the Burisma board.
An NSA spokesperson said this GRU-led campaign was separate from the SolarWinds supply chain attack, which was attributed to a separate Russian intelligence service known as the SVR. It also differs from the ransomware attacks on Colonial Pipeline and meat supplier JBS, which were targeted by two distinct criminal ransomware groups known to have links to Russia.
The Biden administration in April sanctioned Russia after linking it to election interference and the SolarWinds breach.
In the latter case, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. That allowed the hidden virus to spread to 18,000 government and private computer networks when SolarWinds sent out a routine software update.
That gave Russian agents complete access to the digital files of such U.S. departments as Justice, State, Treasury, Energy and Commerce for nine months. During this time, they were able to view top-level government emails, court documents and even nuclear secrets.
Similarly, hacking into businesses gives access to proprietary intellectual property, corporate strategies and competitive information.
All this comes against the backdrop of President Biden and Russian President Vladimir Putin agreeing at their June summit that the two countries will start consultations on cybersecurity.
Putin claimed that “most of the cyberattacks in the world are carried out from the cyber realm of the United States,” with Canada and Britain coming second and third.
While the U.S., Canada and Britain all engage in cyberespionage, the most damaging cyberattacks on record have been attributed by the U.S. and the European Union to the GRU, including two on Ukraine’s power grid and the 2017 NotPetya virus that caused more than $10 billion in damage globally.