
A joint alert issued by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers.

US and UK officials say Russian state-sponsored hackers have been historically targeting Internet routing equipment in order "to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations."

Routers targeted because they're easy to hack

Authorities have been tracking these attacks since 2016, according to a joint Technical Alert (TA) published on the US-CERT website today.

"Network devices are ideal targets," the alert reads. "Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization."

"Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network," officials warned.

Hacks leveraged default creds, misconfigured devices, old flaws

At the technical level, attacks varied in methodology, scope, and purpose. Officials said Russian actors have exploited routers with outdated firmware, weak credentials, and misconfigured features to gain a foothold on vulnerable devices.

Hacked devices ranged from small home routers to ISP-grade routers and firewalls, with attackers trying to hoard as many systems as possible.

Attack vectors include Telnet, TFTP, SNMP, and Cisco Smart Install (SMI). All four are commonly exposed on routers, all send credentials or commands without encryption (Telnet logins and SNMPv1/v2c community strings travel in clear text, TFTP has no authentication at all, and SMI is unauthenticated by design), and all are easy to leave enabled or misconfigured.

The US-UK alert specifically mentions an exploitation tool called SIET (Smart Install Exploitation Tool) that was posted online in November 2016. The tool makes it trivial to abuse Cisco switches whose Smart Install client is reachable from untrusted networks, letting an attacker pull or replace the device configuration and firmware without credentials. Cisco recently warned that threat actors have started abusing this protocol; its guidance is to disable the client (`no vstack`) on any device that does not need it, and to block TCP port 4786 at the network edge.
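The alert's four attack vectors map to a handful of lines in a Cisco IOS-style configuration, so the quickest check a network operator can run is a config audit. The script below is an added example, not code from the alert or from Cisco: it flags Telnet on the vty lines, SNMPv1/v2c with well-known community strings or write access, an enabled TFTP server, and a Smart Install client that has not been explicitly disabled, and it shows the hardened configuration that passes clean. The two configurations and the device names are constructed for illustration; the `no vstack` check assumes a Smart Install-capable platform.

```python
"""Audit a Cisco IOS-style running-config for the weak settings the
DHS/FBI/NCSC alert calls out. Added example; the sample configs below are
constructed, not taken from a real device."""

import re

# Community strings that scanners and SIET-style tooling try first.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

SNMP_COMMUNITY_RE = re.compile(r"snmp-server community (\S+)\s*(RO|RW)?")


def audit_ios_config(config: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    in_vty = False          # inside a 'line vty ...' block (sub-commands are indented)
    smi_disabled = False    # saw 'no vstack'

    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()

        if stripped.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):   # unindented line ends the block
            in_vty = False

        # 1. Telnet (or 'all', which includes Telnet) accepted for remote login.
        if in_vty and stripped.startswith("transport input"):
            methods = stripped.split()[2:]
            if "telnet" in methods or "all" in methods:
                findings.append(f"Telnet accepted on vty lines: '{stripped}'")

        # 2. SNMPv1/v2c community strings: default names or RW access.
        m = SNMP_COMMUNITY_RE.match(stripped)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"   # IOS defaults to RO
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"SNMP v1/v2c community '{community}' ({mode}) is a well-known default")
            elif mode == "RW":
                findings.append(f"SNMP v1/v2c community '{community}' grants write access")

        # 3. Built-in TFTP server serving files (no authentication).
        if stripped.startswith("tftp-server "):
            findings.append(f"TFTP server enabled: '{stripped}'")

        # 4. Smart Install client explicitly turned off.
        if stripped == "no vstack":
            smi_disabled = True

    if not smi_disabled:
        findings.append("Smart Install client not explicitly disabled (add 'no vstack')")
    return findings


# Constructed 'before' config with every weakness the alert describes.
WEAK_CONFIG = """\
hostname edge-rtr
!
snmp-server community public RO
snmp-server community private RW
tftp-server flash:c2960-image.bin
!
line vty 0 4
 transport input telnet
 login local
!
end
"""

# Constructed hardened config: SMI off, SNMPv3 with auth+priv, SSH only, no TFTP.
HARDENED_CONFIG = """\
hostname edge-rtr
!
no vstack
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPass123 priv aes 128 PrivPass123
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print("  -", f)
```

Run against a saved `show running-config` the weak sample yields five findings and the hardened sample none. The checks are deliberately conservative: a community string that is not a default but is read-only is not flagged, even though the alert's advice is to retire v1/v2c entirely in favour of SNMPv3.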

Hacking routers is a recent trend among cyber-espionage groups

During a webinar last week, Kaspersky Lab researcher Costin Raiu pointed out that routers have become a common target for cyber-espionage groups, who use them either to infect the users behind them or as a giant proxy network to hide their tracks.

The joint alert [1, 2] contains a description of a basic attack, advice for securing routers, and indicators of compromise for known infections and threat actors.

The US, the UK, Canada, Australia, and New Zealand recently formally accused Russia of orchestrating the NotPetya ransomware outbreak. The US also imposed sanctions on Russia over that outbreak, cyber-attacks on the US power grid, and its attempts to influence the 2016 US presidential election.
