A “significant number” of Australian organisations were targeted as part of a multi-year espionage campaign being blamed on Russian government hackers.
The federal government joined UK and US authorities overnight in blaming Russian state hackers for exploiting commercial networking equipment to target the organisations.
No details were shared on which Australian organisations were affected and the total number involved.
Minister for law enforcement and cyber security Angus Taylor said there was “no indication Australian information has been successfully compromised” in the attacks.
Taylor said the incidents were unacceptable and called on all countries, including Russia, not to take actions that could damage network infrastructure that provides services to the public.
Taylor was advised by Australian intelligence agencies and their counterparts in allied countries of the attacks on commercial routers.
The intelligence agencies identified what they say were Russian controlled internet-connected hosts involved in network exploitation operations.
Coinciding with the Australian government notification, the United States Computer Emergency Readiness Team (US-CERT) issued a joint technical alert with the US Department of Homeland Security, the FBI and the UK’s National Cyber Security Centre, detailing the router attack vectors.
US-CERT said the Russian “Grizzly Steppe” government hackers had exploited legacy and weak protocols and exposed network service ports on a large number of enterprise, small and medium-sized business, and residential routers and switches worldwide since 2015.
Grizzly Steppe scanned the internet address space to locate network infrastructure that ran vulnerable clear-text services such as Telnet, HTTP, the simple network management protocol (SNMP) and Cisco Smart Install (SMI).
By observing the login banners presented by the devices, and fingerprinting the data returned by the scans, the hackers were able to identify the routers and switches, as well as the organisations in which they were installed.
Organisations that exposed SNMP to the internet also leaked vital details that allowed the hackers to map out networks and the devices connected to them.
Exploiting the network devices that exposed vulnerable services to the internet was relatively easy for the Russian hackers.
“… for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access the routers,” US-CERT said.
The hackers were able to use default login credentials, and guess weak passwords; they were also able to use credentials already leaked on the internet, as many organisations permit passwords that can be derived from existing data breaches.
Once logged in as a privileged administrator on the network devices, the Grizzly Steppe hackers were able to install modified software and operating system files on them, as well as firmware that enabled them to establish a persistent presence.
Cisco’s SMI, which listens on TCP port 4786, was used to install the malicious code and to change configuration files, as it is an unauthenticated management protocol that is susceptible to network address spoofing.
The hackers were able to take full control of network devices, establish a man-in-the-middle position and capture traffic flows and exfiltrate data from targets using Generic Routing Encapsulation (GRE) protocol tunnels.
US-CERT warned that the hackers could also mirror, redirect and modify as well as deny traffic to and from the victim organisations.
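A network defender looking for the GRE exfiltration path described above would start from flow telemetry: GRE is IP protocol 47, and a router that has no business tunnelling to the internet should never originate GRE to an unknown external peer. The following is an added example in Python, not code from the alert or any vendor; the NetFlow-style records, the allowlist of legitimate tunnel peers and the RFC 1918 "internal" definition are all constructed assumptions for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

GRE = 47  # IP protocol number for Generic Routing Encapsulation

# Constructed NetFlow-style records for illustration; not real telemetry.
# Two large GRE flows from an edge router to an unknown external host
# sit among normal traffic and one legitimate tunnel.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes
2018-04-16T02:11:05Z,10.0.0.1,10.0.0.2,47,1200
2018-04-16T02:12:40Z,10.0.0.1,198.51.100.23,47,48213760
2018-04-16T02:12:55Z,10.0.0.1,198.51.100.23,47,9120000
2018-04-16T02:13:02Z,10.0.0.1,203.0.113.9,6,1432
2018-04-16T02:14:11Z,10.0.0.3,192.0.2.77,47,2048
"""

# Assumed allowlist: the GRE peers this organisation legitimately tunnels to.
KNOWN_TUNNEL_PEERS = {"192.0.2.77"}

# Assumed definition of "internal": RFC 1918 space.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_suspicious_gre(flow_csv: str, known_peers=KNOWN_TUNNEL_PEERS) -> list[dict]:
    """Return GRE flows from internal devices to external, non-allowlisted peers,
    aggregated per (src, dst) so the tunnel's total volume is visible."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "first_seen": None})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != GRE:
            continue
        src, dst = row["src"], row["dst"]
        # Internal-to-internal GRE and known peers are expected; skip them.
        if not is_internal(src) or is_internal(dst) or dst in known_peers:
            continue
        entry = totals[(src, dst)]
        entry["flows"] += 1
        entry["bytes"] += int(row["bytes"])
        entry["first_seen"] = entry["first_seen"] or row["ts"]
    # Largest tunnels first: an exfiltration tunnel stands out by volume.
    return [
        {"src": s, "dst": d, **v}
        for (s, d), v in sorted(totals.items(), key=lambda kv: -kv[1]["bytes"])
    ]


if __name__ == "__main__":
    for a in find_suspicious_gre(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['flows']} GRE flows, "
              f"{a['bytes']} bytes, first seen {a['first_seen']}")
```

Run against the constructed records, only the 10.0.0.1 to 198.51.100.23 tunnel is reported, with both flows summed; the legitimate peer and the internal-only GRE flow are ignored. In practice the allowlist should be generated from the routers' own tunnel interface configuration rather than maintained by hand.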
Users are asked to immediately change defaults and weak passwords, and not to reuse them across multiple devices.
Strong password policies should be enforced, and each device should have its unique set of login credentials.
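The credential failures the alert lists (vendor defaults, guessable passwords, passwords already present in public breach dumps) and the reuse of one password across many devices can all be checked mechanically against a device credential inventory. The following Python is an added example, not the alert's or any vendor's tool; the default-credential list, the breached-password corpus (represented as SHA-1 digests, the form in which offline copies of such lists are commonly distributed), the 12-character minimum and the inventory itself are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed list of vendor default (username, password) pairs; illustration only.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("cisco", "cisco"), ("root", "root"),
}

# Constructed stand-in for an offline breached-password corpus. Such corpora are
# usually distributed as SHA-1 digests, so the check compares hashes, not plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2017!", "P@ssw0rd", "letmein", "Welcome1")
}

MIN_LENGTH = 12  # assumed local policy


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def is_guessable(password: str, hostname: str) -> bool:
    """Too short, or derived from the hostname an attacker sees in the login banner."""
    return len(password) < MIN_LENGTH or hostname.lower() in password.lower()


def audit_inventory(inventory):
    """inventory: iterable of (hostname, username, password).
    Returns {hostname: [findings]} for every device with at least one problem."""
    findings = defaultdict(list)
    hosts_by_password = defaultdict(set)
    for host, user, password in inventory:
        hosts_by_password[password].add(host)
        if (user, password) in DEFAULT_CREDENTIALS:
            findings[host].append("vendor default credential")
        if is_breached(password):
            findings[host].append("password present in breach corpus")
        if is_guessable(password, host):
            findings[host].append("password is short or derived from the hostname")
    # Reuse across devices: one leaked credential would open every one of them.
    for password, hosts in hosts_by_password.items():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].append(f"password reused on {len(hosts) - 1} other device(s)")
    return dict(findings)


# Constructed inventory for illustration; only the last device is clean.
SAMPLE_INVENTORY = [
    ("core-sw-1", "admin", "admin"),
    ("edge-rtr-1", "netops", "Summer2017!"),
    ("edge-rtr-2", "netops", "Summer2017!"),
    ("branch-rtr-3", "netops", "branch-rtr-3_2018"),
    ("dc-fw-1", "netops", "hK8#vm2Lq9!zRt4wYe"),
]

if __name__ == "__main__":
    for host, problems in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(problems)}")
```

The two edge routers are flagged three times each: the shared password is in the breach corpus, is under the length minimum, and is reused. Only dc-fw-1, with a unique, long, non-breached password, produces no finding.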
To mitigate future attacks, users should not expose unencrypted management protocols such as Telnet to the internet, nor should they allow access to device management interfaces from the internet at all.
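The exposures the attackers scanned for (Telnet, clear-text HTTP, SNMP with default community strings, Smart Install) and the mitigations just listed can be checked against a device's running configuration before it is ever reachable from the internet. The following is an added example in Python, not Cisco's tooling or code from the alert; it audits an IOS-style configuration and shows a weak configuration beside a hardened one. Both configs are constructed, the hashes in the hardened version are placeholders, and the Smart Install check rests on the assumption that on platforms that support it the feature is enabled by default and only appears in the running config as `no vstack` once disabled.

```python
import re

# Constructed weak running-config carrying the exposures in the alert; not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password cisco
username admin password 0 admin
service password-encryption
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 login local
line vty 5 15
 transport input ssh
 login local
"""

# Constructed hardened counterpart; hash values are placeholders, not real secrets.
HARDENED_CONFIG = """\
hostname edge-rtr-1
enable secret 9 $9$placeholderhash
username admin secret 9 $9$placeholderhash
no ip http server
ip http secure-server
snmp-server community Xk3q9LmZ2vRt8Wy RO
no vstack
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
"""

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def parse_vty_transports(config: str) -> dict:
    """Map each 'line vty ...' block to the set of transports it accepts."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^line (vty \d+(?: \d+)?)", line)
        if m:
            current = m.group(1)
            blocks[current] = set()
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"^\s+transport input (.+)$", line)
            if m:
                blocks[current] = set(m.group(1).split())
        elif current is not None:
            current = None  # an unindented line ends the block
    return blocks


def audit_config(config: str) -> list[str]:
    findings, lines = [], config.splitlines()
    # Clear-text Telnet management on any VTY line ('all' includes telnet).
    for vty, transports in parse_vty_transports(config).items():
        if transports & {"telnet", "all"}:
            findings.append(f"line {vty}: clear-text telnet permitted (use 'transport input ssh')")
    # Clear-text HTTP management interface.
    if any(l.strip() == "ip http server" for l in lines):
        findings.append("ip http server: clear-text HTTP management enabled (use 'no ip http server')")
    # SNMP: default community strings leak the network map; RW communities allow changes.
    for l in lines:
        m = re.match(r"^snmp-server community (\S+)(?: (RO|RW))?", l)
        if m:
            comm, mode = m.group(1), m.group(2) or "RO"
            if comm.lower() in DEFAULT_SNMP_COMMUNITIES:
                findings.append(f"snmp-server community {comm}: default community string")
            if mode == "RW":
                findings.append(f"snmp-server community {comm}: read-write access exposed")
    # Smart Install: assumed enabled by default; only 'no vstack' proves it is off.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("Smart Install (vstack) not disabled: add 'no vstack'")
    # Reversible credential storage: type 0/7 passwords instead of secrets.
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password: reversible enable password (use 'enable secret')")
    for l in lines:
        m = re.match(r"^username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)}: reversible password (use 'username ... secret')")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

The weak config yields eight findings, including the enabled Smart Install service that never appears as a line of its own; the hardened config yields none. A check like this belongs in the change pipeline, with internet-facing management interfaces additionally blocked at the edge rather than relying on the device configuration alone.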
US-CERT also took a swing at manufacturers for shipping devices with legacy and unencrypted protocols.
If such protocols must be used, devices should ship with them disabled by default and users should be presented with clear warnings of the risks of enabling them, US-CERT said.
Manufacturers should also force users to change passwords during device installation, or do away with passwords altogether and implement public key infrastructure (PKI) credentials instead, US-CERT added.