Malicious cyber actors carried out by the Russian Government are targeting network infrastructure devices (e.g., routers, switches, firewalls, Network-based Intrusion Detection System (NIDS) devices).
The dire warning and latest joint Technical Alert (TA) was issued on Monday by The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom’s (UK) National Cyber Security Centre (NCSC). The U.S. Government refers to malicious cyber activity by the Russian government as GRIZZLY STEPPE.
The alert provides details on how Russian state-sponsored hackers are exploiting network infrastructure devices and targeting primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.
An excerpt from the alert (TA18-106A):
 “The report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union…This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”
The TA includes common network device control weaknesses such as:
- Devices with legacy unencrypted protocols or unauthenticated services.
- Devices insufficiently hardened before installation.
- Devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).
Furthermore, once hackers own the routers, they own the traffic according to the experts: “A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.”
Unencrypted or weak protocols used by systems or apps within the internal network then make it easy for cyber actors to harvest credentials.
Since network devices are often easy targets, network admins should take extra precaution to keep firmware and software up to date and ensure devices are hardened (to include removal of legacy, insecure protocols, disable unneeded services and strong authentication).
It is also worth noting the latest warning comes just a month after previous alert (TA18-074A) of Russian Government cyber activity that has been targeting energy and other critical infrastructure sectors.