Government departments and private businesses are being targeted in internet attacks orchestrated by the Russian government, exploiting commercially available network infrastructure.
That’s the claim contained in a warning issued by the United States, United Kingdom, and Australia, saying that since 2015 large numbers of enterprise-class and consumer routers, switches, firewalls, and Network-based Intrusion Detection Systems have been compromised to further the national security and economic goals of Russia.
A joint technical alert issued by the US Department of Homeland Security (DHS) and the UK’s National Cyber Security Centre (NCSC), and backed by the Australian government, warns that network devices are particularly attractive targets for attack because of the data that passes through them, opening opportunities to monitor and interfere with data travelling to and from an organisation.
And the consequences can be serious. Not only might there be opportunities to exploit legacy systems that use unencrypted protocols to scoop up passwords, but a malicious hacker could also conduct a man-in-the-middle attack to spy more generally, extract intellectual property, and maintain persistent access to a victim’s network.
Perhaps most worryingly, manipulated messages sent via a hijacked router in an industrial control system (as might be seen at a manufacturing or energy plant, for instance) could result in the loss of service or physical damage.
White House cybersecurity chief Rob Joyce described such threats as “a tremendous weapon in the hands of an adversary.”
And that’s why the US, British, and Australian governments are urging those tasked with defending networks to take action now, and mitigate against further exploitation of systems.
According to the warnings, Russian-backed hackers have targeted routers running out-of-date firmware, with misconfigured settings, or relying upon weak credentials for their security. In many cases the attacks have taken advantage of vulnerabilities in the Telnet, TFTP, SNMP, and SMI (Smart Install) protocols.
Specifically, the alert warns that malicious hackers are using SIET (Smart Install Exploitation Tool), a tool published on the internet in 2016 that allows for simple exploitation of Cisco routers with misconfigured SMI clients.
Cisco warned earlier this year of a “significant increase” in probes attempting to discover devices which had left SMI enabled without proper security controls, and has published further best practice guidance in light of this week’s government warnings.
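A defender-side check for the misconfigurations the alert names (Smart Install, TFTP, SNMP community strings and Telnet management), added here as an example that is not part of the original article, the governments' alert or Cisco's guidance: a small Python audit over a constructed Cisco IOS-style configuration. It assumes IOS command syntax (`no vstack`, `snmp-server community`, `transport input`) and uses invented sample values throughout.

```python
import re

# Constructed sample of a Cisco IOS-style running configuration, written for this
# example only; it is not taken from the alert or from any real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
tftp-server flash:switch-image.bin
snmp-server community public RO
snmp-server community l0ngRandomStr1ng RW
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

# Community strings shipped as defaults on many devices and widely guessed.
WEAK_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list:
    """Return findings for the exposures the alert names: Smart Install (SMI),
    TFTP, SNMP and Telnet. Each finding is a 'category: detail' string."""
    findings = []
    vty_block = None
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Smart Install is on by default on many Catalyst switches and only appears
    # in the running config as 'no vstack' once disabled, so check for absence.
    if "no vstack" not in lines:
        findings.append("smi: Smart Install not explicitly disabled ('no vstack' missing)")
    for line in lines:
        if line.startswith("tftp-server "):
            findings.append(f"tftp: device serves files over TFTP ({line})")
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: weak community string '{m.group(1)}'")
        if line.startswith("line vty"):
            vty_block = line  # remember which vty range the next transport line applies to
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(f"telnet: cleartext management allowed on '{vty_block}'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show running-config` capture, the audit reports the four exposures in the sample; a hardened config with `no vstack`, SSH-only vty lines and non-default community strings reports only the TFTP server line.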
Of course, we would be naïve to think that Russia is the only party interested in hijacking weakly-defended networking infrastructure. Criminal gangs, intelligence agencies, and other nation states (including, almost certainly, those who have raised the alarm about Russia) are just as aware of what they can achieve by “owning the router.”
But whoever is behind the attacks shouldn’t really matter that much to most of us in business. Warnings like that issued this week act as a timely reminder to both businesses and network infrastructure manufacturers to tighten their security, and harden systems against exploitation.
You don’t know where your attack might come from. But you can take steps to defend your organisation against the most pernicious threats.
Be sure to read the technical alert, which contains indicators of compromise (IOCs), and more technical details on the techniques being used by attackers on compromised networks.