Critical Infrastructure Security, Firewalls, Routers, Government security

Russia’s FSB attacks critical infrastructure, says 12 Western nations

Russian hack attack concept, on the computer keyboard. 3D rendering

At least four major United States security agencies have signed on with 12 other nations to point out that the Russian Federal Security Service (FSB) Center 16 has been attacking critical network infrastructure in those countries for more than a decade.

The Russian cyber actors use scanning to identify poorly configured network devices for exploitation, primarily Cisco routers, Cisco’s Smart Install (SMI) functionality, and web portals that manage network devices.

According to the joint advisory, the U.S. agencies making the claims were the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the Defense Department’s Cyber Crime Center (DC3), and the FBI.

The other nations signing on include: Australia, Canada, Czechoslovakia, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, and the United Kingdom.

Vertical sectors targeted by the attackers include communications, defense industrial base, energy, financial services, government services and facilities, especially organizations at the state and local level, and healthcare and public health.

Sam Decker, threat intelligence engineer at Blackpoint Cyber, said most of these attacks are surprisingly simple, and this specific tactics, techniques, and procedures (TTPs) have been repeatable ones for Russian threat actors.

Decker said the TTPs consist of scanning for routers still using the factory password on a settings feature most people forget exists, then copying the device's configuration and sending it to their own server, which can hand over saved passwords and network details. 

“More broadly, from what we see across compromised routers in general, DNS hijacking to quietly redirect traffic is common, alongside routers getting folded into DDoS botnets or used as proxy exits,” said Decker. “IT teams should stop treating routers as invisible, change default passwords, turn off remote management you don't need, and watch for any unusual outgoing traffic, which alone catches a lot of this.”

John Strand, owner of Black Hills Information Security, said the story isn’t about the vulnerability itself: attacking Cisco Smart Install or abusing SNMP isn’t new, security teams have known about these techniques for more than a decade.

Strand said the real story is that nation-state attackers continue to succeed by exploiting problems organizations should have fixed years ago. Every time we see a large nation-state campaign, Strand said there’s a temptation to focus on the newest exploit or the most sophisticated technique. In reality, Strand said these campaigns are often built around vulnerabilities and insecure configurations that have been public knowledge for years.

“Attackers aren’t succeeding because defenders lack intelligence,” said Strand. “They’re succeeding because too many organizations still struggle with the fundamentals of computer security. My biggest concern isn’t the technical details of this attack. It’s that the organizations most at risk probably aren’t reading the advisories, following security news, or tracking CISA alerts. We spend a lot of time talking to security professionals who are already engaged, but the organizations that need the message most often aren’t part of that conversation. Until we find better ways to reach those organizations, attackers will continue to find easy wins using vulnerabilities we’ve known about for years.”

Denis Calderone, chief technology officer at Suzu Labs, added that he’s personally been pulling router configs with Cisco Smart Install during penetration tests for years. Calderone explained that one unauthenticated request to TCP 4786 and the switch hands over its startup config, credentials, SNMP community strings, TACACS+ keys — all of it.

“So, when the FBI warns that Russia's FSB is doing the exact same thing against U.S. critical infrastructure, the only thing that surprises me is that anyone still has this feature running,” said Calderone. “CVE-2018-0171 was patched in 2018 and Cisco has been telling people to disable Smart Install since 2017. It's even been in the CISA KEV catalog since 2021. There just isn't any excuse for this.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds