The UK’s National Cyber Security Centre (NCSC) and US’s Department of Homeland Security (DHS) have issued an unprecedented joint technical alert – alongside the Federal Bureau of Investigation (FBI) – detailing malicious cyber activity “carried out by the Russian government”. This is aimed primarily at government and private-sector organisations, critical infrastructure providers, and the internet service providers (ISPs) supporting these sectors, they said.
The alert, posted late Monday (April 16) evening, said the exploits are directed at network infrastructure devices worldwide such as routers, switches, firewalls, and the Network Intrusion Detection System (NIDS). All network device vendors, ISPs, public sector organisations, private sector corporations and even small businesses should read the alert and act on the recommended mitigation strategies, the partners said.
The alert, TA18-106A, describes Russian state-sponsored actors using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations. Multiple sources, including private and public-sector cyber security research organisations and allies, have reported this activity to the US and UK governments, the DHS, FBI and NCSC said in a joint statement.
Jeanette Manfra, the DHS’s Assistant Secretary for Cybersecurity and Communications said: “Russian government activities continue to threaten our respective safety, security, and the very integrity of our cyber ecosystem… We will not accept nor tolerate any malign foreign cyber operations, intrusions, or compromises. We call on all responsible nations to use their resources—including diplomatic, law enforcement, technical, and other means—to address the Russian cyber threat.”
Reconnaissance, Weaponisation, Delivery
Protocols targeted in broad reconnaissance scanning include Telnet (typically Transmission Control Protocol (TCP) port 23, although traffic can be directed to a wide range of TCP ports such as 80, 8080 and others), Hypertext Transport Protocol (HTTP, port 80), Simple Network Management Protocol (SNMP, ports 161/162) and Cisco Smart Install (SMI, port 4786). The report then explains the weaponisation, delivery, exploitation, installation and command-and-control stages, before offering detailed mitigation advice.
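As an added illustration of how a defender might use the port list above, the following Python script (written for this article, not code from the NCSC, DHS or the alert itself) summarises a few constructed firewall log lines and flags external sources that touch several of the management-plane ports named in the alert. The log format, the host and address values, and the threshold of two distinct management ports are all assumptions for the example; a real deployment would map the regular expression onto the site's own firewall or NetFlow export format.

```python
import re
from collections import defaultdict

# Ports named in the alert's reconnaissance list. Telnet may also be run on
# 80/8080, which port numbers alone cannot distinguish from HTTP, so the web
# ports are tracked separately and are not counted as management ports.
TELNET_PORTS = {23}
HTTP_PORTS = {80, 8080}
SNMP_PORTS = {161, 162}
SMI_PORTS = {4786}
MANAGEMENT_PORTS = TELNET_PORTS | SNMP_PORTS | SMI_PORTS

# Constructed sample log in an assumed key=value firewall format (not a real
# vendor's format). Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2018-04-16T22:01:03Z fw1 action=allow proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=23
2018-04-16T22:01:04Z fw1 action=allow proto=udp src=198.51.100.7 dst=192.0.2.10 dport=161
2018-04-16T22:01:05Z fw1 action=deny proto=tcp src=198.51.100.7 dst=192.0.2.11 dport=4786
2018-04-16T22:01:06Z fw1 action=allow proto=tcp src=198.51.100.7 dst=192.0.2.12 dport=8080
2018-04-16T22:02:10Z fw1 action=allow proto=tcp src=203.0.113.5 dst=192.0.2.20 dport=80
2018-04-16T22:02:11Z fw1 action=allow proto=tcp src=203.0.113.5 dst=192.0.2.20 dport=443
2018-04-16T22:03:00Z fw1 action=allow proto=tcp src=203.0.113.9 dst=192.0.2.30 dport=23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_sources(lines):
    """Per source address: management ports, web ports and distinct targets seen."""
    stats = defaultdict(lambda: {"mgmt_ports": set(), "web_ports": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format
        s = stats[rec["src"]]
        s["targets"].add(rec["dst"])
        if rec["dport"] in MANAGEMENT_PORTS:
            s["mgmt_ports"].add(rec["dport"])
        elif rec["dport"] in HTTP_PORTS:
            s["web_ports"].add(rec["dport"])
    return stats


def flag_sources(lines, min_mgmt_ports=2):
    """Return {src: [reasons]} for sources whose activity looks like management-plane scanning.

    Two assumed rules: any probe of the Smart Install port is reported on its own,
    and touching min_mgmt_ports or more distinct management ports is reported.
    """
    flagged = {}
    for src, s in summarize_sources(lines).items():
        reasons = []
        if s["mgmt_ports"] & SMI_PORTS:
            reasons.append("smart-install probe on 4786")
        if len(s["mgmt_ports"]) >= min_mgmt_ports:
            reasons.append(
                f"{len(s['mgmt_ports'])} distinct management ports across {len(s['targets'])} hosts"
            )
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(src, "->", "; ".join(reasons))
```

On the sample data only 198.51.100.7 is reported: it probed Telnet, SNMP and Smart Install across three hosts, while the source that only touched port 80 and 443, and the one that made a single Telnet connection, stay below the threshold. Whether a single Telnet or SNMP hit from outside the organisation should itself be reported depends on whether those services are meant to be reachable from the internet at all.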
The NCSC’s CEO Ciaran Martin, said: “Russia is our most capable hostile adversary in cyberspace so tackling them is a major priority for the National Cyber Security Centre and our US allies. This is the first time that in attributing a cyber attack to Russia the US and the UK have, at the same time, issued joint advice to industry about how to manage the risks from the attack. It marks an important step in our fight back against state-sponsored aggression in cyberspace.”
He added: “Many of the techniques used by Russia exploit basic weaknesses in network systems. The NCSC is leading the way globally to automate defences at scale to take away some of those basic attacks, thereby allowing us to focus on the most potent threats.”
The alert represents the first time the NCSC has been included as an author in a DHS and FBI joint report.