In an unusual escalation, the US and UK governments have released analysis that directly accuses the Kremlin of a large-scale cyber-campaign aimed at compromising vast numbers of network devices.
In a statement, the United Kingdom's National Cyber Security Centre (NCSC), the US Department of Homeland Security (DHS) and its Federal Bureau of Investigation (FBI) said that over the last three years, officially sanctioned Russian hackers have been methodically compromising “network infrastructure devices worldwide such as routers, switches, firewalls, network intrusion detection systems”.
“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle' attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.
“The current state of US and UK network devices, coupled with a Russian government campaign to exploit these devices, threatens our respective safety, security, and economic wellbeing.”
The timing of the announcement clearly reflects a loss of patience with Russia's cyber-campaigns and potentially represents a widening gap between the US and its allies and the Kremlin.
Gavin Millard, technical director, Tenable, pointed out that some of the issues highlighted in the statement are down to lax security management rather than ingenuity on the part of the attackers: “Irrelevant of who the threat actors are or their motivations, the existence of an easily exploited vulnerability on critical infrastructure connected to the internet should be addressed immediately. As stated in the technical alert, if a threat actor can gain privileged access to a router, the options for further exploitation are endless.
“It's important to note, even though the recently disclosed Cisco Smart Install vulnerability doesn't affect routers, unfortunately there are over 100,000 switches that could be vulnerable currently exposed to the internet. Similar to MS17-010, the vulnerability in SMBv1 leveraged for the global WannaCry attack, these flaws affect protocols that should never be exposed to the internet but frequently are due to a lack of basic security hygiene.
“Owners and operators of MOXA EDR-810 industrial routers, frequently deployed to secure highly critical environments, should take particular note of this advisory as a slew of recently disclosed vulnerabilities could lead to many of the issues outlined.
“The guide from the joint task force includes some good best practices that should be enforced to reduce the chance of a router falling under the control of an attacker, irrelevant of their country of origin or motivation. Continuous visibility of what corporate systems are exposed to the internet, how well they are configured against security best practices (CIS or NIST for example), and whether they are affected by any known vulnerabilities should be part of every robust security program.”
Indeed, the statement specifically notes that zero-day attacks and malware are often not required, stating that “Russian cyber-actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber-actors take advantage of the following vulnerabilities:
- devices with legacy unencrypted protocols or unauthenticated services,
- devices insufficiently hardened before installation, and
- devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).”
Pedro Abreu, chief strategy officer, ForeScout said that the sheer diversity of devices online has contributed to creating a very broad attack surface for hackers. “By targeting routers, switches and firewalls from all manner of networks, some nation-states are taking advantage of the explosive growth and diversity of devices. We consistently find organisations miss up to 60 per cent of the devices on their networks. And what's really alarming is that they aren't just targeting traditional computing equipment like switches and routers, but Internet of Things devices like video surveillance cameras, access control systems, even industrial systems.
“These devices are difficult to secure for a number of reasons. Left invisible and unprotected, these devices provide adversaries an easy entry point which they can then use to execute behaviours that range from stealing data to disruption of operations or even destruction of infrastructure.”
Of course, it is not only Russia that has been intensively developing cyber-offensive capabilities. Just last week, the current head of GCHQ, Jeremy Fleming, used his maiden public speech to announce that the UK's capability was used against the Islamic State's propaganda machine, the first official admission that such offensive capabilities exist.
Simon Townsend, CTO, Ivanti said: “Increasingly, nation-state hackers are using powerful and sophisticated techniques to target not just government institutions, but businesses with the intent to destabilise and disrupt and leak confidential information. The common cyber-criminal is learning quickly from these more “military-grade” cyber-weapons, causing the gap between nation-state attacks and other forms of cyber-crime to close quickly.
“To defend against these attacks, any organisation with sensitive information or valuable IP needs to remain vigilant. They need to know what kind of information is stored on their systems and passing through their networks. They need to consider the origin of vendors they do business with, and carefully vet any new technology that they acquire from companies based in the nations that pose the greatest threats. They need to isolate internal networks from the Internet if access isn't required. They need to diligently deploy cyber-security defence-in-depth best practices in order to know exactly what is going on in their environment, and to reduce their attack surface, detect attacks that do get through, and take rapid action to contain malicious activity and vulnerabilities.”
Speaking on BBC Radio 4 this morning, NCSC head Ciaran Martin pointed out that the intrusions by Russia currently presented a risk, rather than necessarily having actually caused any harm.