Russian Hackers Exploit Cisco Router Flaws: Claims US & UK

Recent warnings from US and UK authorities have highlighted cyber attacks targeting vulnerable Cisco routers as part of a widespread hacking campaign attributed to Russian state-sponsored group APT28. By compromising these critical network devices, the hackers are able to spy on victim organizations and gain a foothold for potential disruptive operations.

APT28, also known as Sofacy, STRONTIUM or Fancy Bear, is an aggressive and highly capable hacking group that experts say represents a serious threat to government agencies, corporations and critical infrastructure providers worldwide.

Although APT28 has been active since at least 2007, its tactics, techniques and procedures (TTPs) continue to evolve. Organizations must take this danger seriously and act promptly to secure network devices against the latest attack methods.

This article provides an in-depth analysis of APT28’s recent activities, expert insights on protecting routers and adjacent equipment, as well as specific guidance for security teams looking to improve defenses.

APT28: A Formidable and Destructive Adversary

APT28 is responsible for some of the most high-profile cyber attacks over the past decade, including intrusions against political targets, major sporting events, foreign governments and militaries.

The group infamously breached the Democratic National Committee servers in 2016 and leaked confidential emails that impacted the US presidential election. (The 2020 targeting of coronavirus vaccine research that is often mentioned alongside it was attributed by UK, US and Canadian authorities to APT29, a separate Russian state group, not to APT28.)

According to threat intelligence experts, these and other attacks serve a mix of espionage and sabotage goals, with stolen data and access being used to enable future disruptive cyber operations. The 2020 SolarWinds supply chain compromise, attributed to Russia's SVR (APT29) rather than to APT28, is the type of broad-scale network intrusion that a foothold on routers and switches could help facilitate.

APT28 is able to conduct sophisticated, multi-stage hacking campaigns by continually finding and exploiting new attack vectors. Cisco routers and adjacent network devices have clearly become a prime target.

Exploiting Known Vulnerabilities in Routers

The joint advisory, released in April 2023 by the UK's NCSC together with the US NSA, CISA and FBI, reveals that during 2021 APT28 exploited a known remote code execution (RCE) flaw in the SNMP implementation of Cisco IOS Software for routers and switches.

Tracked as CVE-2017-6742, the vulnerability is a buffer overflow in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE. An attacker who knows a valid SNMPv1/v2c community string (or SNMPv3 credentials) can send crafted SNMP packets to a vulnerable device and execute arbitrary code on it. APT28 obtained that access by scanning for routers that still used weak or default community strings such as "public". Cisco released fixed software in June 2017, but many devices remain unpatched and reachable over SNMP from untrusted networks, allowing APT28 to gain a foothold with little effort.

Once code execution is achieved, the hackers deploy custom malware dubbed Jaguar Tooth. It is non-persistent (it lives in the router's memory and does not survive a reboot), collects device information by running a series of show commands (running configuration, interfaces, ARP and routing tables), exfiltrates that data over TFTP, and patches the device's authentication path so the actor can log in over Telnet without a valid password. According to the advisory, the 2021 victims included approximately 250 Ukrainian organizations, a small number of organizations elsewhere in Europe, and US government institutions.

In the past, the group has also been reported to target Cisco ASA firewall bugs such as CVE-2018-0101, along with vulnerabilities in VPN, Webex and unified computing products. Note that the July 2020 UK/US/Canadian advisory on exploitation of the Citrix NetScaler and Gateway flaw CVE-2019-19781 (alongside Pulse Secure, Fortinet and Zimbra bugs) attributed that activity to APT29, a different Russian state group, rather than to APT28.

This demonstrates the group‘s ongoing interest in finding and weaponizing network-level weaknesses, especially in widely deployed Cisco gear.

Targets and Impacts

The router hacking campaign primarily targeted government and public-sector entities. The joint advisory states that the 2021 activity affected approximately 250 Ukrainian victims, a small number of organizations elsewhere in Europe, and US government institutions.

APT28 has also been blamed by the Czech security service for an earlier breach of the Czech Ministry of Foreign Affairs' email system, disclosed in 2017, although that intrusion was not attributed to this router flaw. UK officials said they have detected the group searching for additional potential victims, including ISPs, to further enable espionage.

While the exact impacts have not been revealed, unauthorized access to routers allows APT28 to monitor unencrypted traffic, steal credentials, and move laterally towards more sensitive systems. If left unchecked, it gives them an expansive infrastructure to enable data theft or potentially disruptive attacks.

Why Routers Are an Attractive Target

Routers and adjacent networking devices are a prime target for sophisticated hackers because they are such critical pieces of infrastructure, often embedded deeply into victim networks.

Compromise of routers provides tremendous visibility into network traffic and patterns, including access to sensitive or proprietary communications. Depending on where they sit on the network, routers can also serve as a gateway to reach other high-value systems and data repositories.

Once inside the network layer, advanced adversaries can also use routers as a launch point for expansive lateral movement and privilege escalation. The 2021 Microsoft Exchange Server attacks and the 2020 SolarWinds backdoor, although attributed to other state actors, showed how abuse of one widely deployed product can be leveraged to infiltrate target environments far more broadly.

Jaguar Tooth itself is reconnaissance-oriented: it harvests device information and opens an unauthenticated backdoor rather than attacking hosts directly. This indicates APT28 uses routers as an initial step before progressing towards greater network access and data exfiltration.

Difficulty Patching and Securing Network Infrastructure

A key challenge that has opened the door for router hacking is the difficulty organizations have in promptly patching and upgrading network devices. Routers and switches that work reliably often remain untouched for years without cyber defenses being enhanced.

Surveys of enterprise networks routinely turn up Cisco devices running software releases that are many years old, because keeping them reliably patched falls to the bottom of the priority list for many IT teams.

Legacy devices designed years ago lack modern security capabilities built-in, like encryption, compartmentalization, and anomaly detection. They were simply not created anticipating today‘s sophisticated, nation-state cyber threats.

While patches for CVE-2017-6742 and other Cisco router bugs have been available for years, implementation challenges, lack of resources, and poor vulnerability management mean many devices remain needlessly exposed. This expanded attack surface is a boon for well-resourced hacking groups like APT28.

Expert Recommendations for Securing Network Infrastructure

Cybersecurity leaders acknowledge that with exploits of routers and adjacent equipment on the rise, organizations can no longer treat network infrastructure as an afterthought. Devices like routers must be secured with the same rigor as servers and computers.

"Any device with an IP address should now be considered sensitive and secured as such," said Cisco Director of Threat Intelligence Matt Olney. "The days where a network device can be exposed to the world without protections are gone."

Here are key recommendations from experts to lock down routers, switches and other network devices against sophisticated adversaries:

Upgrade and Patch Devices Aggressively – Ensure firmware on routers, switches, VPN concentrators and adjacent gear is upgraded to the latest patched versions. Avoid running software that is end-of-life or no longer supported. Sign up for security update notifications from vendors.

Harden Configurations – Disable unused interfaces and services, implement least-privilege controls, and enforce strong passwords. For management interfaces, limit access to authorized administrative IP ranges only. Treat SNMP as a management interface too: remove default or guessable community strings, prefer SNMPv3 with authentication and privacy over v1/v2c, bind every community or group to an access-list, and block SNMP at the network edge. Utilize AAA for authentication, authorization and accounting of access.

Monitor Traffic and Behavior – Collect and analyze network flows to detect abnormal activity, suspicious connections and potential data exfiltration. Use machine learning techniques to establish baselines and flag anomalies automatically.

Segment and Compartmentalize – Implement network segmentation via internal firewalls to limit lateral movement after any breach. Deploy microsegmentation where feasible to minimize risks from compromise. Enforce multi-factor authentication (MFA) for administrator access.

Conduct Proactive Assessments – Regularly scan network infrastructure for missing patches, bad configurations and exploitable weaknesses. Perform penetration tests mimicking the tactics of advanced hackers.
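As an added example that is not part of the original advisory or of any Cisco tooling, the following Python script audits a Cisco IOS running-config for the SNMP exposure that the April 2023 advisory says APT28 abused (SNMPv1/v2c community strings, defaults such as "public", read-write communities, communities not bound to an access-list) and for the absence of SNMPv3. It covers both the exploitation passage earlier and the "Harden Configurations" item above. The hostnames, ACL names, SNMP groups and community strings in the two sample configs are constructed for illustration.

```python
import re

# Community strings commonly left at vendor or textbook defaults.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "secret", "admin"}

COMMUNITY_RE = re.compile(r"^snmp-server community (?P<name>\S+)(?P<rest>.*)$")
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (?P<level>noauth|auth|priv)\b")


def parse_community(line):
    """Parse one 'snmp-server community ...' line into (name, mode, acl).

    IOS syntax: snmp-server community <string> [view <name>] [RO|RW]
                [ipv6 <nacl>] [<acl-number-or-name>]
    """
    m = COMMUNITY_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    tokens = m.group("rest").split()
    mode, acl = "RO", None          # IOS defaults to read-only, no ACL
    skip_next = False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok in ("view", "ipv6"):
            skip_next = True        # the next token is this keyword's argument
        elif tok in ("RO", "RW"):
            mode = tok
        else:
            acl = tok               # whatever remains is the access-list
    return name, mode, acl


def audit_snmp(config_text):
    """Return (severity, message) findings for one IOS running-config."""
    findings = []
    communities = []
    v3_levels = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parsed = parse_community(line)
        if parsed:
            communities.append(parsed)
            continue
        m = V3_GROUP_RE.match(line)
        if m:
            v3_levels.add(m.group("level"))

    if not communities and not v3_levels:
        return [("info", "SNMP is not configured on this device")]

    for name, mode, acl in communities:
        findings.append(("medium", f"community '{name}': SNMPv1/v2c enabled (no auth/encryption)"))
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"community '{name}' is a well-known default string"))
        if mode == "RW":
            findings.append(("high", f"community '{name}' grants read-write access"))
        if acl is None:
            findings.append(("high", f"community '{name}' accepts queries from any source (no ACL)"))
    if v3_levels and v3_levels != {"priv"}:
        findings.append(("medium", "SNMPv3 group without 'priv' (no encryption)"))
    if communities and not v3_levels:
        findings.append(("low", "no SNMPv3 group; consider migrating off v1/v2c"))
    return findings


def highest_severity(findings):
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((f[0] for f in findings), key=order.get, default="info")


# Constructed sample configs (hostnames, ACLs and strings invented for this example).
WEAK_CONFIG = """
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server location DC1
"""

HARDENED_CONFIG = """
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
snmp-server group NETMON v3 priv read V3READ access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp(cfg)
        print(f"== {label}: worst finding = {highest_severity(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run it against `show running-config` output saved to a file; a device that returns any "high" finding is reachable by exactly the kind of community-string guessing the advisory describes and should be fixed before patching is even considered, since the ACL and the move to SNMPv3 shrink the attack surface regardless of software version.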

According to managed service provider Optiv, implementing 24/7 monitoring of network behavior combined with prompt patching of flaws are two of the most impactful steps organizations can take to defend against router-focused attacks.
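The "Monitor Traffic and Behavior" item above (and the "Behavior Monitoring and Analysis" step in the proactive-posture list later in this article) can be made concrete with flow records. The script below is an added example, not taken from the advisory, Cisco or any monitoring product: it applies simple rules to NetFlow-style records (management-plane services reached from outside the management subnet, cleartext management protocols, router-initiated flows to external hosts) and then diffs a batch of flows against a baseline of known-good 4-tuples, which catches the first-ever file transfer from a router even when no rule objects. All addresses, subnets and flow records are constructed.

```python
import ipaddress
from collections import namedtuple

# One flow record, as a NetFlow/IPFIX collector would export it.
Flow = namedtuple("Flow", "src dst proto dport bytes")

# Assumed network layout (hypothetical addresses for this example).
ROUTERS = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")          # NMS and jump hosts
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Management-plane services that should only ever be reached from MGMT_NET.
MGMT_SERVICES = {("udp", 161): "snmp", ("tcp", 22): "ssh",
                 ("tcp", 23): "telnet", ("udp", 69): "tftp"}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return a list of alert strings for one flow (empty if it passes the rules)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    alerts = []
    if dst in ROUTERS:
        svc = MGMT_SERVICES.get((flow.proto, flow.dport))
        if svc and src not in MGMT_NET:
            alerts.append(f"{svc} to router {dst} from non-management host {src}")
        if svc == "telnet":
            alerts.append(f"cleartext telnet management session to {dst}")
    if src in ROUTERS:
        if not is_internal(dst):
            alerts.append(f"router {src} initiated flow to external host {dst} "
                          f"({flow.proto}/{flow.dport}, {flow.bytes} bytes)")
        elif (flow.proto, flow.dport) == ("udp", 69) and dst not in MGMT_NET:
            alerts.append(f"router {src} sending TFTP to non-management host {dst}")
    return alerts


def detect(flows):
    """Run the rules over a batch of flows; returns (index, alert) pairs."""
    return [(i, a) for i, f in enumerate(flows) for a in classify(f)]


def build_baseline(flows):
    """Set of (src, dst, proto, dport) 4-tuples seen during a known-good period."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def new_since_baseline(baseline, flows):
    """Flows touching a router whose 4-tuple never appeared in the baseline."""
    return [f for f in flows
            if (ipaddress.ip_address(f.src) in ROUTERS
                or ipaddress.ip_address(f.dst) in ROUTERS)
            and (f.src, f.dst, f.proto, f.dport) not in baseline]


# Constructed sample data (not real traffic).
BASELINE_FLOWS = [
    Flow("10.0.100.5", "10.0.0.1", "udp", 161, 420),    # NMS polling router 1
    Flow("10.0.100.5", "10.0.0.2", "udp", 161, 418),    # NMS polling router 2
    Flow("10.0.100.9", "10.0.0.1", "tcp", 22, 9100),    # admin SSH from jump host
]
TODAY_FLOWS = [
    Flow("10.0.100.5", "10.0.0.1", "udp", 161, 422),    # normal polling
    Flow("203.0.113.7", "10.0.0.1", "udp", 161, 1300),  # SNMP from the Internet
    Flow("10.0.0.1", "198.51.100.9", "udp", 69, 51200), # router pushing a file out
    Flow("10.0.20.14", "10.0.0.2", "tcp", 23, 2100),    # telnet from a user VLAN
    Flow("10.0.0.2", "10.0.100.50", "udp", 69, 8000),   # router -> mgmt TFTP server
]

if __name__ == "__main__":
    for idx, alert in detect(TODAY_FLOWS):
        print(f"flow {idx}: {alert}")
    baseline = build_baseline(BASELINE_FLOWS)
    for f in new_since_baseline(baseline, TODAY_FLOWS):
        print("new 4-tuple vs baseline:", f)
```

The last sample flow is accepted by every rule (a router writing to the management TFTP server is legitimate administration) but still surfaces in the baseline diff because it never happened during the known-good period; that is the distinction between signature-style rules and baselining that the recommendation is getting at.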

Government Guidance on Securing Critical Infrastructure

US government entities like CISA have issued specific guidance for federal civilian agencies in the wake of the attacks on network infrastructure. This includes direction to urgently patch vulnerabilities, change default credentials, disable unneeded services, implement central log auditing, and enact MFA for all administrative accounts.

The NSA also released a detailed advisory with 40+ technical recommendations to detect and remediate compromises by Russian state hackers. This covers best practices for analyzing network traffic, inspecting system files and memory for malware, and leveraging credentials and encryption to frustrate adversaries.

While the Federal government can mandate actions for its agencies, securing the nation’s critical infrastructure including IT, energy, transportation, and manufacturing requires public-private partnerships. CISA has been engaging with private companies to share intelligence about imminent threats as part of the Joint Cyber Defense Collaborative (JCDC).

Cisco and other vendors are also responding with more automation, artificial intelligence and machine learning capabilities built into devices to passively monitor network activity for anomalies. Features like encrypted traffic analysis help spot malicious behaviors without directly decrypting and inspecting actual content.

As threats continue evolving, an integrated defense necessitates both technology advances and closer collaboration between governments, vendors, service providers and end-users.

Implementing a Proactive Security Posture

With well-resourced and motivated adversaries like APT28 constantly probing networks for weaknesses, organizations must adopt a proactive security posture centered on continuous assessment, monitoring and rapid response.

Key elements of this approach include:

  • Network Infrastructure Audit – Discover all routers, switches, controllers and adjacent devices on the network. Catalog firmware versions, configurations and vulnerabilities.

  • Risky Device Identification – Based on audit, pinpoint equipment running outdated, end-of-life or vulnerable software. Prioritize these for immediate patching or replacement.

  • Improved Vulnerability Management – Standardize processes to rapidly deploy any required security updates for network devices. Sign up for notifications and alerts from vendors.

  • Behavior Monitoring and Analysis – Collect network traffic and flow logs from infrastructure devices. Analyze for anomalies using AI/ML and establish activity baselines.

  • Simulation Exercises – Conduct tabletop exercises that simulate sophisticated router hacking scenarios. Test and improve response capabilities.

  • Incident Response Planning – Develop detailed plans and playbooks codifying steps to quickly detect, analyze, contain and remediate any potential network infrastructure breaches.
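The audit, risky-device identification and vulnerability-management steps above come down to knowing which software each device runs and comparing it with the vendor's fixed releases. As an added example (not the page's or Cisco's own tooling), the Python below parses the version line of classic IOS `show version` output, compares it against a fixed-release table, and ranks devices worst-first. The fixed-release and end-of-life tables and the inventory are hypothetical placeholders for this example; real values must come from the vendor advisory for the CVE being chased. IOS XE dotted versions are deliberately reported as "unknown" rather than guessed.

```python
import re

# Classic IOS version notation: <major>.<minor>(<release>)<train><rebuild>,
# e.g. 15.2(4)M6.  IOS XE uses dotted notation (16.9.4) and is not parsed here.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")

# Hypothetical minimum fixed releases per train, keyed by (major, minor, train).
# Placeholders for this example, NOT Cisco's fixed-release table.
ASSUMED_FIXED = {
    (15, 2, "M"): (15, 2, 4, "M", 11),
    (15, 4, "T"): (15, 4, 3, "T", 4),
}
# Trains assumed end-of-life for this example (again hypothetical).
ASSUMED_EOL_TRAINS = {(12, 4, "T")}

RANK = {"critical": 0, "high": 1, "review": 2, "unknown": 3, "ok": 4}


def parse_ios_version(show_version_text):
    """Return (major, minor, release, train, rebuild) or None if not classic IOS."""
    m = VERSION_RE.search(show_version_text)
    if not m:
        return None
    major, minor, release, train, rebuild = m.groups()
    return (int(major), int(minor), int(release), train, int(rebuild or 0))


def fmt(v):
    return f"{v[0]}.{v[1]}({v[2]}){v[3]}{v[4] or ''}"


def comparable(v):
    """Ordering within one train: release number first, then rebuild number."""
    return (v[0], v[1], v[2], v[4])


def assess(hostname, show_version_text):
    """Classify one device as critical / high / review / unknown / ok."""
    v = parse_ios_version(show_version_text)
    if v is None:
        return (hostname, "unknown", "version string not in classic IOS notation")
    train = (v[0], v[1], v[3])
    if train in ASSUMED_EOL_TRAINS:
        return (hostname, "critical", f"{fmt(v)} is on an end-of-life train; replace")
    fixed = ASSUMED_FIXED.get(train)
    if fixed is None:
        return (hostname, "review", f"{fmt(v)}: train not in fixed-version table")
    if comparable(v) < comparable(fixed):
        return (hostname, "high", f"{fmt(v)} is below fixed release {fmt(fixed)}")
    return (hostname, "ok", f"{fmt(v)} is at or above {fmt(fixed)}")


def prioritize(inventory):
    """inventory: {hostname: first line of 'show version'} -> list, worst first."""
    results = [assess(host, text) for host, text in inventory.items()]
    return sorted(results, key=lambda r: (RANK[r[1]], r[0]))


# Constructed inventory (hostnames and version lines invented for this example).
INVENTORY = {
    "edge-rtr-1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.2(4)M6, RELEASE SOFTWARE (fc1)",
    "edge-rtr-2": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
                  "Version 15.2(4)M11, RELEASE SOFTWARE (fc2)",
    "branch-rtr-3": "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), "
                    "Version 12.4(24)T8, RELEASE SOFTWARE (fc3)",
    "core-sw-4": "Cisco IOS XE Software, Version 16.09.04",
    "lab-rtr-5": "Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), "
                 "Version 15.4(3)T2, RELEASE SOFTWARE (fc1)",
    "wan-rtr-6": "Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), "
                 "Version 15.1(4)M12, RELEASE SOFTWARE (fc1)",
}

if __name__ == "__main__":
    for host, status, reason in prioritize(INVENTORY):
        print(f"{status:8} {host:14} {reason}")
```

Feed it the first line of `show version` collected from every device (most NMS platforms already store this), and the output is the patch-or-replace worklist the bullets above call for, with anything the parser cannot classify pushed to a human rather than silently marked safe.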

With cyber adversaries like APT28 determined to exploit every vulnerability and misconfiguration, organizations must take seriously the risks to foundational network infrastructure. Implementing robust defenses for routers, switches and other critical devices is essential.

Written by Jason Striegel

C/C++, Java, Python and Linux developer for 18 years; A-Tech enthusiast who loves to share useful tech hacks.