Government-backed Russian hackers are using compromised routers and other network infrastructure to conduct espionage and potentially lay the groundwork for future offensive cyber operations, UK and US authorities have warned.
In a joint statement, the US Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Centre (NCSC) - the cyber arm of GCHQ - said Kremlin-backed hackers are using exploits to carry out malicious attacks.
These attacks target government, the private sector and critical infrastructure, as well as the Internet Service Providers (ISPs) providing support to these sectors, with attacks across the globe on network infrastructure devices including routers, switches, firewalls and Network Intrusion Detection Systems (NIDS).
The hackers are using compromised routers to conduct man-in-the-middle attacks to support cyber espionage, steal intellectual property and maintain persistent access in victim networks for use in additional campaigns.
"We have high confidence that Russia has carried out a coordinated campaign to gain access to enterprise, small office, home office routers known as SOHO routers and residential routers, and the switches and connectors worldwide," said Rob Joyce, special assistant to the President and cybersecurity coordinator at the White House, speaking to journalists.
"We can't rule out that Russia might intend to use this set of compromises for future offensive cyber operations as well, it provides basic infrastructure they can launch from."
Millions of devices around the world are said to have been compromised in this way, with inherently poor security and poor default passwords exploited by the attackers.
"What we've seen in this case is default passwords being exploited, unsecured devices being exploited," said Joyce.
It's warned that a Russian government campaign to exploit these devices threatens the safety, security, and economic well-being of the US and the UK.
The joint statement by the DHS, FBI and NCSC said multiple sources including private and public-sector research organisations, as well as other nations, have reported this activity to the US and UK governments.
The full alert contains indicators of compromise for the attacks, technical details on the tactics, techniques and procedures as well as contextual information regarding observation of the attacks.
The alert urges network device vendors, ISPs, public sector organisations and private corporations of all sizes to read it and act on the recommended mitigation strategies.
It's the first time that the US and the UK have issued joint advice to industry on mitigating attacks at the same time, something which Ciaran Martin, CEO of the National Cyber Security Centre, said "marks an important step in our fight back against state-sponsored aggression in cyberspace".
"Russia is our most capable hostile adversary in cyberspace so dealing with their attacks is a major priority for the National Cyber Security Centre and our US allies," he said.
"The UK government will continue to work with the US, other international allies and industry partners to expose Russia's unacceptable cyber behaviour, so they are held accountable for their actions," Martin added.
US Homeland Security has directly condemned the Russian state for the attacks.
"The US government has high confidence that Russian state-sponsored cyber actors were behind this malicious cyber activity to exploit network infrastructure devices," said Jeanette Manfra, National Protection and Programs Directorate and chief cybersecurity official for the Department of Homeland Security.
"The US government and the United Kingdom condemn the actions of the Russian government, and we hold the Kremlin responsible for these malicious cyber activities," she added.
The FBI also pledged to do whatever it takes to combat Russian cyberattacks.
"We'll continue to follow the actions of our Russian adversaries and we'll bring every tool to bear against them in every corner of cyber space," said Howard Marshall, Deputy Assistant Director of the Cyber Division at the FBI.
The joint US-UK alert comes days after Home Secretary Amber Rudd warned that the UK had been hit by 49 cyberattacks from Russian groups in the last six months. Jeremy Fleming, the Director of UK intelligence agency GCHQ, also recently called out Russia's actions in cyberspace.
"They're not playing to the same rules, they're blurring the boundaries between criminal and state activity," he said.