"OWN THE ROUTER, OWN THE TRAFFIC" —

Russian hackers mass-exploit routers in homes, govs, and infrastructure

The hacks steal passwords and clear the way for future attacks, officials warn.


Hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers, US and UK officials warned Monday.

The Russian government-sponsored actors are using the compromised devices to perform man-in-the-middle attacks that extract passwords, intellectual property, and other sensitive information and to lay the groundwork for potential intrusions in the future, the officials continued. The warning was included in a technical alert jointly issued by the US Department of Homeland Security and FBI and the UK's National Cyber Security Center.

"Since 2015, the US government received information from multiple sources—including private- and public-sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide," Monday's technical alert stated. "The US government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation's national security and economic goals."

The alert went on to warn that many network devices are poorly secured against remote intrusion. Devices that speak unencrypted management protocols, run firmware that no longer receives security patches, or were never hardened can be commandeered remotely with no zero-day exploit and no malware at all: an exposed telnet or SNMP service and a harvested credential is enough. Unlike the servers and desktops inside a targeted organization, network devices typically receive little ongoing maintenance, which makes them comparatively easy to take over and hard to notice once taken.

The alert continued:

Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization's gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems-Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

The alert identified multiple stages in the hacker campaign. They included:

  • reconnaissance, in which the hackers identify Internet-exposed ports used for telnet, the Simple Network Management Protocol (SNMP), Cisco Smart Install, and similar management services
  • weaponization and delivery of crafted traffic to vulnerable devices that causes them to return their configuration files, which contain password hashes (and, on Cisco devices, type 7 passwords, which are reversibly obfuscated rather than hashed) and other sensitive data
  • exploitation, in which the attackers log in to the devices with the credentials obtained in the previous stage
  • installation, abusing the Cisco Smart Install feature
  • command and control, in which the attackers masquerade as legitimate users or connect through a previously installed backdoor
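The reconnaissance and weaponization stages above, the poor device hygiene described earlier, and the Smart Install abuse Cisco warned about all come down to a handful of lines in a device's running configuration. The following checker is an added example written for this page; it is not code from the article, from Cisco, or from the DHS/FBI/NCSC alert. It audits an IOS-style configuration for the exposures the alert lists (Smart Install left enabled, telnet on the vty lines, default or unrestricted SNMP communities, and type 7 passwords) and demonstrates why a harvested config is a credential dump by decoding type 7 strings with Cisco's published XOR key. The two sample configurations are constructed for illustration: the hostname, community string, ACL name and addresses are made up, the `secret` hashes are placeholders, and the type 7 strings encode the well-known demonstration password "cisco".

```python
import re

# Cisco's published type 7 key. Type 7 is XOR obfuscation, not a hash,
# so a leaked config leaks these passwords in the clear.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: two-digit decimal seed, then hex byte pairs,
    each XORed with the key byte at (seed + position)."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def audit_config(config: str) -> list:
    """Return findings for the exposures the alert describes."""
    findings = []
    # Smart Install (TCP/4786) is on by default on many Catalyst switches;
    # 'no vstack' is the explicit off switch.
    if not re.search(r"^no vstack\b", config, re.M):
        findings.append("smart-install: 'no vstack' missing, TCP/4786 client may answer")
    # vty lines that accept telnet take logins in cleartext.
    for m in re.finditer(r"^\s*transport input (\S+)", config, re.M):
        if m.group(1) in ("telnet", "all"):
            findings.append(f"telnet: vty 'transport input {m.group(1)}'")
    # SNMPv1/v2c community strings travel in cleartext; a default string, or
    # one without an ACL, lets anyone who can reach UDP/161 read the device.
    for m in re.finditer(r"^snmp-server community (\S+)(.*)$", config, re.M):
        community, rest = m.group(1), m.group(2).split()
        if community.lower() in ("public", "private"):
            findings.append(f"snmp: default community '{community}'")
        if not [t for t in rest if t.upper() not in ("RO", "RW")]:
            findings.append(f"snmp: community '{community}' has no ACL")
    # Type 7 passwords in a harvested config are recoverable offline.
    for m in re.finditer(r"^(.*?)(?:password|key) 7 ([0-9A-Fa-f]{4,})", config, re.M):
        findings.append(f"type7: '{m.group(1).strip()}' decodes to "
                        f"'{decode_type7(m.group(2))}'")
    return findings


# Constructed sample: the kind of device the alert describes.
WEAK_CONFIG = """\
hostname edge-rtr1
enable password 7 0822455D0A16
username admin privilege 15 password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

# Constructed sample: the same device hardened. The secret values are
# placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname edge-rtr1
no vstack
enable secret 9 $9$placeholder-not-a-real-hash
username admin privilege 15 secret 9 $9$placeholder-not-a-real-hash
ip access-list standard SNMP-MGMT
 permit 10.0.0.0 0.0.0.255
snmp-server community Sn-mp-R3ad-0nly RO SNMP-MGMT
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Run against a real `show running-config` dump, the checker reports the lines an attacker holding that dump would act on first. The hardened sample disables Smart Install outright, accepts only SSH on the vty lines, restricts the SNMP community to a management ACL, and stores credentials as `secret` (hashed) rather than `password 7`; it produces no findings.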

Last week, Cisco issued its own advisory warning that its Smart Install client was being abused to compromise devices used by a variety of customers, including those who manage critical infrastructure.

Monday's technical alert is only the latest in a series of US government alerts detailing a Russia-sponsored hacking campaign dubbed Grizzly Steppe.
