The U.S. and the U.K. say that Russian state-sponsored hackers have been exploiting a software vulnerability found in thousands of routers around the world in order to break into networks and steal data.
The alert, issued jointly by the U.K.’s National Cyber Security Centre and the U.S. FBI and Department of Homeland Security, warns that “cyber actors supported by the Russian government” broke into large numbers of routers and switches and used “compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.” The hacks were reportedly intended to “enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.”
The Department of Homeland Security says that the U.S. first received information from private companies and critical infrastructure partners about Russian exploitation of routers as early 2015. Those targeted by the campaign “are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers.”
DHS also advised that the threat posed by vulnerable routers could be used to create physical damage in limited circumstances, warning that a hacker compromising routers in between industrial control systems could create “dangerous configurations that could lead to loss of service or physical destruction.”
The Washington Post first reported that hackers from Russia’s Main Intelligence Directorate (GRU)—the agency which allegedly hacked the Democratic National Committee during the 2016 election—broke into routers used by officials at the 2018 Olympics in Pyeongchang and distributed malware on Olympic networks. The break-in, U.S. officials told the Post, was designed to appear as though it was carried out by North Korea. The hack was reportedly intended as payback from Moscow after the Olympic committee banned Russian athletes in response to an extensive state-backed doping campaign by the Russian government. It’s unclear, however, if the Olympic router breach is related to the campaign identified by the U.S. and U.K.
The joint announcement follows what appears to be an increasingly vocal campaign by both countries to call out Russia for its alleged responsibility in a series of hacking incidents.
“We’ll continue to expose Russia’s unacceptable cyber behaviour, so they’re held accountable for what they do, and to help Government and industry protect themselves,” Jeremy Fleming, director of the U.K.’s Government Communications Headquarters, said in a speech at a cybersecurity conference last week. “The UK will continue to respond to malicious cyber activity in conjunction with international partners such as the United States. We will attribute where we can.”
In February, the U.S. and U.K. issued another joint attribution blaming Russia for the creation and distribution of the NotPetya malware. NotPetya destroyed data on computers around the world, but the majority of infections were concentrated in Ukraine, targeting important infrastructure like the financial and energy sectors. According to Britain’s National Cyber Security Centre, “the Russian Government, specifically the Russian military” designed the NotPetya malware to appear as ordinary criminal ransomware. The infection, however, destroyed data and offered no means for victims to ransom their data back once it was encrypted.
“For over twenty years, GCHQ has been tracking the key Russian cyber-attack groups and today’s joint UK-US alert shows that the threat has not gone away,” Ciaran Martin, head of the U.K.’s National Cyber Security Centre, said in a statement. “The UK government will continue to work with the US, other international allies and industry partners to expose Russia’s unacceptable cyber behavior, so they are held accountable for their actions.”