British and American intelligence agencies are warning of a potential cyber threat out of Russia.
On Monday, a joint UK/US taskforce issued an announcement that hackers backed by the Kremlin have been attempting to hijack routers worldwide and may have had some degree of success. Targets include internet service providers as well as government, small business, and home offices.
According to the alert issued by the United States Computer Emergency Readiness Team (CERT), the hackers appear to be attempting a takeover of network infrastructure. A joint team of security experts from the DHS, the FBI, and the UK’s National Cyber Security Centre (NCSC) has found compromised Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP) enabled devices in several countries.
Forbes reports that Rob Joyce, special assistant to the president and cybersecurity coordinator at the National Security Council, briefed the media ahead of the announcement, stating with “high confidence” that Russia was behind the attacks. The UK’s NCSC Director Ciaran Martin added that the hacks had been tracked back as far as a year.
"We can't rule out Russia may attempt to use this [hacked] infrastructure for further attacks."
The hackers have been attempting to breach routers, switches, firewalls and network intrusion detection systems as a means to execute man-in-the-middle attacks, says the CERT report.
“This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”
The attack vectors the hackers use consist of “legacy or weak protocols” on ports that are associated with network administration. According to the researchers, the attackers take advantage of the following vulnerabilities:
- devices with legacy unencrypted protocols or unauthenticated services,
- devices insufficiently hardened before installation, and
- devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).
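The three weaknesses above map directly onto settings an administrator can audit in a device's running configuration. The following is an added example, not part of the alert or this article: a small Python linter that scans Cisco IOS-style configuration text (a constructed sample, not from any real device) and flags cleartext management protocols (telnet, HTTP), SNMP v1/v2c community strings, and Smart Install left enabled (on IOS, `no vstack` is the command that disables it). The category names and the sample configs are assumptions made for the example.

```python
import re

# Constructed sample running-config in Cisco IOS style (not from any real
# device); the weak lines are deliberate so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community s3cret RW
ip http server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit_config(text):
    """Return a list of (category, detail) findings for the weak settings the
    alert calls out: unencrypted management protocols, weakly authenticated
    services, and Smart Install (SMI) left at its enabled default."""
    findings = []
    current_block = None      # the "line vty ..." block we are inside, if any
    saw_no_vstack = False     # "no vstack" disables Smart Install on IOS
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped == "no vstack":
            saw_no_vstack = True
        # SNMP v1/v2c community strings are cleartext shared secrets.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", stripped)
        if m:
            findings.append(("weak-auth", "SNMP v1/v2c community '%s' (%s)"
                             % (m.group(1), m.group(2) or "RO")))
        # Plain HTTP management sends credentials in the clear.
        if stripped == "ip http server":
            findings.append(("legacy-unencrypted", "HTTP management server enabled"))
        # Track vty blocks (indented children) so telnet findings name the range.
        if stripped.startswith("line vty"):
            current_block = stripped
        elif not raw.startswith(" "):
            current_block = None
        m = re.match(r"transport input (.+)", stripped)
        if m and current_block:
            transports = m.group(1).split()
            if "telnet" in transports or "all" in transports:
                findings.append(("legacy-unencrypted",
                                 "telnet accepted on '%s'" % current_block))
    if not saw_no_vstack:
        findings.append(("weak-auth", "Smart Install not disabled (missing 'no vstack')"))
    return findings
```

Run against SAMPLE_CONFIG it returns five findings; a hardened config (SNMPv3 groups, `ip http secure-server`, SSH-only vty lines, `no vstack`) returns none.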
The report did not name victims or the number of successful attacks. However, it did list preventative measures and signs to look for that would indicate that a network has been compromised by one of these attacks.
You can read the full report at CERT’s website.