Russians in the Router

04/24/2018
G DATA Blog

Security services from the USA and the UK warn about current attacks by the Russian government on routers, firewalls and intrusion detection systems of companies and public authorities. Successful attacks on the "heart of the network" may have versatile effects and endanger the whole IT ecosystem of affected nations. Those who believe this account may think that Russia is starting a cyber war. But what are the accusations actually about?

If three top-ranking institutions like the FBI, the Department of Homeland Security (DHS) and the British National Cyber Security Centre (NCSC) issue a joint warning (as they did on April 16th) with the title "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices", this usually carries considerable weight. But if you find one accusation after the other, without a shred of evidence to back the claims, you are taken aback when reading the text. The Technical Alert TA18-106A of the US-CERT points to a wave of attacks on routers, firewalls and other network devices. However, convincing evidence of the Russian provenance of the attacks is strangely lacking. It seems to me that we are dealing with two things: 1.) the concrete warning about an attack in progress, and 2.) politically motivated propaganda.

The Attack

The US-CERT's technical description tells us that routers of enterprises and private users are attacked by targeting obsolete protocols and simple admin tools. It particularly mentions scans on the ports of telnet (port 23), HTTP (port 80) as well as SNMP (ports 161/162). The warning also mentions attacks on a tool for simple and automated administration of Cisco routers. Attacks on this Smart Install (SMI) client were published by Cisco on April 5th. Besides configuring the router, its integrated TFTP support can be abused to send (configuration) data to remote computers. A diagram shows increased activity on the associated port 4786 since November 2017. Attacks on SMI are not new and became much easier to carry out when the "Smart Install Exploitation Tool" (SIET) started spreading in the underground markets back in November 2016.

To make a long story short: the warning is not particularly up-to-date. It is also not especially unusual. Attacks on devices that either use unencrypted protocols or have known security flaws are daily business. A statement by the German BSI from April 17th takes the same line. The attack methods have been known for years. "From a technical point of view there are no new findings in the US-CERT's explanation". The BSI is aware of current cases in Germany that are similar to the ones described in the alert. Affected institutions have been informed and appropriate defense measures were initiated. There is no reason to panic.

It might appear that the attacks are harmless. Unfortunately, this is not the case. You shouldn't take the warning lightly. Routers are the heart of the network. With unrestricted access to a router it is not only possible to spy on the network infrastructure and read all (unencrypted) data passing through. It is also possible to redirect, stop, or manipulate data transfers. Whoever controls the router also controls the network. The imminent macroeconomic impact of compromised private routers may be negligible. Cisco routers, however, are highly optimized systems for processing network packets, and are mostly deployed in professional environments, where manipulations can have severe effects. In this scenario, those who still support unencrypted protocols and/or use simple admin tools that don't meet appropriate security requirements should take the Technical Alert as an opportunity to disable and/or replace the insecure components. The "Solutions" section of the US-CERT Technical Alert provides valuable advice for fixing the current issue. The US-CERT also provides more fundamental advice on how to secure networks and devices.
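As an added example (not code from G DATA, US-CERT or Cisco), the following Python flags the kind of probing the alert describes in a constructed, hypothetical flow-log format: connection attempts to the ports named above, grouped by source address, so that one address touching many devices on port 4786 stands out from a single telnet hit.

```python
import re
from collections import defaultdict

# Ports named in the alert, with the reason a defender cares about each.
WATCHED_PORTS = {
    23: "telnet (cleartext admin)",
    80: "HTTP admin interface (cleartext)",
    161: "SNMP (weak or default community strings)",
    162: "SNMP trap",
    4786: "Cisco Smart Install (SMI) client",
}

# Constructed sample flow log in a hypothetical format:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2018-04-16T10:00:01 198.51.100.7 -> 192.0.2.1:4786 tcp allow
2018-04-16T10:00:02 198.51.100.7 -> 192.0.2.2:4786 tcp allow
2018-04-16T10:00:03 198.51.100.7 -> 192.0.2.3:4786 tcp deny
2018-04-16T10:00:04 203.0.113.9 -> 192.0.2.1:23 tcp allow
2018-04-16T10:00:05 203.0.113.9 -> 192.0.2.1:161 udp allow
2018-04-16T10:00:06 10.0.0.5 -> 192.0.2.1:443 tcp allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
                     r"(?P<proto>\w+) (?P<action>\w+)$")

def parse_line(line):
    """Parse one flow-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def find_management_probes(log_text, min_targets=1):
    """Group hits on watched ports by (source, port) and count distinct targets.
    One source touching several devices on 4786 is the SMI scanning pattern the
    alert describes; single telnet/SNMP hits still reveal cleartext exposure."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] in WATCHED_PORTS:
            targets[(rec["src"], rec["port"])].add(rec["dst"])
    return [{"src": src, "port": port, "targets": len(dsts), "why": WATCHED_PORTS[port]}
            for (src, port), dsts in sorted(targets.items()) if len(dsts) >= min_targets]

if __name__ == "__main__":
    for f in find_management_probes(SAMPLE_LOG):
        print(f"{f['src']} hit {f['targets']} host(s) on port {f['port']}: {f['why']}")
```

Denied connections are counted as well, since a scan that is blocked still tells you which source is sweeping your management ports.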

Warning of the Cyber War

Intelligence agencies do spy. It's their job. And of course they utilize the technical facilities of the internet. The extent to which this happens, as well as the systematic nature of those activities, was outlined by the revelations of Edward Snowden. From an adversary's point of view network devices are particularly attractive. Firewalls, intrusion detection systems and routers process huge amounts of data. It's surely no surprise that these devices are in the focus of intelligence agencies - not only the Russians'. The diplomatic relationship between Russia and the USA has been somewhat strained as of late. More and more campaigns are launched in which Russia or Russian companies (e.g. Kaspersky) are put in a bad light. The alert at hand joins the queue. The accusations, however, are not comprehensible from an outside perspective, because the insights they are based on are not subject to public scrutiny. This reminds me of the scheme that at the time led to the war in Iraq. The present alert puts the described incidents in the context of attacks carried out (or at least supported) by the Russian government, thus creating a context of cyber war. Given that it is not only about spying, but also about sabotage, the consequences of successful attacks on network devices are even more serious. Some recent examples may illustrate possible effects.

  • Black Energy
    Attacks on Ukrainian power plants caused power outages for several hours in vast parts of the country.
  • WannaCry
    This ransomware uses vulnerabilities that the NSA was keeping secret, but which were stolen and published by The Shadow Brokers. Computers worldwide in huge enterprises and hospitals were unusable. Several companies - even bigger ones - had to interrupt their work.
  • Petna (aka NotPetya)
    The same vulnerabilities from the NSA leaks were used to spread another ransom trojan. The starting point was a financial software that companies doing business in Ukraine are obliged to use. The encryption rendered computers worldwide useless. The most prominent victim was the Danish logistics company Maersk, which is responsible for about 20% of worldwide transports. They were offline for 10 days.

Motivation

Do the implied allegations mean that the Russian government is preparing to engage in a cyber war against western industrialized countries? A serious warning about a cyber war should look and sound different. In its present form it is comparable to a loudspeaker announcement at the beach while the tsunami is already approaching. Homeland Security should be able to find more effective ways of communication in that case.
Are the FBI, DHS, and NCSC being exploited to serve a political concept of the enemy? That would be a pity. It harms the credibility of their otherwise good work in revealing the details of an attack. Even the US-CERT with all its wonderful security material could lose reputation.
Or did they want to compensate for the criticism of the NSA over WannaCry and Petna and do better than last time? That would be laudable, but it needs a different, long-term confidence-building strategy.
Or was it an attempt to finally get the operators of network infrastructure to implement appropriate IT security measures by summoning signs of an impending cyber war? I doubt that this strategy is successful, and I would consider this way of raising attention inappropriate. You shouldn't play with messages with such a high level of consequence.

And now?

There is no easy solution in sight. Obviously, responsible citizens are in high demand in the otherwise technology-focused IT world. IT security officers and system administrators must make their own estimate regarding the importance and urgency of security measures and separate fact from politically motivated fiction. The situation is seriously difficult. The opportunities for successful cyber attacks are currently better than ever. Our economic and private life is entangled with connected computing devices. The digital change is deeply changing our society. Unfortunately, securing the corresponding infrastructure was (until lately) given a lower priority. A well-prepared cyber attack could currently have devastating effects. A good starting point for counter-action could be to raise the hurdles. Banning telnet and other unencrypted protocols, and deactivating devices that offer no alternative, is a good starting point. Avoid using simple but insecure admin tools. If the Russians are coming, they should be forced to make an effort.
The good news is that this change is happening already. More and more enterprises (and private users) deal with securing their IT and the related processes and invest a lot of know-how and money in it. Unfortunately that's not as straightforward as it may seem. Every company has its own conditions and characteristics, which the necessary security measures have to fit. For more than 30 years we have been working on preventing security incidents that impair the fun you can have with computers. If you need assistance, we are happy to help.