
Malicious Russian cyber activity

by Mark Rowe

The United States Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) released a joint Technical Alert about malicious cyber activity carried out by the Russian Government.

The US and UK say the targets of this malicious cyber activity are primarily government and the private sector, critical infrastructure, and the internet service providers (ISPs) supporting these sectors. The exploits are directed at network infrastructure devices such as routers, switches, firewalls and Network Intrusion Detection Systems (NIDS).

Network device vendors, ISPs, public and private sector and small-office and home-office customers should read the alert (TA18-106A) and act on the recommended mitigation strategies, the authorities say. The alert contains indicators of compromise, technical details on the tactics, techniques and procedures (TTPs), and contextual information regarding observed behaviors on the networks of compromised victims.

They add that Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations. Multiple sources, including private and public-sector cyber security research organisations and allies, have reported this activity to the US and UK governments.

Ciaran Martin, CEO of the National Cyber Security Centre, called Russia ‘our most capable hostile adversary in cyberspace’ and said tackling them is a major priority for the NCSC and US allies. “This is the first time that in attributing a cyber attack to Russia the US and the UK have, at the same time, issued joint advice to industry about how to manage the risks from the attack. It marks an important step in our fight back against state-sponsored aggression in cyberspace. For over 20 years, GCHQ has been tracking the key Russian cyber attack groups and today’s joint UK-US alert shows that the threat has not gone away. The UK government will continue to work with the U.S., other international allies and industry partners to expose Russia’s unacceptable cyber behaviour, so they are held accountable for their actions.

“Many of the techniques used by Russia exploit basic weaknesses in network systems. The NCSC is leading the way globally to automate defences at scale to take away some of those basic attacks, thereby allowing us to focus on the most potent threats.”

Comments

Anthony Chadd, senior director, EMEA, at Neustar, said the warnings that Kremlin-backed cyber experts are probably sitting invisibly on networks in the hope of collecting information should come as no surprise.

“We are already aware that the Russians are armed with the vast capabilities, resources and motives to steal classified information from governments, and are able to unleash disruption to key industries globally. But today’s news highlights the increasing intensity of the Russian offensive, as it has been revealed that Kremlin cyber-experts have been proactively targeting routers in British homes, scanning for weaknesses such as obvious passwords and expired anti-virus software.

“With such an obvious imposition on US and UK security, it is of the greatest importance that the push for key industries to strengthen their cyber-defences is put in place – fast. This includes deploying efficient technologies and ensuring key processes are up to scratch. However, these marching orders should not just apply to the government, but also to society as a whole. Every citizen should be proactive in their own cyber-defence, but US and UK governments must make educating the general public a priority, reinforcing the necessity for effective usernames and passwords to prevent their data getting into the wrong hands.”

To be proactive in cyber defences, citizens and businesses should be aware of the importance of securing any IoT (Internet of Things) devices, as a crucial first point of defence, he added. “This involves ensuring that the proper procedures are in place and that anti-virus software in every device is updated frequently.”

And Gavin Millard, technical director at Tenable, said: “Irrelevant of who the threat actors are or their motivations, the existence of an easily exploited vulnerability on critical infrastructure connected to the internet should be addressed immediately. As stated in the technical alert, if a threat actor can gain privileged access to a router, the options for further exploitation are endless.

“It’s important to note, even though the recently disclosed Cisco Smart Install vulnerability doesn’t affect routers, unfortunately there are over 100,000 switches that could be vulnerable currently exposed to the internet. Similar to MS17-10, the vulnerability in SMBv1 leveraged for the global Wannacry attack, these flaws affect protocols that should never be exposed to the internet but frequently are due to a lack of basic security hygiene.

“Owners and operators of MOXA EDR-810 industrial routers, frequently deployed to secure highly critical environments, should take particular note of this advisory as a slew of recently disclosed vulnerabilities could lead to many of the issues outlined.

“The guide from the joint task force includes some good best practices that should be enforced to reduce the chance of a router falling under the control of an attacker, irrelevant of their country of origin or motivation.”


© 2024 Professional Security Magazine. All rights reserved.
