
Identity trust is under attack: are your authentication controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: A joint advisory from 10+ nations says Russian GRU unit 26165 is using password spraying, phishing, malware, and legacy authentication abuse to break identity trust and reach logistics and tech targets supporting Ukraine, according to Axiad. The lesson is broader than one campaign: identity infrastructure that still depends on NTLM, weak mailbox permissions, and password-based trust is already out of step with modern threat pressure.

NHIMG editorial — based on content published by Axiad: Authentication State-Sponsored Cyber Threats - Is Your Identity Infrastructure Ready?

By the numbers:

Questions worth separating out

Q: How should security teams reduce identity compromise from password spraying and phishing?

A: Start by removing easy authentication targets.

Q: Why do legacy protocols like NTLM still increase breach risk?

A: Legacy protocols preserve compatibility but also preserve weaker trust assumptions.

Q: How can organisations decide when certificate-based authentication is worth the effort?

A: Prioritise it where credential theft would have the highest impact, such as admin access, remote access, and hybrid on-prem systems.

Practitioner guidance

  • Retire legacy authentication paths: inventory NTLM usage, identify remaining dependencies, and set a migration plan that removes downgrade paths from high-value systems first.
  • Strengthen phishing-resistant authentication: prioritise certificate-based authentication or other phishing-resistant methods for privileged, remote, and high-risk access paths.
  • Audit mailbox delegation and recovery paths: review mailbox permissions, delegated access, and account recovery workflows for excessive privilege.
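To make the first guidance item and the password-spraying point in the TL;DR concrete, here is an added example (not code from Axiad or the NHIMG post) that runs two defender checks over constructed Windows Security log records: an NTLM usage inventory that produces a migration worklist, and a password-spraying detector that counts distinct accounts failing from one source inside a time window. The event fields, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on fields of Windows Security events
# 4624 (successful logon) and 4625 (failed logon): timestamp, event id,
# account, source address, authentication package. Not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4624, "alice",      "10.0.0.5",    "Kerberos"),
    ("2024-05-01T09:00:10", 4624, "svc_backup", "10.0.0.7",    "NTLM"),
    ("2024-05-01T09:00:20", 4624, "legacyapp",  "10.0.0.20",   "NTLM"),
    ("2024-05-01T09:00:30", 4625, "alice",      "10.0.0.5",    "Kerberos"),
    ("2024-05-01T09:00:40", 4625, "alice",      "10.0.0.5",    "Kerberos"),
    ("2024-05-01T09:01:00", 4625, "bob",        "203.0.113.9", "NTLM"),
    ("2024-05-01T09:01:30", 4625, "carol",      "203.0.113.9", "NTLM"),
    ("2024-05-01T09:02:00", 4625, "dave",       "203.0.113.9", "NTLM"),
    ("2024-05-01T09:02:30", 4625, "erin",       "203.0.113.9", "NTLM"),
    ("2024-05-01T09:03:00", 4625, "frank",      "203.0.113.9", "NTLM"),
    ("2024-05-01T09:40:00", 4625, "grace",      "203.0.113.9", "NTLM"),
]

def ntlm_inventory(events):
    """Map each account that logged on successfully over NTLM to the sorted
    source addresses it came from: a worklist for retiring legacy auth."""
    seen = defaultdict(set)
    for _ts, event_id, user, src, auth in events:
        if event_id == 4624 and auth.upper() == "NTLM":
            seen[user].add(src)
    return {user: sorted(srcs) for user, srcs in seen.items()}

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failed logons hit >= min_accounts distinct accounts
    within any interval of length `window`. Spraying is few attempts per
    account across many accounts, so per-account lockout counters miss it."""
    failures = defaultdict(list)
    for ts, event_id, user, src, _auth in events:
        if event_id == 4625:
            failures[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        best = 0
        for i, (start, _user) in enumerate(attempts):
            in_window = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= min_accounts:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(ntlm_inventory(SAMPLE_EVENTS), detect_password_spray(SAMPLE_EVENTS))
```

The single legitimate user with two failures and the late attempt outside the window are deliberately left unflagged, so the threshold and window are the knobs to tune against real volumes.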

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • A deeper explanation of how certificate-based authentication changes identity assurance in hybrid environments
  • The article’s discussion of legacy protocol retirement, including why NTLM remains a live risk in mixed estates
  • Operational context around certificate lifecycle management, issuance, and renewal across on-prem systems
  • The source article’s PKI framing for RDP, Exchange, and Microsoft AD access paths

👉 Read Axiad's analysis of state-sponsored identity abuse and PKI defenses →
