US & UK: Russia Is Attacking Network Infrastructure Devices

The U.S. and UK released a joint statement accusing Russia of sponsoring groups attacking routers, switches, firewalls, and Network-based Intrusion Detection Systems (NIDS) devices in a campaign that "threatens the safety, security, and economic well-being of the United States."

The statement was issued by the U.S. Computer Emergency Readiness Team (CERT) and based on intel from the FBI, Department of Homeland Security (DHS), and the UK's National Cyber Security Centre (NCSC). In the statement, CERT urged readers to "act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations."

The U.S. is said to have received information about these attacks starting in 2015. Attackers don't seem to be using zero-day vulnerabilities to compromise their targets. Instead, they prey on devices that weren't properly set up, are no longer supported by their manufacturers, or rely on unencrypted protocols. Russia isn't discovering new vulnerabilities; it's merely exploiting carelessness and obsolescence.

According to CERT, the attackers use these weaknesses to:

  • identify vulnerable devices;
  • extract device configurations;
  • map internal network architectures;
  • harvest login credentials;
  • masquerade as privileged users;
  • modify device firmware, operating systems, and configurations; and
  • copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

The end result: "[...] both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population." Russia could use this access for its own financial gain--or simply to conduct more devastating attacks on the U.S. As long as the attackers have access to these networks, the U.S. will remain vulnerable to attacks that will arrive with little to no warning.

There's No Easy Fix

Unfortunately, recognizing a problem doesn't automatically solve it. CERT said in its statement that many different groups have to come together to help defend against these attacks. That includes manufacturers, security vendors, ISPs, and network owners and operators, among others. Getting all of those organizations to agree on a course of action, let alone spring into action, will probably be a Herculean task.

The reality is that none of these organizations use outdated and insecure technology out of a sense of nostalgia. They're driven primarily by economic factors--replacing network systems is expensive, for example--and the feasibility of integrating new technology into their systems. Unless they coordinate their efforts, each group's efforts to respond to CERT's warning will address only one part of a much larger problem.

  • mapesdhs
    Here comes the MSM fake news once again, pushing the Russia narrative. Sad that toms is buying into it. Because of course our western agencies never do anything dodgy in the other direction. :D (ref wikileaks last year)
  • USAFRet
    117741 said:
    > Here comes the MSM fake news once again, pushing the Russia narrative. Sad that toms is buying into it. Because of course our western agencies never do anything dodgy in the other direction. :D (ref wikileaks last year)

    Just because the West may be doing it, does not mean the Russians aren't also doing it.
  • glitchyrichy
    How does repeating a statement from the US GOV Computer Emergency Readiness Team make it fake news? They are literally repeating the information from the government. https://www.us-cert.gov/ncas/alerts/TA18-106A