Critical infrastructure, governments and Internet service providers (ISPs) are all areas Russian state-sponsored hackers are targeting on a global basis, according to a joint technical alert released this week.
The focus of the attacks is “government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors,” according to the alert released by the U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC).
The attackers’ methods include compromising routers, switches, firewalls, and Network-based Intrusion Detection System (NIDS) devices, as well as network devices running Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP).
“Since 2015, the U.S. and UK Governments have received information from multiple sources — including private and public sector cybersecurity research organizations and allies — that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide,” the alert said.
“The current state of US and UK network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States and the United Kingdom,” the alert said.
“The rise in frequency and scope of cyberattacks on governments and critical infrastructure points to a modern form of stealth warfare that can disrupt the availability of basic goods and services across the world,” said Eddie Habibi, founder and chief executive of PAS Global. “This is a global phenomenon, and countries must come together to recognize the seriousness of bad actors’ cyber capabilities.
“During this time of severe political tension, it’s imperative that countries such as the U.S. and UK present a united front to establish global treaties on rules of cybersecurity engagement, as well as create alliances to foster information sharing. This, combined with greater collaboration between governments and their local infrastructure companies, is the best way to ensure proactive movement towards greater critical infrastructure security.”
U.S. and UK authorities believe these operations enable espionage and intellectual property theft “that supports the Russian Federation’s national security and economic goals,” and could also be aimed at laying a foundation for future attacks.
Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices, the alert points out.
“A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts,” the alert said.
Russian cyber actors do not need to leverage zero-day vulnerabilities, or install malware, to exploit these devices, the alert said. Instead, cyber actors take advantage of the following vulnerabilities:
• Devices with legacy unencrypted protocols or unauthenticated services
• Devices insufficiently hardened before installation
• Devices no longer supported with security patches by manufacturers or vendors (end-of-life devices)
Network devices are often easy targets. Once installed, network devices are not maintained at the same security level as other general-purpose desktops and servers.
The following factors can also contribute to the vulnerability of network devices:
• Few network devices – especially SOHO and residential-class routers – run antivirus, integrity-maintenance, and other security tools that help protect general purpose hosts
• Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance
• Owners and operators of network devices do not change vendor default settings, harden them for operations, or perform regular patching
• ISPs do not replace equipment on a customer’s property when that equipment is no longer supported by the manufacturer or vendor
• Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions
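The two lists above describe what the alert says attackers rely on: cleartext or unauthenticated management protocols, default settings left in place, and ease-of-install features that ship enabled. The following is an added example, not code from the alert or the article, showing how a defender can audit a Cisco IOS-style running configuration for exactly those conditions. The sample configuration is constructed for the example (the hostname and addresses are placeholders), and the checks assume the usual IOS command forms (`snmp-server community`, `ip http server`, `transport input`, `tunnel mode gre`, and `no vstack` to disable Smart Install).

```python
"""Audit a Cisco IOS-style running config for the weaknesses the joint alert
describes: unencrypted management protocols, default or unauthenticated
services, and ease-of-install features left enabled.

Added example for this article; the configuration below is constructed
(hypothetical device, documentation-range addresses), not from any real device.
"""
import re

# Constructed sample config: a deliberately weak edge router.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login
interface Tunnel0
 tunnel mode gre ip
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.7
"""

# Default SNMP v1/v2c community strings that vendors and operators commonly leave in place.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list[str]:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    # Smart Install is enabled by default on many switches and is only
    # turned off by an explicit 'no vstack', so its absence is a finding.
    if not any(line.strip() == "no vstack" for line in lines):
        findings.append(
            "smart-install: 'no vstack' not present; disable Smart Install if unused"
        )

    for line in lines:
        s = line.strip()

        # SNMP v1/v2c communities travel in cleartext; default names are worse.
        m = re.match(r"snmp-server community (\S+)\s*(RO|RW)?", s)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"snmp: default community '{name}' ({mode}); migrate to SNMPv3 authPriv"
                )
            else:
                findings.append(
                    f"snmp: v1/v2c community '{name}' ({mode}) is unencrypted; prefer SNMPv3"
                )

        # Cleartext HTTP management interface.
        if s == "ip http server":
            findings.append("http: cleartext HTTP management enabled; use 'no ip http server'")

        # Telnet permitted on a vty line (credentials cross the wire unencrypted).
        if s.startswith("transport input") and "telnet" in s.split():
            findings.append("telnet: cleartext Telnet allowed on vty; use 'transport input ssh'")

        # GRE carries no authentication or encryption of its own.
        if s.startswith("tunnel mode gre"):
            findings.append(
                "gre: GRE tunnel configured; confirm it is intended and protected (e.g. IPsec)"
            )

    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running the module prints one line per finding for the constructed config. In practice the same function can be fed the output of `show running-config` collected from each device, and a config that uses SSH-only vty access, SNMPv3, no HTTP server and an explicit `no vstack` produces an empty list.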