CISA, Cisco highlight Russian military targeting of router vulnerabilities

The Cybersecurity and Infrastructure Security Agency and technology giant Cisco released advisories on Tuesday spotlighting attacks on routers allegedly being exploited by Russian military hackers.

In its report, CISA was joined by the FBI, NSA and the UK National Cyber Security Centre (NCSC) in highlighting the actions of APT28 – which the agencies believe is the Russian General Staff Main Intelligence Directorate’s (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165.

Known among researchers as Fancy Bear and STRONTIUM, the group allegedly exploited Cisco router vulnerabilities throughout 2021, attacking “a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.”

NCSC previously attributed attacks on the German parliament in 2015 and the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018 to APT28.

The advisory says the group used two different attacks to target Cisco routers. One involves the exploitation of Simple Network Management protocol (SNMP) – a tool that allows network administrators to monitor and configure network devices remotely. The tools can be abused to steal sensitive network information and subsequently penetrate a network, CISA said.

“A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks,” CISA explained. “Weak SNMP community strings, including the default ‘public,’ allowed APT28 to gain access to router information.”

The hackers also exploited CVE-2017-6742, an SNMP vulnerability patched by Cisco in June 2017.

Cisco's advisory at the time provided several workarounds that included limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

CISA said APT28 used malware to exploit SNMP to obtain device information and exfiltrate data. The NCSC called this malware campaign “Jaguar Tooth” and Cisco’s Matt Olney said it was an “example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.”

“While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software,” Olney said. “Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally.”

Olney explained in a blog post that in addition to Russia, China has also been spotted attacking network equipment in several campaigns.

A Cisco spokesperson said the company continues to observe a rising volume of attacks against particularly out-of-date networking appliances and software across all vendors.

“Today's alert demonstrates that sophisticated adversaries are systematically taking advantage of known vulnerabilities, in this case an SNMP vulnerability in Cisco IOS and Cisco IOS XE Software that was disclosed by Cisco on June 29, 2017, with fixed software made available to all customers that same day,” the spokesperson said.

APT28 has long been one of the most prolific military hacking groups operating out of Russia, launching dozens of disinformation and government hacking campaigns in recent years. The group has often relied on spear-phishing emails to go after targets of interest – with several companies spotlighting their work.

ATP28 has been involved in a number of cyberattacks in which they have stolen highly sensitive information about topics including the conflict in Syria, NATO-Ukraine relations, the European Union refugee and migrant crisis, the 2016 Olympics and Paralympics Russian athlete doping scandal, public accusations regarding Russian state-sponsored hacking, and the 2016 U.S. presidential election, according to a report by Mandiant.

ATP28 was also linked to the cyberattack on U.S. satellite communications provider Viasat.