Russian State-Backed Hackers Target Vulnerable Routers in Critical Infrastructure, Agencies Warn

The joint cybersecurity advisory urges organizations to harden routers and other network devices against an ongoing Russian government-sponsored campaign targeting critical infrastructure.

A coalition of cybersecurity agencies from the United States and eight allied nations has issued a joint advisory warning that Russian government-sponsored hackers continue to target vulnerable and poorly configured routers to gain access to critical infrastructure networks, urging organizations to strengthen network device security and eliminate common configuration weaknesses.

The advisory, authored by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and 15 additional cybersecurity agencies, attributes the activity to Russian Federal Security Service (FSB) Center 16 cyber actors. The threat group is tracked within the cybersecurity industry under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.

According to the advisory, the attackers scan internet-connected IP address ranges for routers using default or commonly known Simple Network Management Protocol (SNMP) authentication strings. Once access is obtained, the actors instruct devices to copy their configuration files and transfer them to attacker-controlled servers using the Trivial File Transfer Protocol (TFTP). Critical infrastructure sectors identified as being at greatest risk include communications, defense industrial base, energy, financial services, healthcare and state and local government organizations.

Attack focuses on basic security weaknesses

In prepared media comments, Matthew Hartman, chief strategy officer at Merlin Group, said the tactics outlined in the advisory are well established but remain relevant because of their continued effectiveness.

“The techniques in this advisory are not new, however, the breadth of international attribution should remove any doubt that this remains an active and coordinated threat to critical infrastructure,” Hartman said. He added that organizations should prioritize internet-facing network infrastructure by eliminating default credentials, restricting management interfaces and monitoring and patching routers as they would other critical systems.

Louis Eichenbaum, federal CTO at ColorTokens, said sophisticated threat actors continue to capitalize on fundamental security shortcomings.

“The most important takeaway from this campaign is that sophisticated adversaries continue to exploit relatively basic weaknesses because they know those weaknesses still exist,” Eichenbaum said, noting that legacy operational technology environments often continue to rely on default credentials, exposed management interfaces and flat network architectures.

Eichenbaum recommended organizations inventory routers, switches, firewalls and other network devices, remove default SNMP community strings, implement SNMPv3 with authentication and encryption, disable TFTP where possible and replace it with more secure alternatives such as SCP or SFTP. He also pointed to identity-based microsegmentation as a way to limit lateral movement if a perimeter device is compromised.

Experts emphasize foundational cyber hygiene

John Gallagher, vice president at Viakoo, described the campaign as opportunistic rather than highly targeted.

“These attacks work purely from a numbers perspective,” Gallagher said. “It's an opportunistic campaign looking for poor cyber hygiene.”

Gallagher recommended disabling Cisco Smart Install, migrating to SNMPv3, restricting management access, keeping firmware current and maintaining regular password and certificate rotation policies.

The joint advisory also recommends disabling legacy SNMPv1 and SNMPv2 where possible, using strong unique passwords, limiting management protocol access through access control lists, blocking unnecessary external communications over SNMP, TFTP and Cisco Smart Install ports, and keeping network devices updated with the latest firmware and security patches.

About the Author

Rodney Bosch

Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].

Sign up for our eNewsletters
Get the latest news and updates