Russia Hacking Routers, Firewalls in State Op, Says U.S. Cyber Team After Infrastructure Warning

An employee of Global Cyber Security Company Group-IB develops a computer code in an office in Moscow on Oct. 25, 2017. (AP Photo/Pavel Golovkin)

WASHINGTON — The U.S. Computer Emergency Readiness Team warned this week that Russian cyber teams have been infiltrating home and business routers, coming on the heels of last month’s alert that Russia has been targeting a wide range of infrastructure sectors including power, water and nuclear.

US-CERT said the alert, which applied to network devices running Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP), such as routers, switches, firewalls, and network-based intrusion detection systems, was the result of joint analysis from the Department of Homeland Security, the FBI, and the United Kingdom’s National Cyber Security Centre. Targets were described as “primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.”

“FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations,” US-CERT said.

The government urged everyone from vendors to small home businesses to assess weak protocols and service ports as “the current state of U.S. network devices — coupled with a Russian government campaign to exploit these devices — threatens the safety, security, and economic well-being of the United States.”

Russian cyber actors “do not need to leverage zero-day vulnerabilities or install malware to exploit” routers, the alert said, but take advantage of these vulnerabilities: “devices with legacy unencrypted protocols or unauthenticated services, devices insufficiently hardened before installation, and devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).”

“These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population… Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”

The hackers mainly gain access to routers by harvesting credentials that are protected only by weak passwords, though occasional “brute-force attacks” have also yielded login credentials.
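As an added example (not from the article or the alert), a small audit that reads a Cisco IOS-style configuration and flags the weak settings the alert describes: SNMPv1/v2c community strings, Smart Install left enabled, cleartext Telnet or HTTP management, and unencrypted line passwords. Both configurations below are constructed samples, not from any real device.

```python
import re

# Constructed sample config showing the weak settings the alert names.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community s3cretRW RW
snmp-server group v3grp v3 priv
ip http server
line vty 0 4
 transport input telnet
 password cisco
"""

# Constructed hardened counterpart: SNMPv3 only, Smart Install off, SSH/HTTPS only.
HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no vstack
snmp-server group v3grp v3 priv
ip http secure-server
line vty 0 4
 transport input ssh
"""

def audit_ios_config(text):
    """Return a list of (severity, finding) tuples for weak management settings."""
    findings = []
    lines = [l.rstrip() for l in text.splitlines()]
    # SNMPv1/v2c community strings are unauthenticated and sent in cleartext.
    for m in re.finditer(r"^snmp-server community (\S+)\s+(RO|RW)\b", text, re.M):
        weak = m.group(2) == "RW" or m.group(1).lower() in ("public", "private")
        findings.append(("HIGH" if weak else "MEDIUM",
                         f"SNMPv1/v2c community '{m.group(1)}' ({m.group(2)})"))
    # Smart Install listens on TCP/4786 unless explicitly disabled with 'no vstack'.
    if "no vstack" not in lines:
        findings.append(("HIGH", "Smart Install not disabled (missing 'no vstack')"))
    # Telnet on vty lines exposes login credentials on the wire.
    if any(re.match(r"\s*transport input (telnet|all)\b", l) for l in lines):
        findings.append(("HIGH", "Telnet allowed on vty lines (use 'transport input ssh')"))
    if "ip http server" in lines:
        findings.append(("MEDIUM", "Plain HTTP management enabled (use 'ip http secure-server')"))
    if "service password-encryption" not in lines:
        findings.append(("LOW", "Line passwords stored in cleartext (missing 'service password-encryption')"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```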

A month ago, US-CERT issued a joint DHS-FBI analysis on “Russian government actions targeting U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” said the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

The agencies assessed that Russia has been targeting the critical U.S. infrastructure centers since March 2016.

“This campaign comprises two distinct categories of victims: staging and intended targets,” reports US-CERT. “The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as ‘staging targets’ throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the ‘intended target.’”

A variety of access methods are being used in the attack, including spear-phishing emails from a compromised legitimate account, watering-hole domains (infecting websites the target is known to visit), credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting industrial control system (ICS) infrastructure.

“The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets,” the alert said. “DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations.”

“These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”

Hackers have also attempted to “remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.”