The Department of Homeland Security, FBI and National Cyber Security Centre (NCSC) have released a joint Technical Alert warning Russia has sponsored a series of cyber intrusions that threatened home and business routers.
The extent of the alleged Russian footprint is unknown for the moment, though the primary targets are primarily government and private-sector organisations, critical infrastructure providers, and the ISPs supporting these sectors. Although this is the first time specific guidance has been released, the US and UK have been warning for months Russia could be targeting electricity grids and other infrastructure such as banks, hospitals and air traffic control systems.
“Russian government activities continue to threaten our respective safety, security, and the very integrity of our cyber ecosystem,” said Jeanette Manfra of Homeland Security. “We call on all responsible nations to use their resources – including diplomatic, law enforcement, technical, and other means – to address the Russian cyber threat.”
“Russia is our most capable hostile adversary in cyberspace so tackling them is a major priority for the National Cyber Security Centre and our US allies,” said Ciaran Martin, CEO of the National Cyber Security Centre. “For over twenty years, GCHQ has been tracking the key Russian cyber-attack groups and today’s joint UK-U.S. alert shows that the threat has not gone away.”
The Technical Alert (TA) warns the nefarious activity has been on-going since 2015, with the aim to aid Russian espionage actions while also contributing to intellectual property which fuels certain areas of the Russian economy. The state-sponsored hackers target enterprise-class and residential routers and switches, without any national prejudice; this seems to be a mine-sweep for information, not aggression against any one nation.
Network devices are noted as the perfect target here, as the TA notes once a hacker owns the routers, he/she also owns all the traffic which passes through the device. Maintaining a presence on the router not only allows the hacker to monitor information which passes through the device, but also control it. Information could be modified or even denied passageway through the gateway. The attacks, known as ‘Man-in-the-middle’, can support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
Above all else, these devices are easy to manipulate on a mass-scale. Once installed, rarely are these devices maintained at the same security level as other general-purpose desktops and servers, or replaced by the ISP when a relationship with a vendor ends. It is also the last place users generally look when there has been a breach or hack. Most of time routers are hidden away and never touched unless services are down. It is an easy target for hackers whose objectives will be based on quantity as well as quality.
The TA now recommends ISPs do not field equipment in the network core or to customer premises with legacy, unencrypted, or unauthenticated protocols and services, while also disabling any equipment or services which might be deemed as legacy or unencrypted. This could potentially cause a massive disruption to some ISPs who have not travelled as far along the modernization journey as others, but will also cause some significant headaches from an inventory perspective. Perhaps we are about to find out which ISPs have a handle on what equipment is in the field and what condition it is in.
One interesting question will be how seriously the telcos take this threat. There will be legacy and unencrypted equipment in the field, as well as equipment no longer supported by the vendor with software updates and security patches, or products from vendors which no-longer feature in the supply chain. On the advice from the TA, all this equipment should be upgraded or replaced, which would not be a cheap exercise, but how many telcos will actually follow the expensive advice.
While the threat of cyber espionage is of course worrying, this is another scenario which can be added onto the list for those who are fighting against globalization trends. In the US, we have already seen various tariffs and penalties imposed on Chinese companies, for right and wrong reasons, a threat from Russia and its intelligence agencies will create further fear and encourage some nations to close borders (both physical and digital) further.
For more specific guidance on how to tackle the threat, you can follow this link.