
State-sponsored identity attacks: is your authentication ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Russian GRU unit 26165 is using password sprays, phishing, malware, weak authentication, mailbox permission abuse, and legacy protocols like NTLM to break identity trust and enter target environments, according to Axiad. Certificate-based authentication and PKI reduce exposure, but enterprises still need better lifecycle control and protocol retirement.

NHIMG editorial — based on content published by Axiad: Authentication State-Sponsored Cyber Threats, Is Your Identity Infrastructure Ready?

By the numbers:

  • Russian GRU hackers are executing a persistent cyber espionage campaign across 10+ nations.

Questions worth separating out

Q: How should security teams reduce risk from password spraying and phishing against identity systems?

A: Teams should reduce the number of sign-in paths that depend on guessable or replayable credentials, then favour phishing-resistant authentication for high-value users and systems.

Q: Why do legacy protocols like NTLM still increase identity risk?

A: Legacy protocols preserve older trust assumptions that modern attackers can exploit more easily than cryptographic authentication.

Q: How do mailbox permissions turn a valid login into broader compromise?

A: Mailbox delegation and inherited permissions can expose communications, attachments, and administrative reach beyond what the user should normally see.

Practitioner guidance

  • Retire weak authentication paths: Prioritise password spraying resistance, phishing-resistant sign-in, and removal of legacy login paths that still accept guessable or replayable credentials.
  • Review mailbox delegation and access inheritance: Audit delegated mailbox permissions, shared inbox access, and inherited administrative rights that let a single compromised identity reach communications at scale.
  • Deprecate NTLM in phased increments: Map every application and remote-access dependency that still uses NTLM, then replace or isolate those paths before attackers can target them as the weakest trust layer.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of the joint advisory themes across identity misuse, phishing, and legacy protocol abuse.
  • Axiad's PKI-oriented explanation of why certificate-based authentication is better suited to phish-resistant identity assurance.
  • Operational context for certificate lifecycle management across hybrid on-prem and remote-access environments.
  • The article's own framing of how identity controls intersect with Zero Trust and on-prem authentication dependencies.

👉 Read Axiad's analysis of state-sponsored identity attacks and PKI defense →



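The "map every application and remote-access dependency that still uses NTLM" step in the guidance above is the part teams most often skip before flipping the policy to deny. The script below is an added example written for this post; it is not code from Axiad or from the original article. It assumes a domain-joined Windows host (a DC for the 8004 events) where the "Network security: Restrict NTLM" audit policies have already been enabled through Group Policy, and it only reads the registry and the NTLM operational log, so running it changes nothing.

```powershell
# Added example (not from the Axiad article or the NHIMG post): build an NTLM
# dependency inventory from the NTLM operational log while the policy is still
# in audit mode, before any path is set to deny.
# Assumes: Windows, run as an administrator, audit policies set via GPO.

$NtlmLog = 'Microsoft-Windows-NTLM/Operational'

# Registry values behind the "Network security: Restrict NTLM" policies.
# MSV1_0 values drive the 8001 (outgoing) / 8002 (incoming) audit events;
# the Netlogon value drives 8004 on domain controllers.
$AuditSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'AuditReceivingNTLMTraffic' }          # 1 = domain accounts, 2 = all accounts
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic' }         # 1 = audit all, 2 = deny all
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AuditNTLMInDomain' }                  # DC only; non-zero = auditing on
)

function Test-NtlmAuditEnabled {
    # Reports each audit setting and whether it is currently producing events.
    foreach ($s in $AuditSettings) {
        $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $auditing = ($null -ne $value) -and ($value -ge 1)
        [pscustomobject]@{ Setting = $s.Name; Value = $value; Auditing = $auditing }
    }
}

function Get-NtlmDependencyReport {
    param([int]$Days = 30)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $NtlmLog
        Id        = 8001, 8002, 8004        # outgoing, incoming, DC-audited NTLM auth
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData generically so the script does not depend on the exact
        # field names, which differ between the three event IDs.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $fields = ($data.GetEnumerator() | Sort-Object Name |
                   ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Computer = $e.MachineName
            Fields   = $fields
        }
    }
}

# Usage: confirm auditing is on, then collapse the evidence into distinct
# NTLM paths so each one can be given an owner and a migrate-or-isolate plan.
Test-NtlmAuditEnabled | Format-Table -AutoSize
$report = Get-NtlmDependencyReport -Days 30
$report | Group-Object EventId, Fields | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

The grouped output is the working inventory for the "phased increments": paths that disappear from the audit log after remediation can be moved to deny, and paths that cannot be removed get isolated rather than left as the weakest trust layer the post describes.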
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Identity trust, not network hardness, is the decisive control boundary in this campaign. The article shows that Russian GRU operators are not relying on noisy perimeter attacks alone. They are targeting authentication weakness, delegated mailbox access, and legacy protocols because identity systems still determine who gets in and what they can touch. The implication is that IAM, PKI, and protocol governance now sit on the front line of state-sponsored intrusion defence.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when certificate-based authentication is rolled out but lifecycle controls are weak?

A: Accountability sits with the identity, PKI, and platform owners together because certificate strength depends on governance across issuance, renewal, revocation, and decommissioning. If those controls are weak, the organisation has simply replaced one credential type with another unmanaged one. Ownership needs to be explicit before certificates are trusted as a primary authentication layer.

👉 Read our full editorial: Identity infrastructure is not ready for state-sponsored intrusion



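The reply above argues that certificates become "another unmanaged credential" unless issuance, renewal, revocation and decommissioning are governed. As an added example, not code from Axiad or from the reply's author, the script below audits a Windows host's own authentication certificates against those four lifecycle points. The issuer name `CN=Corp Issuing CA` is a constructed placeholder; substitute the organisation's real issuing CA.

```powershell
# Added example (not from the Axiad article or the NHIMG reply): lifecycle audit
# of client-authentication certificates in the LocalMachine\My store.
# Assumes: Windows, PowerShell 5+, read access to the certificate store.

$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'    # Microsoft Smart Card Logon

function Get-CertLifecycleReport {
    param(
        [int]$RenewWithinDays = 30,
        [string[]]$TrustedIssuerPattern = @('CN=Corp Issuing CA')   # constructed placeholder
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus       = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
        $isAuthCert = ($ekus -contains $ClientAuthEku) -or ($ekus -contains $SmartCardLogonEku)
        $daysLeft   = [int]($cert.NotAfter - $now).TotalDays

        # Issuance: was this cert issued by the enterprise CA we expect?
        $issuerTrusted = $false
        foreach ($p in $TrustedIssuerPattern) { if ($cert.Issuer -like "*$p*") { $issuerTrusted = $true } }

        # Revocation: build the chain with online CRL/OCSP checking.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ','

        $findings = @()
        if ($daysLeft -lt 0)                      { $findings += 'EXPIRED: decommission' }
        elseif ($daysLeft -le $RenewWithinDays)   { $findings += "RENEW: expires in $daysLeft days" }
        if (-not $cert.HasPrivateKey)             { $findings += 'NO-KEY: orphaned public cert' }
        if ($isAuthCert -and -not $issuerTrusted) { $findings += 'UNTRUSTED-ISSUER: not from enterprise CA' }
        if (-not $chainOk)                        { $findings += "CHAIN: $chainStatus" }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            AuthCert   = $isAuthCert
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: list only certificates with a lifecycle finding; an empty result on a
# host that does authenticate with certificates is itself worth investigating.
Get-CertLifecycleReport -RenewWithinDays 30 |
    Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

Run per host and aggregated centrally, the Findings column gives the identity, PKI and platform owners the reply names a shared, concrete list: who renews, who revokes, and which orphaned certificates get decommissioned.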