Free Republic
Browse · Search
General/Chat
Topics · Post Article

Alert (TA18-106A): Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
U.S. Department of Homeland Security ^ | April 16, 2018 | US-CERT

Posted on 04/18/2018 6:28:42 AM PDT by COBOL2Java

Systems Affected

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

(Excerpt) Read more at us-cert.gov ...


TOPICS: Business/Economy; Chit/Chat; Computers/Internet; Science
The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.

Further details at the site.

1 posted on 04/18/2018 6:28:42 AM PDT by COBOL2Java

To: COBOL2Java

One more danger of an insecure internet. Computers due to irresponsibility are a bigger threat to civilized society than an aide.


2 posted on 04/18/2018 6:47:12 AM PDT by Retvet (Retvete)

To: COBOL2Java

Good stuff, thank you.


3 posted on 04/18/2018 6:47:16 AM PDT by Hostage (Article V)

To: COBOL2Java

Thanks for posting.

However, with the digital gangbang suffered via the Chinese hacking the Office of Personnel Management, the Veterans Administration, Yahoo, and now with the Zuckerberg operation, I am assured that the Russians “are too late to the party”.


4 posted on 04/18/2018 7:06:45 AM PDT by Terry L Smith (.)

To: COBOL2Java

Cisco devices. Interesting.

L


5 posted on 04/18/2018 7:09:31 AM PDT by Lurker (President Trump isn't our last chance. President Trump is THEIR last chance.)

To: Retvet
One more danger of an insecure internet. Computers due to irresponsibility are a bigger threat to civilized society than an aide.

Plug-n-play routers! A wardriver's dream!

ID: admin
Password: password

Woo hoo!

All ports open? Yeah, baby!

6 posted on 04/18/2018 7:19:29 AM PDT by COBOL2Java (Marxism: Wonderful theory, wrong species)

To: Hostage

If these network devices were properly configured to begin with, there would be no issue.

Unfortunately, many of the idiots responsible for proper configurations and security practices are also responsible for the network that runs critical infrastructure.

Power, Sewer, Water, Communications, Banking etc.


7 posted on 04/18/2018 9:23:19 AM PDT by Mariner (War Criminal #18)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson