Russian Cyber Actors Preying on Network Devices, Authorities Warn

Russian state-sponsored cyber actors are exploiting routers and other network infrastructure devices worldwide to conduct man-in-the-middle attacks that specifically target critical infrastructure providers and other sectors, the U.S. Department of Homeland Security (DHS), the FBI, and the UK’s National Cyber Security Centre (NCSC) warned in a new joint technical alert.

In the U.S. Computer Emergency Readiness Team (US-CERT) report issued on April 16, and revised on April 18,  the FBI explicitly emphasizes it has “high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”

The report, a result of analytic efforts by the U.S. and UK entities that identifies victims through a coordinated series of actions between U.S. and international partners, urges readers to act on past alerts and advisories issued by the U.S., the UK, and “allied governments,” along with reports issued by network device manufacturers and private sector security organizations.

“The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States,” it warns.

Network Devices Are Vulnerable

The report cautions that most or all organizational and customer traffic must traverse network infrastructure devices—which include routers, switches, firewalls, and network-based intrusion detection system (NIDS) devices. But they are easy targets because many are “not maintained at the same security level as other general-purpose desktops and servers.” It warns that a malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.

Particularly vulnerable are “organizations that use legacy, unencrypted protocols to manage hosts and services” because they make successful credential harvesting easy for these actors. For the power sector, as well as other critical infrastructure sectors, the warning is especially dire considering that an actor controlling a router between industrial control systems-Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers “can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network,” it says.

Manufacturers build and distribute network devices with exploitable services to ease installation, operation, and maintenance, and owners and operators of these devices often do not change vendor default settings, harden them for operation, or perform regular patching. As critically, “Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions,” it says.

How Attacks Can Be Carried Out

The report warns that Russian state-sponsored cyber actors have conducted “both broad-scale and targeted scanning of Internet address spaces.” That scanning allows them to identify internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices.

Specifically, commercial and government security groups identified “specially crafted” simple network management protocol (SNMP) and Cisco Smart Install (SMI) packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. “The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation,” it says.

Cyber actors then primarily masquerade as legitimate users to access routers, though in some cases, actors have used “brute-force” attacks to obtain Telnet and SSH login credentials. Once logged into a device, cyber actors could extract additional configuration information, export an operating system image file to an external cyber actor FTP server, modify device configurations, create Generic Routing Encapsulation (GRE) tunnels, or mirror and redirect network traffic through other network infrastructure they control.

The report outlines a number of solutions for Telnet, SNMP, SMI, and TFTP use along with mitigation strategies.

An Escalating Cyberwar

The joint alert is the latest in a string of worrisome discoveries concerning the tactics employed by state-sponsored actors aimed at compromising ICS and other critical infrastructure. In March, the DHS warned that Russian government cyber threat actors had infiltrated workstations and servers of corporate networks containing data output from ICS or SCADA systems associated with an unnamed number of power plants.

Industry, too, is increasingly perturbed by growing risks associated with cyberattacks. Siemens and a number of business partners recently established a “Charter of Trust,” to set minimum general standards for cybersecurity that keep up with requirements posed by modern technology. According to Siemens, while 8.4 billion networked devices were in use in 2017, experts estimate that 20.4 billion such devices will be in operation by 2020.

In the U.S., meanwhile, the Commerce Department’s National Institute of Standards and Technology (NIST) on April 16 released a revised version of a framework to improve critical infrastructure cybersecurity. Version 1.1 includes updates on authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and vulnerability disclosure.

The Department of Energy (DOE) on April 16 also made a $25 million funding opportunity announcement, seeking applications to conduct research and development in five areas, including cyber-secure cloud-based technologies in the operation technology environment.

Legislators, too, are scrambling to deal with rising threats. Over the past week, a new bipartisan bill was introduced in the House to respond to state-sponsored cyberattacks against the U.S., and the House Energy and Commerce subcommittee approved four bipartisan measures to elevate the DOE’s cyber response and engagement.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)