The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert warning American and British organizations that Russian state-sponsored actors are targeting their network infrastructure devices, such as routers.
The alert specified three types of devices that are being targeted:
- Generic Routing Encapsulation (GRE) enabled devices
- Cisco Smart Install (SMI) enabled devices
- Simple Network Management Protocol (SNMP) enabled devices
What the three have in common is that they are management or tunnelling services that are frequently left reachable from untrusted networks with little or no authentication: Smart Install has none by design, SNMPv1 and v2c accept a plaintext community string as their only credential, and GRE tunnels carry no authentication or encryption of their own.
The joint technical alert is the result of work between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). The alert warns of worldwide cyber exploitation by Russian hackers of network infrastructure devices including routers, switches, firewalls, and network-based intrusion detection systems.
“FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks,” states the alert. In such an attack the compromised router sits in the path of traffic, so the attacker can read, and potentially modify or redirect, data passing between hosts on the network and servers on the internet.
Targets are primarily government and private-sector organizations, critical infrastructure providers, and internet service providers (ISPs).
“The current state of U.S. network devices — coupled with a Russian government campaign to exploit these devices — threatens the safety, security, and economic well-being of the United States,” according to the alert.
The groups behind the technical alert said network devices are often easy targets. Several factors contribute to their vulnerability: manufacturers ship devices with exploitable services enabled to ease installation, operation, and maintenance; device owners do not change vendor default settings, harden the devices, or patch them regularly; ISPs do not replace customer-premises equipment once the manufacturer stops supporting it; and operators often overlook network devices when they investigate intrusions.
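One of the factors above, the unchanged vendor default, can be checked directly: ask each device whether its SNMP agent still answers to a default community string. The script below is an added example, not code from the alert, from Cisco, or from this article. It hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER, sends it with the community strings `public` and `private` (the usual vendor defaults, an assumption you should extend with your own vendor's defaults), and treats any GetResponse that echoes the request-id as proof that the community is accepted, because an SNMPv1 agent silently drops requests carrying an unknown community. The target host comes from the command line, and the embedded sample response used to exercise the decoder is constructed, not captured traffic.

```python
"""Probe a device for SNMPv1 default community strings (added example, not
from the alert or from Cisco).  Hand-rolled BER so it needs no dependencies.
Only run it against devices you are authorised to test."""
import socket
import sys

DEFAULT_COMMUNITIES = ("public", "private")  # assumed vendor defaults
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


def ber_len(n):
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(arcs):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, request_id=1, oid=SYS_DESCR_OID):
    """SNMPv1 GetRequest (PDU tag 0xA0) for one OID with a NULL placeholder."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    # version 0 == SNMPv1; the community string is the only "credential"
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf):
    """Split one TLV off the front of buf -> (tag, value, remainder)."""
    tag, first = buf[0], buf[1]
    pos = 2 if first < 0x80 else 2 + (first & 0x7F)
    length = first if first < 0x80 else int.from_bytes(buf[2:pos], "big")
    return tag, buf[pos:pos + length], buf[pos + length:]


def parse_get_response(packet):
    """Decode a GetResponse -> (request_id, error_status, community, value);
    value is the OCTET STRING bytes, or None if the agent returned another type."""
    tag, msg, _ = parse_tlv(packet)
    _, _ver, rest = parse_tlv(msg)
    _, community, rest = parse_tlv(rest)
    ptag, pdu, _ = parse_tlv(rest)
    if tag != 0x30 or ptag != 0xA2:
        raise ValueError("not an SNMP GetResponse")
    _, rid, rest = parse_tlv(pdu)
    _, err, rest = parse_tlv(rest)
    _, _idx, rest = parse_tlv(rest)
    _, vb_list, _ = parse_tlv(rest)
    _, vb, _ = parse_tlv(vb_list)
    _, _oid, rest = parse_tlv(vb)
    vtag, value, _ = parse_tlv(rest)
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True),
            community.decode(errors="replace"),
            value if vtag == 0x04 else None)


# Constructed sample (not captured traffic): a GetResponse with request-id 1,
# community "public", and sysDescr.0 = "Cisco IOS".
SAMPLE_RESPONSE = bytes.fromhex(
    "302f02010004067075626c6963a222020101020100020100"
    "3017301506082b060102010101000409436973636f20494f53")


def probe_default_communities(host, communities=DEFAULT_COMMUNITIES,
                              port=161, timeout=2.0):
    """Return [(community, sysDescr)] for each community the agent accepts.
    A v1 agent silently drops requests with an unknown community, so any
    GetResponse echoing our request-id proves the string is live."""
    accepted = []
    for rid, community in enumerate(communities, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community, rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
        got_rid, _err, _comm, value = parse_get_response(data)
        if got_rid == rid:
            accepted.append((community, value.decode(errors="replace")
                             if value else None))
    return accepted


if __name__ == "__main__":
    for community, descr in probe_default_communities(sys.argv[1]):
        print(f"{sys.argv[1]}: community {community!r} accepted -> {descr}")
```

A hit means a plaintext default credential is answering on UDP/161, which is exactly the "vendor default never changed" condition the alert describes; the fix is to remove the community string and, if SNMP polling is still needed, move to SNMPv3 and restrict the management plane to the monitoring hosts. Note that the probe is one-way evidence only: no answer does not prove SNMP is disabled, since a filter in the path or a non-default community produces the same silence.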
Cisco itself recently issued a warning about the misuse of its Smart Install client. “Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol,” stated Cisco. “Some of these attacks are believed to be associated with nation-state actors.”
The lengthy technical alert from US-CERT provides detection and mitigation guidance for each of the three device classes listed above.