Additional information: Russia's malicious cyber activity

Created:  16 Apr 2018
Updated:  16 Apr 2018
Additional information around the joint US and UK statement about malicious cyber activity carried out by the Russian government.

The U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) have today issued a joint Technical Alert about malicious cyber activity carried out by the Russian government. 

The joint statement and the issued advisory are both available to read.

What has happened?

Today, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) released a joint Technical Alert (TA) about malicious cyber activity carried out by the Russian Government.

Multiple sources including private and public sector cyber security research organisations and allies have reported Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.

What level of confidence do you have in your assessment?

The US and UK governments have high confidence that Russian state-sponsored cyber actors were behind this malicious cyber activity that aimed to exploit network infrastructure devices. This activity threatens the safety, security and economic wellbeing of the US, UK and international allies.

Why are you releasing this information now?

With this alert, DHS, FBI and NCSC are providing information on this Russian backed threat to help government and private sector organisations identify malicious activity and reduce exposure to it.

What is the threat?

Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows this actor to identify enabled Internet-facing ports and services, conduct device fingerprinting and discover vulnerable network infrastructure devices.

Russian cyber actors leverage several legacy or weak protocols and service ports associated with network administration activities. These tactics can be used to identify vulnerable devices, obtain login credentials, masquerade as privileged users, modify device firmware, copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure, and carry out several other malicious activities.

What should small businesses do to protect themselves from this threat?

The NCSC has previously produced advice and guidance for small businesses that can be found on the NCSC website. A blog specifically related to this latest advisory has also been published.

What are the consequences of these attacks?

Russian actors could modify or deny traffic traversing the router and potentially target network devices from other manufacturers.

A malicious actor with presence on an organisation’s gateway router has the ability to monitor, modify and deny traffic to and from the organisation.

There is a possibility that a malicious actor may gain control of a router sitting between Industrial Control Systems / Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in critical infrastructure, such as the electrical power sector, and manipulate the messages passing through it, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing structure of a network essentially controls the data flowing through the network.

Who is being targeted?

The targets of this malicious cyber activity are primarily government and private-sector organisations, critical infrastructure providers and the Internet Service Providers (ISPs) supporting these sectors. Specifically, these cyber exploits were directed at network infrastructure devices worldwide, such as routers, switches, firewalls and Network Intrusion Detection Systems (NIDS).

Why should I be concerned?

Network devices are often easy targets, as once installed they are not maintained to the same level as desktops and servers. Hostile states don’t just target governments, and small businesses and home users are not only vulnerable to criminals.

Who should read the Technical Alert?

Network device vendors, Internet Service Providers (ISPs), public sector organisations, private sector corporations and small office/home office (SOHO) customers should read this report and act on the recommended mitigation strategies.

What information can I find in the Technical Alert?

This alert contains indicators of compromise (IOCs), technical details on the tactics, techniques and procedures (TTPs) and contextual information regarding observed behaviours on the networks of compromised victims.

What mitigation measures are in place?

There is a significant amount of guidance in this alert to mitigate the exploitation vectors identified. However, users should also refer to the vendor-specific guidance for the make and model of the network devices they operate.

What other information is available?

This alert is the result of joint analytic efforts between DHS, FBI and NCSC. It builds on additional advisories from Australia and the European Union, in addition to the DHS Analysis Report, “The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations,” (AR-16-20173) published August 30, 2016.

This is the latest in a series of alerts issued on Russian government-supported malicious cyber activity. DHS, FBI and NCSC urge readers to act on past alerts and advisories issued by the US and UK governments, allied governments, network device manufacturers and private sector organisations.
