Russian state-sponsored hackers are targeting network infrastructure devices worldwide, the US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the United Kingdom’s National Cyber Security Centre (NCSC) warned on Monday.
A joint technical alert published by the organizations says that the targets are “primarily government and private-sector organisations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.”
The attackers are compromising routers, switches, firewalls and network-based intrusion detection system (NIDS) devices in general, and in particular devices with Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI) or Simple Network Management Protocol (SNMP) enabled.
The goal of the attacks
“Since 2015, the US and UK Governments have received information from multiple sources — including private and public sector cybersecurity research organisations and allies — that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide,” the alert says.
The US and UK authorities believe that these operations enable espionage and intellectual property theft “that supports the Russian Federation’s national security and economic goals,” and could be also aimed at laying a foundation for future attacks.
In fact, the UK press reports statements from sources claiming that a cyber attack on Britain’s infrastructure is imminent, in response to the US and UK bombing of Syria. The attacks are reportedly expected to be accompanied by the release of compromising information about UK politicians, as well as increased “fake news” activity.
An official comment from the Russian government is yet to be released.
Time will tell if any of these worrisome possibilities will become reality. In the meantime, securing the targeted devices – in those countries and others – is always a good idea.
Network devices are ideal targets because, as the alert points out, most or all organisational and customer traffic must traverse these critical devices.
“A malicious actor with presence on an organisation’s gateway router has the ability to monitor, modify, and deny traffic to and from the organisation. A malicious actor with presence on an organisation’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts,” it notes.
“Organisations that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure – such as the Energy Sector – can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”
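The practical consequence of the point the alert makes is that the management-plane protocols named above (SMI, SNMP, GRE, plus the legacy unencrypted ones) should only ever be reachable from a trusted management network, and reaching them from anywhere else is worth an alert. The script below is an added example, not code from the alert or from the agencies involved: it runs a simple check of that kind over flow records. The flow format (`timestamp,src,dst,proto,dport`), the trusted management range and the sample records are constructed for illustration; the port and protocol numbers are the standard ones (Smart Install TCP/4786, SNMP UDP/161, Telnet TCP/23, HTTP TCP/80, GRE is IP protocol 47).

```python
"""Flag management-plane exposure of network devices in flow records.

Added example, not part of the alert. The flow format, the trusted
management range and SAMPLE_FLOWS are constructed for illustration;
the port/protocol numbers are the standard assignments.
"""
import ipaddress
from dataclasses import dataclass

# Management-plane services the alert singles out, keyed by
# (transport protocol, destination port).
MGMT_SERVICES = {
    ("tcp", 4786): "Cisco Smart Install",
    ("udp", 161): "SNMP",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP management",
}

# Assumed: devices are managed only from this range (constructed value).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    service: str
    reason: str


def is_trusted(ip):
    """True if the address lies inside one of the trusted management nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def parse_flow(line):
    """Parse 'ts,src,dst,proto,dport'; dport is '-' for protocols without ports.

    proto is 'tcp', 'udp', 'gre' or the IP protocol number as a string.
    """
    ts, src, dst, proto, dport = line.strip().split(",")
    proto = proto.lower()
    if proto == "47":  # IP protocol 47 is GRE
        proto = "gre"
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": None if dport == "-" else int(dport)}


def inspect_flow(flow):
    """Return a Finding for a suspicious flow, or None if it looks benign."""
    proto, dport = flow["proto"], flow["dport"]
    if proto == "gre":
        # A GRE tunnel from a device to an endpoint outside the trusted
        # range is a way to carry traffic off the network for inspection.
        if not is_trusted(flow["dst"]):
            return Finding(flow["src"], flow["dst"], "GRE",
                           "GRE tunnel to untrusted endpoint")
        return None
    service = MGMT_SERVICES.get((proto, dport))
    if service and not is_trusted(flow["src"]):
        return Finding(flow["src"], flow["dst"], service,
                       "management protocol reached from untrusted source")
    return None


def scan(lines):
    """Run inspect_flow over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = inspect_flow(parse_flow(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records: one trusted SNMP poll, two probes from the
# internet against a device, a GRE tunnel to an external host, trusted SSH.
SAMPLE_FLOWS = [
    "2018-04-16T10:01:02Z,10.0.100.5,10.0.1.1,udp,161",
    "2018-04-16T10:01:09Z,198.51.100.7,10.0.1.1,tcp,4786",
    "2018-04-16T10:02:30Z,198.51.100.7,10.0.1.1,udp,161",
    "2018-04-16T10:03:00Z,10.0.1.1,203.0.113.9,gre,-",
    "2018-04-16T10:04:11Z,10.0.100.5,10.0.1.1,tcp,22",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst} [{f.service}]: {f.reason}")
```

On the constructed sample this reports the Smart Install and SNMP probes from 198.51.100.7 and the GRE tunnel to 203.0.113.9, and stays quiet about the SNMP and SSH traffic that originates inside the management range. Flow records cannot tell you whether an SNMP session used v1/v2c community strings or v3 authentication, so this check complements, rather than replaces, reviewing the device configurations themselves.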
The DHS, FBI and NCSC have shared details about the tactics, techniques, and procedures used by Russian state-sponsored cyber actors to compromise victims, and have offered advice on how to detect exploitation attempts (successful or not) and how users, manufacturers, security vendors and ISPs can minimize or completely mitigate the possibility of compromise.