US, UK: Russian Hackers Deeply Embedded in Routers, SwitchesAdvice: Update Outdated Protocols, Equipment
The U.S. and U.K. warned Monday that Russian state-sponsored hackers have compromised critical internet infrastructure with the aim of spying, extracting intellectual property and gaining footholds for future cyberattacks.
The joint statement is the first time the two countries have together directly attributed cyberattacks to Russia. The warning came with detailed technical advice for how government agencies and private companies can defend equipment, including home office and enterprise routers and switches, allegedly targeted by Russia.
"We do not make this attribution lightly and will hold steadfast with our partners," says FBI Deputy Assistant Director Howard Marshall.
The targets of the Russian operations include government, private-sector organizations, critical infrastructure providers and ISPs.
Jeanette Manfra, the U.S. National Protection and Programs Directorate's assistant secretary for cybersecurity and communications, says Russia's activities threaten "the very integrity of our cyber ecosystem. We condemn this latest activity in the strongest possible terms, and we will not accept nor tolerate any malign foreign cyber operations, intrusions, or compromises - to include influence operations."
There are increasing worries over the vulnerability of critical infrastructure to cyberattacks. Many nations have embarked on projects designed to shore up the security of electricity suppliers, transportation networks and nuclear facilities.
"We do not make this attribution lightly and will hold steadfast with our partners."
—Howard Marshall, FBI deputy assistant director
Russia is one of the few countries suspected of carrying out cyberattacks that had kinetic effects, says Charles Carmakal, a vice president at Mandiant, FireEye's forensics arm. In 2015 and 2016, Ukrainian electricity providers went offline after a cyberattack against their systems, causing blackouts.
"Everybody knows Russia is considered to be one of the most elite cyber operators out there," Carmakal says. "They absolutely have the capability to cause significant destruction if they choose to do that."
Russia's targets have been routers, switches, firewalls and network intrusion detection systems. These critical systems and software are a pervasive part of internet infrastructure, responsible for transferring and filtering data traffic.
Most organizations - including security companies - spend very little time focusing on the security of routers, Carmakal says. "A lot of times people set up routers on day one, and they might configure it on day one, but beyond that, they don't really touch it," he says.
There's also a lack of tools to systematically check the integrity of routers across organizations or do forensic probes, Carmakal says. After an attack, the focus is usually on workstations, laptops and servers rather than trying to find back doors on routers or switches. There's no scalable way to do it, he says.
Companies often pay proper attention to their core switches and routers, but "it's every other device that they connect to the network that they forget about," Carmakal says.
Russia hasn't used exotic methods to gain a foothold. Instead, it has taken advantage of outdated protocols, the absence of encryption, incorrect configurations and unpatched devices.
"Many of the techniques used by Russia exploit basic weaknesses in network systems," says Ciaran Martin, CEO of the U.K.'s National Cyber Security Centre.
One technique used by Russia is man-in-the-middle attacks. That's where an adversary has compromised one end of a data exchange. By sitting "in the middle," the attacker has a full view of the data passing by.
"Organizations that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for these actors," according to the technical advisory, which was compiled by the U.S. Department of Homeland Security, FBI and the NCSC.
The weak or outdated devices are found by scanning the internet and "fingerprinting" devices, the advisory says. Attackers hunt for devices that respond to protocols such as telnet, http, simple network management protocol and Cisco Smart Install.
Sometimes, brute-force attacks are used to obtain telnet or secure shell credentials. But it's mostly inattentive credential management that provides a way in.
"Organizations that permit default or commonly used passwords, have weak password policies or permit passwords that can be derived from credential harvesting activities, allow cyber actors to easily guess or access legitimate user credentials," the advisory says.
Check Router Configurations
Russia has been using a tool to exploit SMI, which is an unauthenticated management protocol from Cisco, according to the advisory. Network admins use SMI to replace or overwrite files on a router or switch, which allows for remote administration and installation of new OS files.
But in November 2016, a hacking tool dubbed the Smart Install Exploitation tool was released. It takes advantage of the lack of authentication in SMI. "Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files," the advisory says.
The advisory also mentions as targets Juniper's JUNOS product line and Microtik, another router manufacturer. It warned that the configuration files should be checked for signs of possible tampering.
"Russian state-sponsored cyber actors could potentially target the network devices from other manufacturers," it warns. "Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions."