(Wired) – Russian hackers have targeted “millions” of connected devices in the UK and US. It’s all part of Putin’s grand plan to disrupt the West.
No one is too unimportant to be targeted by Russia-backed, state-sponsored hackers. While that may be good for your self-esteem, it’s bad news for online security — enough so that this week US and UK authorities teamed up to issue a joint warning about communications infrastructure, including home-office routers.
The rare joint alert noted that routers, switches, firewalls and network intrusion detection systems at government agencies and businesses were the main targets of Russian hackers, but it added that even “small-office/home-office customers” should take more protective action, as should Internet Service Providers (ISPs) and those developing infrastructure.
The attacks target routers and the protective hardware around them, with Russia-sponsored hackers accused of running “man-in-the-middle” attacks to spy, steal intellectual property, and “potentially lay a foundation for future offensive operations”, the alert reads. The FBI, Department of Homeland Security and the UK’s National Cyber Security Centre (NCSC) noted that multiple cyber security research groups have reported such activity since 2015.
“This is not something new, and is not something that has developed in response to Salisbury and Syria,” said Keir Giles, a senior consulting fellow of the Russia and Eurasia Programme at the think tank Chatham House. “But it’s something that is entirely consistent with how Russia thinks about information warfare.” That includes standard cyber attacks as well as “targeting of mass consciousness and public opinion”.
Routers are a weak point in security because they are frequently left unpatched, run legacy unencrypted protocols, or ship with weak default settings chosen for easy installation — indeed, the technical alert notes that “Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices.” In short, they don’t need to be sophisticated. Pair that with the fact that most traffic passes through routers and other networking equipment, and they become “ideal targets”, the alert notes.
Another infamous security weak point noted by the technical alert is the Internet of Things (IoT), such as the smart devices scattered about our homes. Ciaran Martin, CEO of the NCSC, told the New York Times that Russia had targeted “millions” of connected devices in the UK and US, including IoT gadgets.
“One of the things with the Internet of Things is it needs to be cheap and easy to use, and one of the ways to do that is take out security,” says Professor Alastair Irons, academic dean for the faculty of computer science at the University of Sunderland. “In theory, these IoT devices could be weaponised… to disrupt and disable networks and infrastructure.”
Why your router, of all routers?
It’s clear why spies would target ISPs or their rival governments, but why would Russia want to attack your router? “Two of the main principles that have come through in recent Russian thinking about information warfare — which includes cyber activities as well as exploiting the information that they’re collecting through cyber activities — is that nobody is too unimportant to be a target,” says Giles. “This is something that’s been seen in the front line states quite routinely, with for example Nato soldiers.”
Such people may not have seen themselves as targets before, but Giles cites Russian chief of general staff Valeriy Gerasimov as believing that in information warfare there “is no rear area”. In other words, we’re all on the front line now. “Everybody is because they’re looking for vulnerabilities everywhere,” Giles says.
While finding embarrassing information to use for leverage is one goal, routers are soft targets that can be used in multiple ways: an attacker can steal data, but can also redirect traffic, abuse the device in a distributed denial-of-service attack, replace pages or elements of a page (as seen with ad fraud), or use the router as a foothold to reach the computers behind it.
Indeed, if you hack a home router, you may “get lucky,” says Irons, and find someone working from home “who is easier to access than they’d normally be at a more secure location”. Even the NSA falls foul of that with home workers and contractors.
Plus, victims are unlikely to notice they’ve been hacked, allowing the hackers in question to hold onto the compromised router for future use. “When a router has been compromised, it is much more difficult to detect and remediate than say, a laptop infected with malware,” says Jérôme Segura, lead malware intelligence analyst at Malwarebytes.
It’s not all about you…
While we’re all on the front line in information warfare, the aim may well be to abuse our routers en masse. That could be for a huge distributed denial-of-service attack using accumulated compromised routers and IoT gadgets to attack a third party or internet infrastructure, as happened with the Mirai botnet and follow-up attacks, notes Segura.
Plus, the use of UK and US routers can make it difficult to know where the attack actually originated, limiting immediate retaliation. “You can’t hack back if the target is a US citizen,” Sullivan says. “The home routers can redirect things and make it tough to figure who to attack back, who to hack back.”
Russia has also been “practising” cutting off communications in a specific area, Giles noted, pointing to efforts in Crimea to disrupt information. “If Russia is present in home routers… one of the reasons could be to ensure that target governments can’t communicate with their target populations.”
“I’m going out on a limb,” he adds, “but they could be looking at ways of supplying altered information to targeted audiences like they did in the Ukraine, where they intercepted internet communications and replaced it with stuff that’s being sourced from Russia.” He admits that would be harder to do elsewhere where Russia has less immediate control, and adds that the Ukrainians “got wise to it pretty rapidly.” However, he says “it would likely be within the realm of their ambition”.
Indeed, the technical alert from the UK and US governments notes such a scenario is possible once the hackers have taken control of networking infrastructure: “At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible.”
That style of attack, intercepting and replacing information on a web page, is one of the most common ways criminals use hacked routers, notes Sullivan — however, it’s usually for ad fraud rather than information warfare.
How it works
Casting such a wide net for targets used to be more difficult for governments. Spying was previously harder, requiring more targeted attacks and plenty of manpower. “They are doing this on an industrial scale because they can,” says Giles. “Because they can do it swiftly and easily, they do.”
Sullivan calls it the “Shodan” effect, referring to a tool that’s effectively a search engine for back-end infrastructure, letting users spot connected devices and whether they’re secured. “They’re hitting everything they can with automation,” he says. “Let’s collect all the intel we can, why wouldn’t you?”
The technical alert points in particular to Telnet, HTTP, SNMP and Cisco Smart Install: attackers scan for these services, either broadly or against chosen targets, to identify devices worth attacking, then send spoofed requests that cause the device to hand over its configuration file. “The CERT bulletin shows that routers are a prime target for automated attacks by threat actors scanning for vulnerable devices,” says Segura. “The router controls inbound and outbound traffic, making it easy for eavesdropping or man in the middle attacks.”
According to the alert, the configuration files extracted this way reveal “a significant amount of information about the scanned device, including password hash values.” Those values can be used to “derive legitimate credentials”.
Able to log in, hackers can tweak the operating system or firmware so their access persists on the system even if it’s rebooted, overwrite files to modify how a device is configured, or install malware to infect other devices on the network — and then “masquerade as legitimate users” to nab more information, steal data, reconfigure systems, and redirect traffic.
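As an added illustration, not code from the article or from the alert, of why a leaked configuration file is as good as a credential: the script below audits a Cisco IOS-style config for the services the alert names (Telnet, HTTP, SNMP, Smart Install) and for weak password storage, and reverses a “type 7” password to show what an attacker gets straight from the file. The sample config, its hostname and the type 5 hash placeholder are constructed for this example; the type 7 keystream is the long-public one.

```python
import re

# Cisco "type 7" password obfuscation is a fixed XOR keystream. The key below
# has been public for decades, so a leaked config with type 7 values yields
# the plaintext directly; this is why a config file is effectively a credential.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 value: two decimal seed digits followed by hex bytes."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; included only to show the round trip."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Services the alert names as scanned and abused. Patterns are anchored at the
# start of the line, so a "no ip http server" style negation does not match.
SERVICE_RULES = [
    (re.compile(r"^\s*ip http server\b"), "medium", "cleartext HTTP management enabled"),
    (re.compile(r"^\s*vstack\b"), "high", "Smart Install client (vstack) enabled"),
    (re.compile(r"^\s*transport input\b.*\btelnet\b"), "medium", "Telnet accepted on a vty line"),
]
SNMP_RE = re.compile(r"^\s*snmp-server community (\S+)\s+(RO|RW)\b", re.I)
DEFAULT_COMMUNITIES = {"public", "private"}
# "password|secret [type] value"; a missing type number means type 0 (plaintext).
PASSWORD_RE = re.compile(r"\b(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")


def audit(config: str):
    """Return (line_no, severity, message) for each risky line of an IOS-style config."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = SNMP_RE.match(line)
        if m:
            community, mode = m.group(1), m.group(2).upper()
            sev = "high" if community.lower() in DEFAULT_COMMUNITIES or mode == "RW" else "medium"
            findings.append((n, sev, f"SNMP community {community!r} ({mode}); config can be pulled over SNMP"))
            continue
        m = PASSWORD_RE.search(line)
        if m:
            kind, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
            if ptype == "0":
                findings.append((n, "high", f"{kind} stored in plaintext: {value!r}"))
            elif ptype == "7":
                findings.append((n, "high", f"type 7 {kind} is reversible; decodes to {type7_decode(value)!r}"))
            elif ptype == "5":
                findings.append((n, "medium", f"type 5 (MD5) {kind} hash is crackable offline; prefer type 8/9"))
            continue
        for rx, sev, why in SERVICE_RULES:
            if rx.match(line):
                findings.append((n, sev, why))
    return findings


# Constructed sample config (not from any real device). The type 7 value is the
# classic public example that encodes "cisco"; the type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
hostname branch-rtr
!
enable secret 5 $1$mERr$placeholderNotARealHash000
username admin password 7 094F471A1A0A
username backup password 0 Summer2018
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
no ip http secure-server
!
vstack
!
line vty 0 4
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for n, sev, msg in audit(SAMPLE_CONFIG):
        print(f"line {n:2d} [{sev}] {msg}")
```

Run it as-is to see the findings for the sample, or feed it a saved `show running-config`. The point of the type 7 round trip is that “encrypted” in the config output does not mean protected: once the file leaves the box, the admin password is readable, and even the type 5 secret only buys time against offline cracking.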
“The security recommendations appear to be aimed at enterprises more than consumers as it is providing detection rules system admins can put in place to detect potential compromises,” notes Segura. “However, many of the tips from the bulletin regarding hardening the security of those routers and patching them also apply to consumers.”
What should we do?
The ease of compromising routers is why the UK and US authorities are begging companies and individuals to get their routers patched: the best way to fight back is to be harder to hack. “Updating is fragmented quite a bit, and that’s largely the issue with this class of device,” says Sullivan.
That’s not only a problem for individuals, but for companies of all sizes, and Sullivan suggests the serious, detailed alerts from the FBI, Department of Homeland Security and National Cyber Security Centre have a benefit for those inside corporations. “I think this is making it easier for chief security officers to go to their boards and say this is reality — it’s not coming from the private sector trying to sell stuff.”
Of course, protecting your router and other networking equipment from Russian spies has the knock-on benefit of making you safer from criminals, too — regardless of their country of origin.
“The techniques that cyber espionage uses, including Russian cyber espionage and information warfare, are in some cases indistinguishable from what cyber criminals want to do, because both of them are about accessing information,” Giles says. “Never mind protecting yourself against Russia, just protecting yourself against any cyber intruders will have the same effect.”