The Russian government has carried out a coordinated malicious cyber activity campaign directed mainly at government and private sector organisations, critical infrastructure providers and the internet service providers supporting these sectors, according to a joint statement by the UK and the US.
Specifically, these cyber exploits were directed at network infrastructure devices worldwide such as routers, switches, firewalls and network intrusion detection systems (IDS), according to a technical alert issued by the US Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC).
Network device suppliers, internet service providers (ISPs), public sector organisations, private sector corporations, and small office and home office owners should act on the recommended mitigation strategies, the statement said. Both governments are urging network defenders to take action to mitigate this worldwide exploitation of network infrastructure devices.
Underlining the significance of the risk, White House cyber security coordinator Rob Joyce said that anyone who "owns the router" can monitor all the traffic and consequently has the ability to do things such as harvest credentials and modify or deny traffic. "It is a tremendous weapon in the hands of an adversary," he told journalists on a conference call.
"The publication of the alert and guidance is just one of a series of steps aimed at addressing Russia's unacceptable activity in cyberspace, and each of us has an important role we can play in securing our networks against the Russian government, other nation states and criminal actors.
"Whether an end user, private firm or device designer, there are straightforward measures we can take to make sure we get network security right, which includes building devices from the ground up to be secure by design because we have seen in this case default passwords and unsecured devices being exploited," he said.
The technical alert contains indicators of compromise (IOCs), technical details on the tactics, techniques and procedures (TTPs) and contextual information regarding observed behaviours on the networks of compromised victims.
Russian state-sponsored actors are using compromised routers to conduct spoofing “man-in-the-middle” attacks to support espionage, steal intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations, the statement said.
Multiple sources including private and public-sector cyber security research organisations and allies have reported this activity to the US and UK governments, and the NCSC confirmed that the campaign of activity has directly affected the UK.
“The current state of US and UK network devices, coupled with a Russian government campaign to exploit these devices, threatens our respective safety, security, and economic wellbeing,” the statement said.
Ciaran Martin, CEO of the UK National Cyber Security Centre, said: “Russia is our most capable hostile adversary in cyber space so dealing with their attacks is a major priority for the National Cyber Security Centre and our US allies.
“This is the first time that in attributing a cyber attack to Russia, the US and the UK have, at the same time, issued joint advice to industry about how to manage the risks from attacks. It marks an important step in our fight back against state-sponsored aggression in cyber space.
"Never before have we joined together with the same advice to our industry and our citizens about how to deal with attacks, and these attacks are significant because they are against internet infrastructure across the core and the edge of internet connectivity, which the NCSC has been tracking for around a year.
“For over 20 years, GCHQ has been tracking the key Russian cyber attack groups and today’s joint UK-US alert shows that the threat has not gone away,” he said.
“Many of the techniques used by Russia exploit basic weaknesses in network systems. The NCSC is leading the way globally to issue advice and automate defences at scale to remove those basic attacks, thereby allowing us to focus on the most potent threats,” he said.
The technical alert and joint statement come after reports that Russia has launched a “dirty tricks” campaign against the UK and the US in the wake of the Syria airstrikes.
UK government sources have confirmed a Pentagon analysis that showed a 20-fold increase in Russian-sourced “disinformation” being spread online since the cruise missile attacks on Syria in the early hours of Saturday, which has raised concerns that a campaign of cyber attacks by Russia could follow, according to The Telegraph.
Countering Russian cyber threat
Last week, at the NCSC’s CyberUK conference in Manchester, GCHQ director Jeremy Fleming said GCHQ has monitored and countered the growing cyber threat that Russia poses to the UK and its allies for more than two decades.
“And it looks like our expertise on Russia will be in increasing demand. We’ll continue to expose Russia’s unacceptable cyber behaviour, so they’re held accountable for what they do, and to help government and industry protect themselves.
“The UK will continue to respond to malicious cyber activity in conjunction with international partners such as the United States. We will attribute where we can,” he said, accusing Russia of “not playing by the same rules” and of “blurring the boundaries between criminal and state activity”.
Fleming also revealed that for well over a decade, GCHQ has pioneered the development and use of offensive cyber techniques to counter the use of the internet by terror groups and has, in partnership with the Ministry of Defence, “conducted a major offensive cyber campaign against Daesh”.
These operations, he said, have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks and protected coalition forces on the battlefield.
“Cyber is only one part of the wider international response. But this is the first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” he said.
This approach, said Fleming, has worked against Daesh and could work against other national security challenges too.
“We know that these capabilities are very powerful,” he said. “The international doctrine governing their use is still evolving. And as with all of our work, we only use them in line with domestic and international law, when our tests of necessity and proportionality have been satisfied, and with all the usual oversight in place.”
In the conference call with journalists, Martin said that this joint action demonstrates that there is something that can be done between countries and within countries, with government giving advice to industry and citizens about what action to take.
"Much of this advice is around following good basic practices around network configuration and patching," he said, adding that because the Russian cyber attack capability is a global problem, the advice issued by the UK and US is also relevant to other countries.