The U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) released a joint Technical Alert concerning malicious cyber-activity carried out by the Russian government.
“This is the first time that, in attributing a cyber-attack to Russia, the United States and the United Kingdom have, at the same time, issued joint advice to industry about how to manage the risks from the attack,” Ciaran Martin, CEO of the National Cyber Security Centre, said in a statement. “It marks an important step in our fight back against state-sponsored aggression in cyberspace.”
The targets of this malicious cyber-activity are primarily government and private-sector organizations, critical infrastructure providers, and internet service providers (ISPs) supporting these sectors. Specifically, these cyber exploits are directed at network infrastructure devices worldwide, such as routers, switches, firewalls, and Network Intrusion Detection Systems (NIDS).
“Many of the techniques used by Russia exploit basic weaknesses in network systems,” Martin said. “The NCSC is leading the way globally to automate defenses at scale to take away some of those basic attacks, thereby allowing us to focus on the most potent threats.”
Network device vendors, ISPs, public-sector organizations, and private-sector companies are encouraged to read the alert and act on its recommended mitigation strategies. The alert contains:
Indicators of compromise;
Technical details on the tactics, techniques, and procedures (TTPs); and
Contextual information regarding observed behaviors on the networks of compromised victims.
Russian state-sponsored actors are using compromised routers to conduct spoofing “man-in-the-middle” attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations. Multiple sources, including private and public-sector cyber-security research organizations and allies, have reported this activity to the U.S. and U.K. governments.
In a statement, FBI Deputy Assistant Howard Marshall said this activity is “part of a repeated pattern of disruptive and harmful malicious cyber action carried out by the Russian government.” Anyone who finds signs of the malicious activity described in TA18-106A is encouraged to immediately report them to DHS’s National Cybersecurity and Communications Integration Center (NCCIC), FBI, NCSC, or law enforcement.