On 16 April 2018, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) issued a joint Technical Alert. It collates information on the global exploitation of network infrastructure devices and outlines the methods Russian state-sponsored cyber actors are using to compromise victim networks.
According to the report, the targets of this activity are primarily government and private sector organisations, critical infrastructure providers, and the Internet Service Providers (ISPs) that support these sectors. It also states that the FBI and NCSC have high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct so-called ‘man in the middle’ attacks.
These attacks are a serious concern and are designed to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
As part of these attacks, Russian cyber actors are leveraging legacy or weak protocols/service ports associated with network administration activities to:
They’re achieving this by taking advantage of devices that run legacy unencrypted protocols or unauthenticated services, devices that weren’t sufficiently hardened before installation, and devices that are no longer supported with security patches by their manufacturers or vendors.
In a critical infrastructure setting, it’s clear how dangerous this could be. For example, an actor controlling a router between Industrial Control Systems can manipulate the messages passing through it, creating dangerous configurations that could lead to loss of service or even physical destruction.
Networking devices, primarily Cisco, Juniper and MikroTik switches and routers, are the current targets. The exposed protocols being targeted include:
It’s vital to examine your estate immediately for vulnerable, exposed services. Action should also be taken to verify the integrity of both the device and your network in the event of any of the following:
Similarly, it’s also important to:
From here, follow your Incident Response process, taking into account all the advice you’ve received from vendors and suppliers. It’s also important to assess what credentials and other sensitive information or data may have been exposed, and to review your entire estate for problems on other devices. Then, of course, respond accordingly, based on what your investigations uncover.
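As an added example that is not part of the alert or of this article, the following Python script shows one way to carry out the estate review described above: it walks a device inventory and flags management services that are unencrypted or unauthenticated, together with devices that no longer receive vendor security patches, and ranks the findings by severity. The inventory, hostnames and addresses are constructed for illustration, and the set of services treated as legacy is this example's own assumption; the alert's actual list of targeted protocols is not reproduced on this page.

```python
"""
Audit a network-device inventory for exposed legacy management services.

Added example, not code from the alert or the article. The inventory below
is constructed, and the set of services treated as legacy/unencrypted is
this example's own assumption.
"""
from dataclasses import dataclass

# Assumption: management services commonly regarded as legacy, unencrypted
# or unauthenticated. Key: (protocol, transport, port); value: why flagged.
LEGACY_SERVICES = {
    ("telnet", "tcp", 23): "unencrypted remote administration",
    ("snmp-v1", "udp", 161): "plaintext, unauthenticated community strings",
    ("snmp-v2c", "udp", 161): "plaintext, unauthenticated community strings",
    ("tftp", "udp", 69): "unauthenticated configuration/image transfer",
    ("http", "tcp", 80): "unencrypted web management",
}


@dataclass
class Device:
    hostname: str
    vendor: str
    mgmt_ip: str
    services: list          # list of (protocol, transport, port) tuples
    vendor_supported: bool  # False once the vendor no longer ships patches
    internet_exposed: bool  # True if the management plane is reachable externally


@dataclass
class Finding:
    hostname: str
    severity: str
    issue: str


def audit_device(dev: Device) -> list:
    """Return a Finding for every legacy service and for lack of vendor support."""
    findings = []
    for svc in dev.services:
        reason = LEGACY_SERVICES.get(tuple(svc))
        if reason:
            # A legacy service reachable from outside the estate is treated as high.
            sev = "high" if dev.internet_exposed else "medium"
            findings.append(Finding(dev.hostname, sev, f"{svc[0]}/{svc[2]}: {reason}"))
    if not dev.vendor_supported:
        findings.append(Finding(dev.hostname, "high",
                                "device no longer receives vendor security patches"))
    return findings


def audit_inventory(devices) -> list:
    """Audit every device and return findings, highest severity first."""
    out = []
    for dev in devices:
        out.extend(audit_device(dev))
    order = {"high": 0, "medium": 1, "low": 2}
    out.sort(key=lambda f: (order[f.severity], f.hostname))
    return out


# Constructed inventory (documentation/private address ranges, invented hostnames).
INVENTORY = [
    Device("edge-rtr-01", "Cisco", "192.0.2.1",
           [("ssh", "tcp", 22), ("telnet", "tcp", 23), ("snmp-v2c", "udp", 161)],
           vendor_supported=True, internet_exposed=True),
    Device("core-sw-02", "Juniper", "10.0.0.2",
           [("ssh", "tcp", 22), ("snmp-v3", "udp", 161)],
           vendor_supported=True, internet_exposed=False),
    Device("branch-rtr-07", "MikroTik", "10.0.7.1",
           [("http", "tcp", 80), ("tftp", "udp", 69)],
           vendor_supported=False, internet_exposed=False),
]


def main():
    for f in audit_inventory(INVENTORY):
        print(f"[{f.severity.upper():6}] {f.hostname}: {f.issue}")


if __name__ == "__main__":
    main()
```

Running the script lists five findings: the externally reachable edge router's Telnet and SNMPv2c services and the unsupported branch router as high, and the branch router's HTTP and TFTP services as medium, while the core switch running only SSH and SNMPv3 produces nothing. In practice the inventory would be populated from your own scan or configuration-management export rather than hard-coded.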
To receive information about the latest developments on this threat and other key security stories evaluated by our security analysts around the clock, sign up to our daily threat intelligence alert service.