This week, Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) sent out a technical alert (#TA18-106A) to “inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign”, most likely enacted by” Russian state-sponsored cyber actors”. (The technical alert states that the FBI has "high confidence" that Russia was behind the attacks, but no proof of this has been publicly provided as of yet.)

This alert details information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices), as well as how to “identify malicious activity, and reduce exposure to this activity”.

According to the alert, these attacks have been occurring since 2015. So far, the majority of the attacks have been primarily aimed at “government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors”. This includes the following (verbatim):

• Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.)
• Hypertext Transport Protocol (HTTP, port 80)
• Simple Network Management Protocol (SNMP, ports 161/162), and
• Cisco Smart Install software (SMI port 4786).

Cisco has recently warned users about vulnerabilities with their Smart Install client and has told users to patch and securely configure the software to protect against further attacks and intrusions. Other solutions are listed in the alert for the other protocols listed above. The alert says that “erratic hardware behavior” should signal a compromised device.

The “cyber actors” have been able to gain access through routers, switches, firewalls and network intrusion. The alert states that network devices are often easy targets for intrusions and attacks. The router attacks have consisted of "man-in-the-middle" attacks where data is intercepted for modification and/or redirection or extraction.

The technical alert states that the overall goal is to cripple cybersecurity, “support espionage, extract intellectual property and maintain persistent access to victim networks”, and possibly “lay a foundation for future offensive operations”.

To read more information from the technical alert, simply click here: Alert (TA18-106A); Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices