With partners the UK official National Cyber Security Centre (NCSC) – a part of the Government monitoring agency GCHQ – has published an advisory on the methods of Russia’s Federal Security Service (FSB) Centre 16 cyber actors. The NCSC says they are exploiting vulnerable routers and opportunistically targeting networks belonging to critical national infrastructure (CNI) globally.
In more detail, Centre 16, also known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords. Jonathon Ellison, NCSC Director of National Resilience, described the joint advisory as providing decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations. He said: “The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter. I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise.”
For the advisory in full visit the US CISA (Cybersecurity and Infrastructure Security Agency) website.
Comments
Graham Taylor CBE, Director Defence Strategy for Northern Europe at the platform OPSWAT, said: “Legacy Simple Network Management Protocol (SNMP) is often more prevalent in critical infrastructure environments because organisations operate long-lived OT and industrial equipment that may remain in service for 15–30 years, with some older network devices only supporting SNMPv1/v2c. Legacy SNMP versions rely on community strings for access control rather than the strong authentication and encryption mechanisms provided by SNMPv3. As highlighted by the NCSC, Russian threat actors scan the internet for devices using weak or default SNMP community strings and passwords to identify vulnerable routers.
“The NCSC advises critical infrastructure organisations to restrict access to management protocols through appropriate access controls. Beyond securing network management interfaces, organisations should ensure secure transfer of data both within and across OT to IT and air-gapped environments. Implementing secure file transfer technologies, together with file inspection and malware scanning, can help prevent malicious payloads from entering critical systems via trusted data exchanges.”
And Daniel dos Santos, Senior, Director, Head of Research at Forescout, said: “The new advisory is very relevant as we have been reporting increasing targeting of network infrastructure devices, such as routers, firewalls and VPN appliances for a few years. These devices accounted for 3pc of exploits we observed in 2022 but are now 19 per cent and they consistently appear as the riskiest device categories. What stands out as a distinctive technique in this advisory is the use of Simple Network Management Protocol (SNMP)scanning. Last year, we exposed industrial routers as honeypots to capture attacker behaviour and noticed that 97 per cent of interactions with the exposed devices were SNMP requests.
“Attackers are well aware of the weak points that can be exploited in these devices, therefore organizations need to ensure they follow the mitigation recommendations laid out in the advisory such as using newer versions with SNMP, employing strong authentication with unique passwords, restricting access to management protocols and using latest firmware versions to patch vulnerabilities. What the advisory does not detail, however, is that in order to apply these mitigations, organizations need to have a precise and continuously updated asset inventory. It’s not possible to patch a device or restrict access to it if you don’t first know that it is present on the network.”




