This article has been updated to include comments from Cipher Brief experts.
On Monday, the U.S. and UK jointly blamed Moscow for cyber intrusions into the backbone of the internet – the routers and switches that are the gateway for internet access in major corporations and your home office.
“Since 2015, the U.S. government received information from multiple sources – including private and public sector cybersecurity research organizations and allies – that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide,” said the technical alert published by the U.S. Department of Homeland Security.
“The U.S. government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals,” it continued.
The campaign particularly targets internet service providers, private sector firms and critical infrastructure providers in both the U.S. and UK, and around the world.
“This activity isn’t always to steal information from the network, but at times used to facilitate other operations that the Russians can do against high value targets worldwide,” said Rob Joyce, the White House cybersecurity coordinator, in a briefing to reporters.
“We assess the goals of the campaign include espionage and intellectual property theft,” he said. “This isn’t an isolated incident by any stretch and should be viewed in the totality of Russian malicious cyber activity. For this reason, we cannot rule out that Russia may intend to use this set of compromises for future offensive cyber operations as well. It provides basic infrastructure that they can launch from.”
The U.S.-UK Joint Statement added that, “Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.”
For example, the DHS alert points out that, “An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure – such as the Energy Sector – can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction.”
This has significant implications considering that in March, DHS confirmed Russia’s cyber intrusions into the U.S. energy grid.
The targeting of network infrastructure is reminiscent of the malware dubbed SYNful Knock found infiltrating Cisco routers in Ukraine, Philippines, Mexico and India in September 2015 by cybersecurity company FireEye. SYNful Knock was later included in the Department of Homeland Security’s August 2016 report on attacks on U.S. network infrastructure, and then again in the DHS December 2017 report on Russian malicious cyber activity, referred to as Grizzly Steppe.
A similar router-enabled attack in May 2014 was carried out by Russia-linked CyberBerkut, which shut down Kiev’s real-time election result updates for 20 hours on the eve of the pivotal vote. CyberBerkut “claimed to have discovered and exploited a ‘zero-day’ vulnerability” in Ukraine’s Central Election Commission Cisco router software, according to a 2015 report by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.
In the last several months, the U.S. has attributed the WannaCry ransomware campaign to North Korea and the NotPetya attack to Russia. The U.S. has also imposed sanctions and revealed indictments on the Iranian government contractor Mabna Institute, and hit China with large sanctions in part as a response to the cyber theft of intellectual property.
“We are pushing back, and we are pushing back hard,” said Joyce. “These actions are intended to send a message that we are going to work against these issues in the international space.”
“This is a significant moment in the transatlantic fight back against Russian aggression in cyberspace,” added Ciaran Martin, the chief executive officer of the UK National Cyber Security Centre, who also took part in the briefing. “The UK and U.S. have separately and together already called out bad behavior by Russia in cyberspace, but never before have we joined together to give the same advice to our industry and citizens.”
The Cipher Brief spoke with Robert Hannigan, former director of the UK’s GCHQ, and Rick Ledgett, former deputy director of the NSA, about why routers are such prized targets for espionage actors and the significance of a joint U.S.-UK attribution of Russian malicious cyber activity. Their comments have been adapted for print below.
“The point about router and other network attacks is that they enable a wide range of cyber operations against a huge set of secondary targets, whether for intelligence gathering or the delivery of denial of service, or much more sophisticated destructive attacks. The router itself is not the primary target.
“The nature of data flows across the internet means that a router does not need to be in the U.S. or UK to deliver effect in those countries. For example, the ‘man in the middle’ does not need to be in your territory.
“This is not a new discovery, and Russian attacks on routers are not new. But the joint U.S.-UK attribution is new and is clearly intended to have a deterrent effect: this is about pre-warning the Russian state that if attacks are launched in the next few weeks or months, Russia will be blamed. This may not stop them, but it will now be part of their risk calculation. The U.S. has already cited cyber-attacks as a reason for recent economic sanctions; the implication is that there will be further measures if Russia follows through on router-enabled attacks.
“Apart from the deterrent message, the statement is a refreshingly public admission of the inherent vulnerabilities and weaknesses of the internet infrastructure, which have a disproportionate impact on open Western economies.”
“In a network, if you’ve got the router, you’ve got the high ground. There’s a huge advantage if you are on the router of a network that’s carrying traffic in which you’re interested because it gives you the ability to re-route that traffic, to duplicate the routing of the traffic, to copy it and send it on to its intended destination but also send a copy to yourself.
“It gives you the chance to interdict that traffic and stop it from coming, either all of it or, depending on the sophistication of the adversary capability, they could just deny certain kinds of traffic. It gives you the ability to conduct man-in-the-middle attacks in a very efficient way so that you can basically compromise other computers. If you see packets coming from a computer in which you’re interested, then you can respond to that before the intended recipient can and lay down an implant that will exploit a vulnerability and allow you to gain a toehold on that computer.
“They’re also useful for denial of service attacks and you can also use them as launching platforms for disruption malware. They really are the high ground of the internet.
“It could also affect U.S. national security even if the routers are overseas because we have diplomatic and military communications that transit global networks and so, if someone were to interdict those or, in some way, affect those, then that would be bad for the U.S.’s national security. Also, the fact that we have allies would make them vulnerable to those kinds of attacks, which could also affect the United States.”
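The race described above, where a device on the path answers a client before the real server can, leaves a visible trace on the wire: two TCP segments on the same flow that carry different data for the same sequence number. The following detector is an added illustration written for this article, not code from the Cipher Brief, DHS or the interviewees; the Segment record and the captured packets are constructed sample data.

```python
"""Flag TCP responses that race the legitimate server: two segments on one flow
carrying different data for the same sequence number (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:  # hypothetical minimal view of one captured TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def find_injection_races(segments):
    """Return [(earlier, later)] for every flow+seq that is seen with two distinct
    payloads. Retransmissions of an already-seen payload are not flagged."""
    seen = defaultdict(dict)  # (flow, seq) -> {payload: first segment carrying it}
    races = []
    for seg in segments:
        variants = seen[(seg.src, seg.sport, seg.dst, seg.dport, seg.seq)]
        if seg.payload not in variants:
            if variants:  # a different payload already occupies this sequence number
                races.append((next(iter(variants.values())), seg))
            variants[seg.payload] = seg
    return races


def describe(pair):
    """One-line summary; a TTL mismatch hints the two segments left different hops."""
    earlier, later = pair
    hint = "ttl differs" if earlier.ttl != later.ttl else "ttl matches"
    return f"{earlier.src}:{earlier.sport}->{earlier.dst}:{earlier.dport} seq={earlier.seq} ({hint})"


# Constructed capture: a client GET, a fast 302 that arrives first from an upstream
# hop, the real server's 200 at the same sequence number, then a harmless retransmit.
SAMPLE = [
    Segment("10.0.0.5", 51000, "203.0.113.10", 80, 1, 64, b"GET / HTTP/1.1\r\n\r\n"),
    Segment("203.0.113.10", 80, "10.0.0.5", 51000, 1000, 60, b"HTTP/1.1 302 Found\r\n"),
    Segment("203.0.113.10", 80, "10.0.0.5", 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.10", 80, "10.0.0.5", 51000, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for pair in find_injection_races(SAMPLE):
        print("possible injected response:", describe(pair))
```

Run against live traffic this heuristic needs the usual care with out-of-order delivery and legitimate re-segmentation, but it is cheap to run at a network tap and cannot be hidden by an actor who only controls an upstream router.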
If there is public attribution to Russia, should there be a punitive response?
“Two things on that. One, you don’t necessarily see all that is going on. There are things that happen behind the scenes or that happened in non-public channels that governments are obviously not going to talk about in public but that could be going on and, I would guess, are going on.
“The second thing is part of establishing the fact that this behavior is unacceptable and laying a foundation of activities that are acceptable. When we think about graduated response to adversary actions, you don’t just jump right to the maximum response – you ramp things up. Part of the way you do that is you lay the foundation, you lay the groundwork, of specific acts you can attribute to the adversary and that then forms the foundation you can use to take increasingly severe actions going forward.”
What is the significance of a joint U.S.-UK attribution?
“I think it shows that we’re starting to reach out in a coordinated way to like-minded nations. The U.S. and the UK share a lot of common goals and objectives in this space. I think that’s a good thing and a step in the right direction. What I would expect to see is that, going forward, other nations would join up in that sort of work as well.
“I wouldn’t be surprised to see perhaps some Western European partners join. The goal internationally is to get a large enough group of nations that feel the same way and act the same way about what’s acceptable and what’s not on the internet and use that coalition to put pressure on people who don’t behave the way that they should.”
Is there anything significant about the timing of this public attribution?
“Not about the timing, no. This has been going on for a few years – in fact, I was aware of it while I was still in government so it’s good to see they finally have made a decision to – and have enough evidence to – firmly publicly attribute. I think that’s a good thing.”
Levi Maxey is the cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.