US, UK cyber cops warn Russians are rooting around in your routers

After all, it's where all your data is flowing through

American and British crimefighters have launched another round of pin-the-tail-on-the-Russians – with a warning that Moscow-backed hackers are trying to subvert the world's network devices.

The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) on Monday issued a joint Technical Alert describing a global assault on routers, switches, firewalls, and network intrusion detection hardware by Russian state-sponsored cyber actors.

This is not quite the same thing as last month's warning against cyber-attacks on the West's energy utilities and other critical infrastructure, or other cyber threats attributed to Russia-sponsored hacking, referred to collectively as Grizzly Steppe. But it's related.

"FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations," the advisory says.

The warning applies specifically to devices utilizing Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP).

Routers give root

US and UK authorities say that since 2015 they've been receiving reports of attacks on routers and the like that aim to advance Russia's national security and economic goals. They contend that the campaign "threatens the safety, security, and economic well-being of the United States."

The advisory says network devices are ideal targets because almost all network traffic passes through them.

"Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network," the advisory says, adding that such control could enable denial of service, information manipulation or, in the context of critical infrastructure, physical destruction.

The warning goes on to elaborate on the reasons it's easy to find vulnerable network devices: they tend to get less security attention than servers, few run security tools, and many ship with exploitable services enabled.

Device owners often fail to change default settings, perform security hardening, or commit to regular patching. ISPs often don't replace hardware that's no longer supported by its maker. And network devices often get overlooked during cyber intrusion investigations.
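As an added illustration, not code from the advisory or from the article, here is a small audit that reads a Cisco IOS-style running-config and flags the three exposures named above: default or read-write SNMP community strings, Smart Install left enabled, and GRE tunnels whose far ends deserve a look. The sample config is constructed, and the Smart Install check assumes a platform where the service is on unless `no vstack` appears.

```python
import re

# Constructed sample of a Cisco IOS-style running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
snmp-server community public RO
snmp-server community netops-rw RW
snmp-server community n3t0ps-r0 RO 10
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(config: str) -> list:
    """Return findings for the exposures the advisory names: SNMP communities
    left at defaults or granting write access, Smart Install still enabled,
    and GRE tunnels whose remote endpoints should be reviewed."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    # SNMP: default community strings, and read-write access of any kind
    for line in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if not m:
            continue
        community, mode = m.group(1), m.group(2) or "RO"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{community}' ({mode})")
        elif mode == "RW":
            findings.append(f"snmp: read-write community '{community}'")

    # Smart Install: IOS shows 'no vstack' only once it has been disabled, so
    # its absence is treated as enabled (assumption: platform defaults to on).
    if "no vstack" not in lines:
        findings.append("smi: 'no vstack' absent, Smart Install assumed enabled")

    # GRE: report each tunnel interface's destination for review
    iface, dest = None, None
    for line in lines:
        if line.startswith("interface "):
            iface, dest = line.split()[1], None
        elif line.startswith("tunnel destination "):
            dest = line.split()[2]
        elif line == "tunnel mode gre ip" and iface:
            findings.append(f"gre: {iface} tunnels to {dest or 'unknown'}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```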

Despite the ebb in relations between the US/UK and Russia – marked by diplomatic expulsions, indictments related to the Internet Research Agency and the 2016 election, the Skripal poisoning, and ongoing events in Syria – the White House appears disinclined to punish Russia for alleged bad behavior.

On Monday, the Washington Post reported that the White House halted Syria-related sanctions against Russia announced a day earlier by US Ambassador to the United Nations Nikki Haley.

And after several years of naming and shaming the Russian government for backing the hacking of US government systems, not much has changed. ®
