US, UK, and Australian governments accuse Russia of targeting networking infrastructure

Graham Cluley

April 17, 2018

US, UK, and Australian governments accuse Russia of targeting networking infrastructure

Government departments and private businesses are being targeted in internet attacks orchestrated by the Russian government, exploiting commercially available network infrastructure.

That’s the claim contained in a warning issued by the United States, United Kingdom, and Australia, saying that since 2015 large numbers of enterprise-class and consumer routers, switches, firewalls, and Network-based Intrusion Detection Systems have been compromised to further the national security and economic goals of Russia.

A joint technical alert issued by the US Department of Homeland Security (DHS) and the UK’s National Cyber Security Centre (NCSC), and backed by the Australian government, warns that network devices are particularly attractive targets for attack because of the data that passes through them, opening opportunities to monitor and interfere with data travelling to and from an organisation.

And the consequences can be serious.  Not only might there be opportunities to exploit legacy systems that use unencrypted protocols to scoop up passwords, but also a malicious hacker could conduct a man-in-the-middle attack to spy more generally, extracting intellectual property, and maintain persistent access to a victim’s network.

Perhaps most worryingly, manipulated messages sent via a hijacked router in an industrial control system (as might be seen at a manufacturing or energy plant, for instance) could result in the loss of service or physical damage.

White House cybersecurity chief Rob Joyce described such threats as “a tremendous weapon in the hands of an adversary.”

And that’s why the US, British, and Australian governments are urging those tasked with defending networks to take action now, and mitigate against further exploitation of systems.

According to the warnings, Russian-backed hackers have targeted routers running out-of-date firmware, with misconfigured settings, or relying upon weak credentials for their security.  In many cases the attacks have taken advantage of vulnerabilities in the Telnet, TFTP, SNMP, and SMI (Smart Install) protocols.

Specifically, the alert warns that malicious hackers are using SIET (Smart Installation Exploitation Tool) that was published on the internet in 2016 and allows for simple exploitation of Cisco routers with misconfigured SMI clients.

Cisco warned earlier this year of a “significant increase” in probes attempting to discover devices which had left SMI enabled without proper security controls, and has published further best practice guidance in light of this week’s government warnings.

Of course, we would be naïve to think that Russia is the only party interested in hijacking weakly-defended networking infrastructure.  Criminal gangs, intelligence agenices, and other nation states (including, almost certainly, those who have raised the alarm about Russia) are just as aware of what they can achieve by “owning the router.”

But whoever is behind the attacks shouldn’t really matter that much to most of us in business.  Warnings like that issued this week act as a timely reminder to both businesses and network infrastructure manufacturers to tighten their security, and harden systems against exploitation.

You don’t know where your attack might come from.  But you can take steps to defend your organisation against the most pernicious threats.

Be sure to read the technical alert, which contains indicators of compromise (IOCs), and more technical details on the techniques being used by attackers on compromised networks.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like