The U.S. and UK released a joint statement accusing Russia of sponsoring groups attacking routers, switches, firewalls, and Network-based Intrusion Detection Systems (NIDS) devices in a campaign that "threatens the safety, security, and economic well-being of the United States."
The statement was issued by the U.S. Computer Emergency Readiness Team (CERT) and based on intel from the FBI, Department of Homeland Security (DHS), and the UK's National Cyber Security Centre (NCSC). In the statement, CERT urged readers to "act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations."
The U.S. is said to have received information about these attacks starting in 2015. Attackers don't seem to be using zero-day vulnerabilities to compromise their targets. Instead, they prey on devices that weren't properly set up, are no longer supported by their manufacturers, or rely on unencrypted protocols. Russia isn't discovering new vulnerabilities; it's merely exploiting carelessness and obsolescence.
According to CERT, the attackers use these weaknesses to:
- identify vulnerable devices;
- extract device configurations;
- map internal network architectures;
- harvest login credentials;
- masquerade as privileged users;
- modify device firmware, operating systems, and configurations; and
- copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.
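The weaknesses described above (devices that were never hardened and management planes that still accept cleartext protocols) are things a network owner can audit from the configuration alone. The following is an added example, not code from the alert or from any of the agencies it cites: a small Python audit that walks a constructed Cisco IOS-style configuration and flags the settings an attacker with this playbook would look for. The sample configuration, the check names and the remediation hints are this example's own; the IOS command syntax is real, but the checks cover only a handful of common settings and are not a complete hardening baseline.

```python
"""
Audit a network-device configuration for the weakness classes the advisory
describes: cleartext management protocols and weak credential storage.

SAMPLE_CONFIG is a constructed example in Cisco IOS-like syntax. The check
names and the suggested fixes are this example's own, not text from the alert.
"""
from dataclasses import dataclass


SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""


@dataclass(frozen=True)
class Finding:
    check: str   # weakness class
    line: str    # offending config line (with its parent block, if any)
    fix: str     # suggested remediation


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per insecure setting found in an IOS-style config."""
    findings: list[Finding] = []
    current_block = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        stripped = raw.strip()
        # Top-level commands (no leading indent) open a new configuration block;
        # indented lines belong to the most recent top-level command.
        if not raw.startswith(" "):
            current_block = stripped

        # Telnet (or "all") accepted on a virtual terminal line: cleartext logins.
        if (current_block and current_block.startswith("line vty")
                and stripped.startswith("transport input")):
            protocols = stripped.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(Finding("cleartext-mgmt",
                                        f"{current_block}: {stripped}",
                                        "transport input ssh"))

        # SNMPv1/v2c community strings travel in cleartext and act as passwords.
        if stripped.startswith("snmp-server community"):
            findings.append(Finding("snmp-v1v2c-community", stripped,
                                    "use SNMPv3 authPriv and remove community strings"))

        # Plain HTTP management interface.
        if stripped == "ip http server":
            findings.append(Finding("cleartext-mgmt", stripped,
                                    "no ip http server (use ip http secure-server if needed)"))

        # 'enable password' is stored reversibly; 'enable secret' is hashed.
        if stripped.startswith("enable password"):
            findings.append(Finding("weak-credential-storage", stripped,
                                    "enable secret instead of enable password"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per weakness class, for a quick fleet-wide roll-up."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.line}  ->  {f.fix}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Run against the sample, the audit reports the Telnet-enabled vty block, both SNMP community strings, the plain HTTP server and the reversible enable password; the second vty block, which accepts SSH only, produces nothing. Pointing `audit_config` at exported configurations from a fleet and rolling the results up with `summarize` gives a network owner a concrete, prioritized list instead of a general exhortation to "act on past alerts".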
The end result: "[...] both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population." Russia could use this access for its own financial gain--or simply to conduct more devastating attacks on the U.S. As long as the attackers have access to these networks, the U.S. will remain vulnerable to attacks that will arrive with little to no warning.
There's No Easy Fix
Unfortunately, recognizing a problem doesn't automatically solve it. CERT said in its statement that many different groups have to come together to help defend against these attacks. That includes manufacturers, security vendors, ISPs, and network owners and operators, among others. Getting all of those organizations to agree on a course of action, let alone spring into action, will probably be a Herculean task.
The reality is that none of these organizations use outdated and insecure technology out of a sense of nostalgia. They're driven primarily by economic factors--replacing network systems is expensive, for example--and the feasibility of integrating new technology into their systems. Unless they coordinate their efforts, each group's efforts to respond to CERT's warning will address only one part of a much larger problem.