In a first-of-its-kind advisory, the U.S. and U.K. warned of malicious cyber activity by state-sponsored Russian hackers who are targeting network infrastructure devices.

The U.S. and U.K. teamed up on Monday to issue an unprecedented joint warning about state-sponsored Russian hackers targeting critical network infrastructure devices. Working on behalf of the Russian government, the hackers are exploiting vulnerabilities and pwning routers worldwide.

A joint statement by the U.S. Department of Homeland Security, the FBI, and Britain’s National Cyber Security Centre warned of Russian state-sponsored cyber actors exploiting routers, switches, firewalls, and network intrusion detection systems belonging to government and private-sector organizations, as well as critical infrastructure providers, ISPs, and even small home offices.

Basically, anyone connected online is a potential target if they have not kept the software on their network equipment up to date and changed default passwords. Millions of devices are being targeted and pwned.

“Multiple sources including private and public-sector cybersecurity research organizations and allies have reported this activity to the US and UK governments,” the organizations say. The FBI “has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”

The government agencies reminded the public that if the Russians can own the router, then they can also own the traffic. “Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords,” said Howard Marshall, deputy assistant director of the FBI cyber division, in a New York Times article. “It is a tremendous weapon in the hands of an adversary.”

Vulnerable devices

Earlier this month, Cisco warned about a flaw in the Cisco Smart Install Client. Kaspersky Lab said that during an attack on data centers and internet providers, hackers were exploiting the flaw in Cisco switches and running arbitrary code.

Shortly thereafter, the hacker group “JHT” exploited the Cisco Smart Install client vulnerability on machines in Iran and Russia. The hackers left the message “Don’t mess with our elections” followed by a U.S. flag. The group claimed it “simply wanted to send a message” as they were “tired of attacks from government-backed hackers on the United States and other countries.”

In the jointly issued technical advisory, the U.S. and U.K. warned that Russian state-sponsored hackers have been busy with reconnaissance to discover vulnerable devices, weaponization, and exploitation. The Russians have been using the Smart Install Exploitation Tool (SIET), which has been online since November 2016, and have moved on to command and control.

The Russian government’s hackers don’t need to exploit zero-day vulnerabilities or install malware to compromise network devices, the advisory warned, as they can exploit weaknesses that stem from the use of legacy protocols or from poor security practices.

The Russian hackers could abuse those weaknesses to identify vulnerable devices, extract device configurations, map internal network architectures, harvest login credentials, masquerade as privileged users, modify device firmware, operating systems, and configurations, and copy or redirect victim traffic through infrastructure controlled by Russian cyber actors. They could also modify or deny router traffic. The advisory included a long list of potential mitigation strategies.

During a press conference call, White House cybersecurity coordinator Rob Joyce said “all elements of U.S. power” are going “to push back against these kinds of intrusions.” That includes “our capabilities in the physical world.”

Britain’s NCSC chief executive Ciaran Martin added, “This is the first time that in attributing a cyber attack to Russia the U.S. and the U.K. have, at the same time, issued joint advice to industry about how to manage the risks from attacks.”

Russia, of course, denies the accusations.