UK NCSC, DHS and the FBI Warn of Russian hacking campaign on Western networks

Pierluigi Paganini April 17, 2018

UK NCSC, DHS, and the FBI warn of Russian hacking campaign on Western networks, state-sponsored hackers are targeting network infrastructure key components.

US and Britain government agencies warn of Russian state-sponsored cyber attacks to compromise government and business networking equipment. Russian hackers aim to control the data flaw “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,”

The operation was “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” Washington and London said in a joint statement.

“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” reads a joint statement issued by UK and US Goverments.

“Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”

According to the US DHS, the campaign is part of well known Grizzly Steppe.

In December 2016, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a Joint Analysis Report(JAR) that provided information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence Services (RIS) against United States election.

U.S. Government linked the cyber activity to a Russian threat actor designated as GRIZZLY STEPPE.  It was the first time that the JAR attributed a malicious cyber activity to specific countries or threat actors.

The JAR reports the activity of two different RIS actors, the APT28 and the APT29, that participated in the cyber attacks on a US political party. The APT29 known as (Cozy Bear, Office Monkeys, CozyCar, The Dukes and CozyDuke) broke into the party’s systems in summer 2015. The APT28 known as (Fancy BearPawn StormSofacy Group, Sednit and STRONTIUM) entered in spring 2016.

Back to the present, the new alert was issued by Britain’s  National Cyber Security Centre, DHS and the US Federal Bureau of Investigation.

Russian hacking espionage

The alert came from the UK National Cyber Security Centre, DHS and the US Federal Bureau of Investigation, the government agencies believe hackers could compromise Western critical infrastructures like power grids and water utilities.

Hackers specifically target routers, switches and firewalls with the intent to compromise the target networks to control traffic and manipulate it for espionage and to deliver malware.

“Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners.” states the report.

“This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims.

According to the report, Russian threat actors attempt to exploit flaws in legacy systems or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to

  • identify vulnerable devices;
  • extract device configurations;
  • map internal network architectures;
  • harvest login credentials;
  • masquerade as privileged users;
  • modify
    • device firmware,
    • operating systems,
    • configurations; and
  • copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

The experts explained that threat actors behind the Russian hacking campaign do not need to leverage zero-day vulnerabilities or install malware to compromise networking devices. In most cases, Russian hackers exploited the following issues:

  • devices with legacy unencrypted protocols or unauthenticated services,
  • devices insufficiently hardened before installation, and
  • devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).

“FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.” states the alert.

The Government experts warn hackers are specifically targeting devices utilizing Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP).

The main problem is that device administrators often fail to apply a robust configuration, in many cases, they leave default settings and fail to protect theri systems by for example by applying necessary patches.

In this scenario it is quite easy for threat actors to target networking infrastructure.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Russian hacking, state-sponsored hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment