Home / Technology / AI & IT / U.S., Britain blame Russia for global cyber attack targeting Network Infrastructure Devices

U.S., Britain blame Russia for global cyber attack targeting Network Infrastructure Devices

The United States and Britain in 2018 accused Russia of launching cyber attacks on computer routers, firewalls and other networking equipment used by government agencies, businesses and critical infrastructure operators around the globe. Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc.

 

Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

 

On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.

 

Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

 

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data. Intruders with infrastructure privilege and access can impede productivity and severely hinder reestablishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult. Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts

The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

Routers and firewalls

Routers are used to forward packets of data back and forth between internet service provider (ISP) and user devices. The router’s job is to look at each packet of data, read its source and destination IP addresses, find the destination IP in its routing table and then send each packet on its way in an orderly fashion. Because routers allow more than one computer onto the network, they also open up the possibility for more security events.

 

Cyber criminals frequently use this vulnerable point to spread malware, which can damage data and compromise network security. Or they may attempt to reconfigure your network by accessing your router with default administrative credentials — which is why it is so important to change these logins from the defaults. Hackers will also use routers to launch denial-of-service attacks, which can knock your operations offline for hours at a time. In these attacks, attackers flood routers with packets upon packets of data, overloading the router’s ability to forward legitimate traffic.

 

At a high level, firewalls monitor incoming and outgoing traffic, analyzing it for security risks and filtering out high-threat activity. Specifically, packet filtering firewalls inspect the header of all the packets of data flowing in and out of the network. They review the source address, destination and port information of each packet to determine its legitimacy, then decide to send the data on its way or block it, based on a set of predetermined rules created by the network administrator.

 

Stateful inspection firewalls take that process one step further, reviewing not just the data in the packet but information about where it came from and where it’s headed. For instance, a stateful inspection firewall would look at how the data originated — did it appear as a response to a request, or did it just show up out of nowhere.

Firewalls can stop hackers who are trying to steal sensitive data, like credit card numbers or confidential company assets. They can root out suspicious malware attacks by identifying incoming or outgoing data that doesn’t belong. They can block websites that are known to carry malware and spam. They can keep protected networks and servers safe from unauthorized use. They’re your best hope against unwanted hacking.

 

Own the Router, Own the Traffic

Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

 

Prevention and Mitigations Recommendations

NCCIC encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure:

Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network

 

Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.

 

Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations.

 

Secure Access to Infrastructure

Devices Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.

 

Perform Out-of-Band Management Out-of-Band

(OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

 

Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.

 

Recommendations:

  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

 

 

References and Resources also include:

https://www.taylored.com/blog/the-differences-between-routers-and-firewalls-in-network-security/

https://cyber.dhs.gov/assets/report/ar-16-20173.pdf

About Rajesh Uppal

Check Also

Nation-Backed Cyber Attacks: The Global Threat Posed by Russia, China, North Korea, and Iran

In today’s interconnected world, cyberspace has become the new battleground for global dominance. Nation-states are …

error: Content is protected !!