On April 16, 2018, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre issued a joint Technical Alert (TA) warning of the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. The TA identifies the primary targets as government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The affected systems include Generic Routing Encapsulation (GRE) enabled devices, Cisco Smart Install (SMI) enabled devices, and Simple Network Management Protocol (SNMP) enabled network devices.
According to the TA, “FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.” The TA gives technical details on the tactics, techniques, and procedures used by Russian state-sponsored cyber actors and recommends mitigation strategies in technical detail.
DHS further encourages recipients to report information to the National Cybersecurity and Communications Integration Center or law enforcement.