Threat Advisory: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
April 17, 2018
A joint alert issued by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warns that Russian state-sponsored cyber actors are actively targeting home and enterprise routers.
Since 2015, the U.S. Government has received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide.
The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that support the Russian Federation's national security and economic goals.
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to:
- Identify vulnerable devices
- Extract device configurations
- Map internal network architectures
- Harvest login credentials
- Masquerade as privileged users
- Modify device firmware, operating systems, and configurations
- Copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure
- Potentially modify or deny traffic traversing through the router
Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include:
- Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),
- Hypertext Transfer Protocol (HTTP, port 80),
- Simple Network Management Protocol (SNMP, ports 161/162), and
- Cisco Smart Install (SMI port 4786).
Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to:
- Extract additional configuration information,
- Export the OS image file to an externally located cyber actor-controlled FTP server,
- Modify device configurations,
- Create Generic Routing Encapsulation (GRE) tunnels, or
- Mirror or redirect network traffic through other network infrastructure they control.
Russian cyber actors were also observed using a Smart Install Exploitation Tool (SIET).
- SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.
- SIET can be leveraged to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.
To properly address this threat and secure your environment, we recommend the following:
- Ensure that management interfaces for network infrastructure are not Internet-facing.
- Change default passwords and enforce a strong password policy.
- Disable unused services such as Telnet, SNMPv1 and v2c, Cisco Smart Install client, etc.
- Review network device logs and netflow data for indications of suspicious TCP Telnet-protocol traffic directed at port 23 on all network device hosts.
- Review network device logs and netflow data for indications of suspicious UDP SNMP traffic directed at port 161/162 on all network-device hosts.
- Inspect for the presence of IP protocol 47 (GRE) traffic flowing to or from unexpected addresses, or for the unexplained creation, modification, or destruction of GRE tunnels in device log files.
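The three detection items above can be turned into a first-pass triage over exported NetFlow records and device syslog. The following is an added example, not code from the advisory or from US-CERT: the management network, device addresses, expected GRE peers, flow field names and the sample records are all constructed for illustration and must be replaced with your own inventory.

```python
"""Triage NetFlow-style records and Cisco IOS syslog for the advisory's detection items.
Added example, not from the advisory; networks, device addresses and sample records are
constructed for illustration."""
from dataclasses import dataclass
import ipaddress
import re

# Assumed (hypothetical): hosts permitted to manage network devices.
MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]
# Assumed (hypothetical): addresses of your routers and switches.
DEVICE_ADDRS = {"10.0.1.1", "10.0.1.2"}
# Assumed (hypothetical): far ends of GRE tunnels that were deliberately configured.
EXPECTED_GRE_PEERS = {"198.51.100.10"}

GRE = 47  # IP protocol number for GRE; TCP is 6, UDP is 17
TELNET_PORTS = {23}
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int   # 0 for GRE, which has no ports
    dport: int
    packets: int


def is_management_host(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def triage_flows(flows):
    """Return (rule, src, dst) triples for flows matching the three recommendations."""
    findings = []
    for f in flows:
        if f.proto == GRE:
            # Either end of a GRE flow may be our device; the other end is the tunnel peer.
            for local, peer in ((f.src, f.dst), (f.dst, f.src)):
                if local in DEVICE_ADDRS and peer not in EXPECTED_GRE_PEERS:
                    findings.append(("gre-unexpected-peer", local, peer))
            continue
        if f.dst not in DEVICE_ADDRS or is_management_host(f.src):
            continue  # only traffic reaching a device from a non-management host matters
        if f.proto == 6 and f.dport in TELNET_PORTS:
            findings.append(("telnet-from-non-management", f.src, f.dst))
        elif f.proto == 17 and f.dport in SNMP_PORTS:
            findings.append(("snmp-from-non-management", f.src, f.dst))
    return findings


# Cisco IOS interface and config-session message formats; sample lines below are constructed.
TUNNEL_RE = re.compile(r"Interface (Tunnel\d+), changed state to (up|down)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+)(?: on \S+ \(([\d.]+)\))?")


def triage_syslog(lines):
    """Flag tunnel interface state changes and config sessions from non-management hosts."""
    findings = []
    for line in lines:
        m = TUNNEL_RE.search(line)
        if m:
            findings.append(("tunnel-state-change", m.group(1), m.group(2)))
            continue
        m = CONFIG_RE.search(line)
        if m and m.group(2) and not is_management_host(m.group(2)):
            findings.append(("config-from-non-management", m.group(1), m.group(2)))
    return findings


# Constructed sample input.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.1.1", 6, 51234, 23, 12),      # Telnet from the Internet
    Flow("10.0.100.5", "10.0.1.1", 6, 40211, 23, 30),       # Telnet from the management net
    Flow("203.0.113.8", "10.0.1.2", 17, 53000, 161, 4),     # SNMP get from the Internet
    Flow("10.0.1.1", "198.51.100.10", GRE, 0, 0, 100),      # GRE to a known tunnel peer
    Flow("10.0.1.2", "203.0.113.9", GRE, 0, 0, 250),        # GRE to an unknown peer
    Flow("203.0.113.7", "10.0.1.1", 6, 51235, 80, 5),       # HTTP: not covered by port rules
]
SAMPLE_SYSLOG = [
    "Apr 17 10:01:58: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)",
    "Apr 17 10:02:11: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up",
    "Apr 17 10:02:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up",
    "Apr 17 09:00:00: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.100.5)",
]

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS) + triage_syslog(SAMPLE_SYSLOG):
        print(*finding)
```

Two caveats a practitioner should keep in mind. The port rules only see Telnet on port 23; the advisory notes the actors also direct Telnet to ports such as 80 and 8080, which flow records cannot distinguish from HTTP, so that case needs payload inspection or device-side login logging. The GRE rule is only as good as the inventory of expected tunnel peers, so review that list when tunnels are legitimately added or removed.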
For more details on this threat alert, please take a look at the resources below:
- Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- US, UK Accuse Russia of Hacking Home Routers and ISPs to Conduct MitM Attacks
- Russia Accused of Global Net Hack Attacks
- Aussie Firms Targeted by Russian State Hackers
To learn more about how Herjavec Group can help you secure your environment, please connect with a security specialist.
Herjavec Group circulates US-CERT advisories when a notification warrants attention and may have significance to your enterprise network environment. If this advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group's analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.