The Russian Government’s hackers – codenamed “Grizzly Steppe” – stand accused of trying to turn millions of routers against their owners.
After the stream of recent accusations levelled by cyber-authorities in the US, UK and Australia, it was probably inevitable that Russia would be formally accused of targeting network infrastructure at some point.
That happened yesterday, in the bludgeoning co-ordinated style that now marks out every official statement regarding Russia and cyberwarfare.
Stated US-CERT:
Since 2015, the US Government received information from multiple sources – including private and public-sector cybersecurity research organizations and allies – that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide.
These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.
In fact, Grizzly Steppe was first mentioned in late 2016 when the FBI published its first report on the group’s alleged activities.
There will perhaps be two public reactions to this remarkable accusation, the first being to wonder what routers are and why they matter so much that Russia would want to target them.
The second may be to wonder why it has taken these countries so long to point out the phenomenon of co-ordinated router compromise – something that a variety of groups have been engaged in for at least a decade without much fuss being made about it.
In case the alert sounds a bit vague, the UK National Cyber Security Centre (NCSC) followed up the warnings with a document explaining in some detail the hardware weaknesses the Russians are alleged to be exploiting.
Switches, firewalls, and Intrusion Detection Systems (IDS) are all on the Russian target list but the central importance of routers in homes and offices made them prized targets, it said.
Products aren’t named beyond a few generic references to Cisco and Juniper, both of which are of course known to be extremely common in ISP networks.
However, what is made clear is the type of product vulnerable to Russian takeover. This includes:
- Devices not set up securely (default passwords, too many interfaces/protocols left turned on)
- Legacy devices using “unencrypted protocols or unauthenticated services” (presumably a reference to managing routers using Telnet or via HTTP)
- End-of-life devices no longer receiving security patches
It lists numerous technical mitigations that a well-informed engineer would already know about and a series of Grizzly Steppe Indicators of Compromise (IoCs) they might not.
Reflecting the number of vulnerable devices, a Reuters report quotes a source at the British government’s National Cyber Security Centre as numbering targeted systems in the millions.
A separate warning put out by Australian authorities said that “that potentially 400 Australian companies were targeted”, although without “any exploitation of significance.”
The alerts are best understood as part warning, part political theatre.
For the Russians, it’s about making crystal clear that the defenders can see what they’re up to, which holds an implicit threat in return – if you target our routers we can do the same to yours.
The idea that we might be on the edge of an age of cyberattacks followed by retaliation is pretty scary if, indeed, that line hasn’t been quietly crossed already.
For companies, equipment makers and service providers, it’s a way of saying that the good times are over, you can’t take router security for granted.
Everyone should take basic precautions to defend their customers, and themselves, and not just hope for the best or assume the government will step in to save them.
John C
Should “stand accessed” in the first sentence read “stand accused?”
Mark Stockley
Fixed thanks!
Mahhn
“The Russian Government’s hackers – codenamed “Grizzly Steppe” – stand accessed” “Accused”
Mark Stockley
Fixed, thanks!
Jane M
If we disable all remote access on our routers, are we still protected when the manufacturer hasn’t provided a firmware update in years? How can we check an old consumer router that seems to still work?
Paul Ducklin
If you know (or are willing to try) a network mapping tool such as nmap, you could scan your own router, say from a friend’s house, and see whether ports such as 23 (telnet), 22 (SSH) and 80 (HTTP/web) are open to the outside world.
It’s worth doing this even if you’ve turned off remote access – buggy routers may have [a] ports open always, not managable by the web GUI, or [b] ports that don’t correctly get closed even when that’s supposed to happen.
Bryan
Way back in the Before Times,
It was possible to use multiple addresses from Comcast (before they were AT&T@Home, they were Excite@Home). With a managed switch in three VLANs (WAN/LAN/DMZ), and OpenBSD (FTW!) box running IPFilter (later pf), I could plug an extra PC into the WAN ports and briefly test my own config from the “outside.” Never tried it for long, but I’m sure it got abused.
That was back when they’d still give a static IP to each customer. Of course on Win98 each network change required a reboot, (often twice) but I’d found a neat little utility you could configure in advance and then shut down. Startup would have the network settings you wanted; it was great for my work laptop, particularly before I ran DHCP at home.
I thought of that stellar little utility a couple months ago and Googled but couldn’t figure out what it was. Now searches seem to come up with solely MS tools indigenous to the OS. Not that it’s critical I recall the name, but whoever built that app should be doing something really cool by now.
/RabbitHole
Paul Ducklin
On contemporary Windows, try netsh help.
Bryan
Yeah, thanks.
I just figured anyone who coded such a handy little tool for Win98’s clumsy network stack would likely still be creating timesaving apps I’d like to support.
Bryan
I omitted detail which may clarify my apparent overenthusiasm:
The utility saved multiple user-defined profiles, selectable within the app, such as
– straight DHCP
– DHCP, custom DNS
– static IP with /27 netmask
Pull up the tool, choose a profile set for where you were going, click apply, shut down.
Arrive, and your laptop is ready to roll.
Modern OSes handle network changes better, and describing this is similar to telling kids about lugging water back from the well or describing a 2600 blue box.
“Long distance charges, what’s that? And pull over to make a call? Why didn’t you just use your cell?”
jkwilborn
I believe it would be very ignorant to assume we are not doing to them that which they are doing to us. Probably how they got the idea 8{} No matter how you look at it, it’s escalating. Typical for governments… :{ Whatever the costs, we must not have a ‘router gap.’ Nice piece Paul…
Steve
This article was actually authored by John E Dunn, not Mr. Ducklin.
Paul Ducklin
Correct. Not one of mine. When I see CERTs warning about things like “research confirms that routers have been under routine and regular attack since 2015”, my eyes glaze over. It seems about as useful as the meteorological office announcing that in temperate regions, summer may prove to be warmer than winter.
John E Dunn
The Edward Snowden revelations in 2013 underscored that the US has extensive programs to compromise network infrastructure. The issue is not really whether countries are trying to compromise routers (they are) but the intent behind this.