Proactive cyber security: what the UK-US alert on mass targeting of network devices can teach us

Last week, the US and the UK warned that Russian cyber threat actors were conducting a multi-year campaign to compromise network devices as a means of infiltrating organisations in the two states and their allies. The campaign reportedly targets a wide range of organisations, including government bodies, critical national infrastructure companies, telecommunication providers, and even personal users. The wide range of targets suggests that most companies in the countries targeted, including the UK, are at risk.

The potential impact for businesses using legacy versions of SNMP and other unencrypted management protocols – exploited in this campaign – is significant. Access to routers and switches would enable threat actors to gain a foothold on corporate networks, and a privileged observation point to monitor network traffic.

More than customer data and corporate information at risk

This access could be leveraged to steal sensitive information, including personal data, and to build an understanding of business operations. Threat actors could also deploy malicious software, such as self-propagating disruptive malware. Last June, the NotPetya ransomware-like worm, attributed to Russia, showed that even large companies can be brought to a halt by a similar piece of malicious code. The potential impact of the campaign, coupled with heightened tensions between Russia and Western states, makes it paramount that companies take steps to mitigate this threat.

This campaign is notable for its breadth, rather than its sophistication. The threat actors do not employ malware but rely on weaknesses in common protocols and service ports associated with network administration activities. The attackers exploit weaknesses in legacy unencrypted network management protocols to steal credentials, personal data and corporate information.

Companies’ use of network devices that are managed over unencrypted protocols, and that are visible from the open internet, has made the attackers’ job easier. As has become clear from the number of devices compromised, the use of unencrypted management protocols is also common. This is mainly due to time and cost constraints, competing priorities within companies, and a gap between those with technical IT responsibilities and those making decisions on IT expenditure.

Proactive mitigation measures for better resilience

As resources are limited in any organisation, there is a need for a risk-focused approach to managing IT infrastructure. This means translating what threat intelligence tells us about real-life attacks into a vulnerability discovery and remediation process. In this case, for instance, knowledge of how Russian actors abused specific ports and protocols should lead CISOs to consider drafting formal remediation plans to upgrade legacy systems that support unencrypted network protocols (these should be replaced with encrypted alternatives like SSH, HTTPS, TLS and SNMP version 3).

Rather than relying solely on reactive mitigation measures, organisations should take a proactive approach to securing their networks. Internal SNMP traffic can be reviewed and analysed for signs of abuse, but only if it is recorded, which is why maintaining a thorough logging and monitoring process is paramount. Management ports must be closed off and only opened for specific time periods where there is a requirement to connect to the device for maintenance by trusted third parties. Such specific mitigating steps can go a long way in protecting an organisation’s data.
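The two preceding paragraphs describe a remediation and monitoring loop: identify devices still managed over cleartext protocols (legacy SNMP v1/v2c, Telnet, HTTP) and replace them with SSH, HTTPS and SNMPv3, and review management traffic so that connections to management ports from outside the management network stand out. The script below is an added illustration of that loop written for this article; it is not tooling from the alert, a vendor, or the author. It assumes a simple, constructed flow-log format (timestamp, source, destination, destination port, protocol, and an optional `snmp=<version>:<community>` field) and a hypothetical management subnet of 10.10.0.0/24; real flow exports or firewall logs would need their own parser.

```python
"""Flag cleartext or exposed network-device management sessions in flow logs.

Added example for this article, not code from the alert or any vendor.
Assumptions (all constructed for illustration):
  * one log line per flow: "<ts> <src_ip> <dst_ip> <dst_port> <proto> [snmp=<ver>:<community>]"
  * 10.10.0.0/24 is the only subnet allowed to reach management ports
"""
import ipaddress
from collections import Counter

# Assumed management subnet; sources outside it should never touch management ports.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Cleartext management protocols named in the alert, keyed by their usual port.
LEGACY_PORTS = {23: "telnet", 80: "http", 69: "tftp", 161: "snmp"}
# Encrypted replacements recommended in the text (SNMPv3 rides on 161 and is checked separately).
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}
CLEARTEXT_SNMP_VERSIONS = {"v1", "v2c"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample flows: a mix of cleartext, default-community, exposed and acceptable sessions.
SAMPLE_FLOWS = [
    "2018-04-20T10:00:01Z 10.10.0.5 10.20.1.1 161 udp snmp=v2c:public",
    "2018-04-20T10:00:02Z 198.51.100.7 10.20.1.1 161 udp snmp=v2c:public",
    "2018-04-20T10:00:03Z 10.10.0.5 10.20.1.2 161 udp snmp=v3:",
    "2018-04-20T10:00:04Z 203.0.113.9 10.20.1.3 23 tcp",
    "2018-04-20T10:00:05Z 10.10.0.6 10.20.1.3 22 tcp",
    "2018-04-20T10:00:06Z 10.10.0.6 10.20.1.4 80 tcp",
]


def parse_flow(line):
    """Parse one constructed flow-log line into a dict of fields."""
    parts = line.split()
    rec = {"ts": parts[0], "src": parts[1], "dst": parts[2],
           "dport": int(parts[3]), "proto": parts[4],
           "snmp_version": None, "community": None}
    for extra in parts[5:]:
        if extra.startswith("snmp="):
            version, _, community = extra[len("snmp="):].partition(":")
            rec["snmp_version"] = version
            rec["community"] = community or None
    return rec


def is_management_source(ip):
    """True if the source address sits inside an allowed management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def assess(rec):
    """Return (category, message) findings for one flow; an empty list means nothing to flag."""
    findings = []
    dport = rec["dport"]
    if dport in LEGACY_PORTS:
        name = LEGACY_PORTS[dport]
        if name == "snmp":
            # SNMPv3 with authentication and privacy is the recommended replacement;
            # v1/v2c send the community string, and everything else, in cleartext.
            if rec["snmp_version"] in CLEARTEXT_SNMP_VERSIONS:
                findings.append(("cleartext-snmp",
                                 f"SNMP {rec['snmp_version']} to {rec['dst']}"))
            if rec["community"] in DEFAULT_COMMUNITIES:
                findings.append(("default-community",
                                 f"community '{rec['community']}' on {rec['dst']}"))
        else:
            findings.append(("cleartext-mgmt", f"{name} management session to {rec['dst']}"))
    if (dport in LEGACY_PORTS or dport in ENCRYPTED_PORTS) and not is_management_source(rec["src"]):
        # Even an encrypted protocol should not be reachable from outside the management network.
        findings.append(("exposed-mgmt",
                         f"port {dport} on {rec['dst']} reached from non-management host {rec['src']}"))
    return findings


def report(lines):
    """Assess every flow and summarise: all findings, counts per category, devices to upgrade."""
    findings, by_category, devices = [], Counter(), set()
    for line in lines:
        rec = parse_flow(line)
        for category, message in assess(rec):
            findings.append((rec["ts"], category, message))
            by_category[category] += 1
            if category in ("cleartext-snmp", "cleartext-mgmt"):
                devices.add(rec["dst"])
    return {"findings": findings, "by_category": by_category,
            "devices_to_remediate": sorted(devices)}


if __name__ == "__main__":
    result = report(SAMPLE_FLOWS)
    for ts, category, message in result["findings"]:
        print(f"{ts} [{category}] {message}")
    print("Devices still on cleartext management:", ", ".join(result["devices_to_remediate"]))
```

The `devices_to_remediate` list is the input to the formal remediation plan the text calls for (which devices still need SSH, HTTPS or SNMPv3 enabled and the legacy service disabled), while the `exposed-mgmt` findings are the ones a monitoring process should alert on immediately, since management ports should only ever be reached from the management network, and only during an approved maintenance window.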

Mitigating against evolving threats

However, threats and their methods of delivery are ever evolving. Threat actors are constantly upgrading their tactics and learning from others’ operations. Cybercriminals in particular are very agile in adopting nation states’ tactics. Although we have yet to see Russia’s tactics replicated, the relatively low level of skills required will likely render them attractive to criminals, who already scan for exposed RDP servers to deliver targeted ransomware. Moving to scanning devices with other types of open ports would not be that different.

The potential for wider exploitation of exposed network devices means that companies should prioritise securing them. Although the threat is significant, cost-effective solutions can go a long way to mitigating it. This joint US-UK alert covers one operation by Russian state-sponsored threat actors; different threat actors, at different times, will employ different tactics to achieve similar aims. The threat to European and US critical national infrastructure is constantly evolving, so the first step for a resilient organisation remains a nuanced understanding of shifting threats and how they could affect your organisation.