Security agencies warn of Russian cyber campaign against company networks

UK and US security agencies have alerted governments and private companies to a global, state-sponsored hacking campaign on network infrastructure thought to coming from Russia.

The FBI, Department for Homeland Security (DHS) and the National Cyber Security Centre (NCSC) issued a joint Technical Alert on Monday describing a Russian-backed assault on routers, switches, firewalls and other network-based systems in an attempt to launch man-in-the-middle attacks.

"[The] FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations," the alert read.

Reports compiled over the past three years have demonstrated that criminals are exploiting "large numbers of enterprise-class and SOHO/residential routers and switches worldwide".

Early analysis of the campaign has identified targets to primarily be government and private sector organisations, although those providing critical network infrastructure and internet services providers have also been hit by the attack, US authorities said.

It's thought that Russian cyber criminals have been able to exploit vulnerable or weak security protocols on infrastructure equipment, allowing them to map the entirety of a network.

Once inside, hackers have been found masquerading as privileged users, harvesting login credentials and device information, and even redirecting network traffic through criminal-controlled infrastructure.

Routers, switches and other such network hardware are proving to be popular targets for hackers as most or all organisational or customer traffic must be funnelled through these devices, the alert explained. Once installed into a system, these devices are rarely maintained to the same degree as other IT hardware, and few are protected by antivirus software or regular patches.

"An actor controlling a router between Industrial Control Systems Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure such as the energy sector can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network," the alert added.

The alert also offers some general advice on how to mitigate these styles of attacks, including the changing of any default passwords associated with a new device and the implementation of two-factor authentication.

However, specific advice has also been given to manufacturers, security vendors and ISPs, mostly in an attempt to force a move away from the use of legacy equipment or older protocol standards. It also warns that network operators should look out for malicious activity, and ensure that network devices are configured in a way that blocks unencrypted traffic from heading to external internet-based hosts.

The alert comes months after UK defence secretary Gavin Williamson suggested that a Russian cyber attack against Britain's infrastructure could cause "total chaos".

The NCSC also warned last week that the scale and severity of the threats facing UK businesses were "bigger than ever", and that it was highly likely 2018 would bring further attacks in the form of exploits to IoT devices and hacks on cloud services.

Image: Shutterstock

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.