A joint statement from the US National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and the United Kingdom’s Cyber Security Centre announced that a massive brute force campaign has been launched from Russia by Advanced Persistent Threat Group 28, also known as “Fancy Bear” or “Strontium”. Fancy Bear is believed to be associated with the GRU (the General Staff Main Intelligence Directorate, the intelligence arm of the Russian military, roughly analogous to the US Defense Intelligence Agency or perhaps the CIA), although definitive proof has never been provided.
These brute force attacks aim to compromise the credentials of individuals known or believed to hold sensitive positions: defense contractors, think tanks, politicians (and their aides), infrastructure, educational institutions, and other targets likely to have access to confidential or restricted information.
The attack appears to target either the victim’s own network or an adjacent one. Targeting adjacent networks lets Fancy Bear attack less well-defended systems first, then use that access to pry open more secure networks. For example, a personal device is less likely to be protected by a strong password or multi-factor authentication, and people tend to reuse the same or similar passwords across their devices. By cracking a home computer or an unsecured phone, an attacker gains a foothold and the information needed to covertly attack better-secured systems.
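The practical defender question raised by a campaign like this is how to spot it in authentication logs. Brute force against one account and password spraying (a few guesses each across many accounts, which stays under per-account lockout thresholds) leave different footprints. The script below is an added example written for this article, not code from the advisory or from any of the agencies named above; the SSH log lines are constructed, and the window and threshold values are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style sshd output); not real data.
# 198.51.100.7 sprays one guess across five accounts and then succeeds on one.
# 203.0.113.9 hammers a single account. 192.0.2.5 is one benign typo.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z sshd[100]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2021-07-01T10:00:03Z sshd[101]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2021-07-01T10:00:05Z sshd[102]: Failed password for carol from 198.51.100.7 port 40003 ssh2
2021-07-01T10:00:07Z sshd[103]: Failed password for dave from 198.51.100.7 port 40004 ssh2
2021-07-01T10:00:09Z sshd[104]: Failed password for erin from 198.51.100.7 port 40005 ssh2
2021-07-01T10:00:12Z sshd[105]: Accepted password for erin from 198.51.100.7 port 40006 ssh2
2021-07-01T10:05:00Z sshd[200]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2
2021-07-01T10:05:01Z sshd[201]: Failed password for invalid user admin from 203.0.113.9 port 50002 ssh2
2021-07-01T10:05:02Z sshd[202]: Failed password for invalid user admin from 203.0.113.9 port 50003 ssh2
2021-07-01T10:05:03Z sshd[203]: Failed password for invalid user admin from 203.0.113.9 port 50004 ssh2
2021-07-01T10:05:04Z sshd[204]: Failed password for invalid user admin from 203.0.113.9 port 50005 ssh2
2021-07-01T10:05:05Z sshd[205]: Failed password for invalid user admin from 203.0.113.9 port 50006 ssh2
2021-07-01T10:07:00Z sshd[300]: Failed password for alice from 192.0.2.5 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines):
    """Yield (timestamp, result, user, source_ip) for each recognised line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]


def classify_sources(log_text, window=timedelta(minutes=10),
                     min_failures=5, spray_accounts=4):
    """Group failures by source IP and flag dense bursts.

    A burst of >= min_failures inside `window` is reported as
    'password_spray' if it touches >= spray_accounts distinct accounts,
    otherwise as 'brute_force'. Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log_text.splitlines()):
        by_ip[ip].append((ts, result, user))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, r, user in events if r == "Failed"]
        # Sliding window: keep the densest run of failures within `window`.
        best, start = None, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            span = failures[start:end + 1]
            if len(span) >= min_failures and (best is None or len(span) > len(best)):
                best = span
        if best is None:
            continue  # below threshold: probably a mistyped password
        accounts = {user for _, user in best}
        kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
        # A success from the same source after the burst is the alert that matters most.
        success_after = any(r == "Accepted" and ts >= best[0][0] for ts, r, _ in events)
        findings[ip] = {
            "kind": kind,
            "failures": len(best),
            "accounts": sorted(accounts),
            "later_success": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Keying on source IP is a starting point only: the advisory-style campaigns described above route guesses through many addresses, so the same windowed count should also be run per target account and per organisation-wide failure rate. The `later_success` flag is the one to page on, since a success that follows a spray is exactly the credential reuse pattern the article describes.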