Recently, the U.S. and British intelligence communities issued an advisory uncovering the “Brute Force” cyber techniques used by the Russian GRU intelligence agency against hundreds of Western government and private targets. These revelations come in the wake of months of successive cyberattacks against American and European targets, including the SolarWinds, which saw Russian and Chinese hackers gain access to U.S. government systems, and Colonial Pipeline, which interfered with the flow of fuel on America’s East Coast this past May.
According to the Intelligence Community, the GRU cyberattacks started from the middle of 2019 and are likely still ongoing, with the GRU’s 85th Main Special Service Center (GTsSS) unit 26165 identified as the main perpetrator behind the attacks. The goal of this cyber warfare campaign is to access protected and classified databases in order to purloin information, but also to pave the way for future breaches.
The advisory is a joint product of the U.S. National Security Agency (NSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the British Government Communications Headquarters (GCHQ), the U.K.’s signals intelligence agency.
KGB Reloaded: Russian Intelligence
The Russian intelligence apparatus is composed of four main agencies.
The SVR (Sluzhba vneshney razvedki Rossiyskoy Federatsii) is the external intelligence agency that focuses on foreign intelligence collection and is often compared to America’s CIA. While not entirely accurate, the comparison is somewhat apt.
The FSB (Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii) is the internal security and counterintelligence service that focuses on domestic intelligence, and is roughly the equivalent of America’s FBI.
The GRU (Glavnoje Razvedyvatel’noje Upravlenije) is the military foreign intelligence service that commands the Spetsnaz special operations units and a very rough equivalent of the U.S. Defense Intelligence Agency (DIA) and the Joint Special Operations Command (JSOC).
Finally, the FSO (Federalnaya sluzhba okhrany) protects the Russian president but also contains the signals intelligence (SIGINT) agency, a rough equivalent of the NSA—the FSO overall is less of an intelligence service and more of a federal law enforcement agency, like the U.S. Secret Service, that also has some intelligence functions, such as the SIGINT capability.
Historically, Russian intelligence services have focused more on covert action programs (or active measures, per the Russian nomenclature) to subvert domestic and external opponents rather than pure intelligence collection. Active measure operations can include election interference, disinformation, influence operations, and cyberwarfare.
When it comes to near-peer threats, such as Russia and China, it’s hard, if not impossible, to separate the public from the private sector. Unlike in the U.S. where companies and individuals aren’t obligated to cooperate with the Intelligence Community, Russia and China demand that their citizens and companies assist their militaries and intelligence agencies. In China, there is even a national intelligence law that obligates all Chinese corporations and citizens to support and cooperate with national intelligence services. This whole-of-nation approach gives America’s competitors an advantage.
“I think there is a distinction in the case of Russia but it’s fairly blurred,” an expert from the Signature Management Unit (SMU) with joint special operations and intelligence experience told Sandboxx News.
“The Russian Internet Research Agency (IRA), also known as ‘the troll farm,’ is a pretty great example of how the Russian intelligence organs are deliberately outsourcing (via the oligarchical network) some of their cyber dirty work to the IRA in order to offer the GRU a semblance of plausible deniability, however weak it may seem.”
A risk, security, intelligence, and cyber consulting firm led by former special-operations and intelligence professionals, the SMU helps individuals and companies understand their digital and cyber vulnerabilities and improve their defenses.
Cybersecurity knowledge has trickled down from the Intelligence Community and the military into the private intelligence and cybersecurity world, making preemptive action more accessible to individuals, families, and businesses today than ever before.
Brute Force Cyberattacks
Brute Force attacks need more brawn than brain. They take their name from their elementary nature—they don’t require any sophisticated cyber skills. During Brute Force attacks, an aggressor essentially runs down an entry list of known or breached passwords, trying every single one at several iterations per second, until the target service is overwhelmed, thereby gaining access to the database.
Brute Force techniques are by no means new, but the GRU used software in a unique way to industrialize its Brute Force attempts and access more targets.
According to the NSA report, the GRU used Brute Force techniques to access protected and classified data, including email addresses, and find valid account credentials. Then, the Russian intelligence officers used identified account credentials together with publicly known vulnerabilities, such as exploiting issues with the Microsoft Exchange servers
“The GRU has become more brazen over the years, as we recall the failed OPCW close-access hack attempt, where Russian GRU operatives were busted sitting in their car attempting to access a Wi-Fi network. So we’re seeing both approaches akin to the Chinese whole-of-government approach but with less nuance/more in accord with the Russian modus operandi,” the SMU expert said.
The GRU is probably the more aggressive branch of the Russian intelligence apparatus. In the last few years, GRU operatives have conducted several outrageously audacious operations against Western and non-Western targets, including assassinations, attempted assassinations, sabotage, election interference, and cyberattacks.
For example, in 2018, the British and Dutch intelligence services prevented a Russian cyberattack, again from GRU’s Unit 26165, against the Organisation for the Prevention of Chemical Weapons (OPCW), which is headquartered in The Hague, Netherlands. In the same year, two GRU officers attempted to assassinate Sergei Skripal, an SVR defector living in the U.K., and his daughter with a nerve agent. Again in 2018, the U.S. Department of Justice indicted a dozen GRU officers for their part in interfering with America’s 2016 presidential election.
“Unfortunately, smaller companies and individuals can no longer say, ‘I’m not an important enough target to warrant privacy or digital security,’” the SMU expert added.
If a company fails to protect their executives outside the office, as we often see, they are vulnerable to an adversary gaining a foothold in that executive’s digital life, which acts as a vector to other targets, such as when the executive steps back into the office. This is a vicious cycle that adversaries are keen to exploit.”
This article first appeared at Sandboxx News.