The UK and US have issued a joint warning on sustained malicious cyber activity by Russian Government cyber groups. The US has called the campaign Grizzly Steppe. Both countries say that the cyber attacks have been ongoing for several years.
The two countries held a joint press conference to talk about this alert. Rob Joyce, White House Cybersecurity Coordinator, said there was “high confidence” that these attacks were Russia led. His view was echoed by the US Department of Homeland Security (DHS), the FBI and the UK National Cyber Security Centre (NCSC).
The NCSC statement says that the attacks are targeted at: “primarily government and private-sector organisations, critical infrastructure providers, and the internet service providers (ISPs) supporting these sectors.
“Specifically, these cyber exploits are directed at network infrastructure devices worldwide such as routers, switches, firewalls, and the Network Intrusion Detection System (NIDS).”
These attacks are not just focused on large organisations. The attacks also seek to compromise the network equipment of small office/home office (SOHO) customers. One of the reasons is that these devices are believed to be less secure and less likely to be regularly monitored.
What is the scope of Grizzly Steppe?
When asked about the size of the attacks, Ciaran Martin, CEO of the National Cyber Security Centre, said: “Millions of machines globally are being targeted.” He went on to say that the goal appears to be an attempt to seize control over connectivity. By doing so it will: “Allow them to spy on primary organisations and those they connect to.”
This was a view echoed by Joyce. He said: “When you control the router and have access to the Internet backbone we worry about what they are used for. [It could be] DDoS, espionage or other offensive cyber attacks.”
When asked for more detail on what the attackers were after, Martin said: “It could be espionage, theft of IP or to reposition for use in times of tension.” This ties to the CNI Supply Chain alert that the NCSC issued last week and would explain the attacks against SOHO routers.
There has been a move for people to work from home. If their network routers have been compromised then the attackers can steal security credentials and attack corporate systems. Another reason for compromising those devices is to use them in botnets to launch Denial of Service attacks.
What should companies be doing?
Both DHS and the NCSC have plenty of information on their websites on how to protect networks and devices. This should be the first place that network teams look. There is also plenty of good advice available from security vendors.
One of the interesting things about this press conference is who it was aimed at. In addition to telling organisations to review the security of the devices that they use, there was a message for network equipment manufacturers.
Organisations and end-users have been told to do more to secure their devices. Joyce said they should: “Change passwords and pay attention to the device.” Paying attention to devices means monitoring and patching them. Network devices are often installed and then forgotten about. This makes devices easy targets.
Jeanette Manfra, National Protection and Programs Directorate (NPPD) Assistant Secretary for Cybersecurity and Communications said: “While DHS cannot protect every network at all times, we can ensure that we are all collectively empowered to secure our networks through government and industry working together.”
The starting point for network administrators is the latest technical advisory (TA) from the DHS. It contains details of the attacks and what they are targeting. It also contains a set of mitigations that organisations, and even individuals, can apply.
Time for manufacturers and ISPs to act
Manufacturers of network-connected equipment have come under criticism recently. Joyce had a message for manufacturers, saying there is a need to: “Build devices from the ground up making them secure by design.” He continued by saying that devices: “Require a secure password from manufacturer.”
This is not a new message. The use of default passwords has been a concern for a while. There is also concern about the lack of security patches from manufacturers. The TA contains a list of things that manufacturers need to improve.
Internet Service Providers (ISPs) are also in the firing line. While some have invested in processes to ship devices with secure passwords and push updates to them, many have not. The TA says that they need to tighten their contracts with suppliers to force manufacturers to change behaviour. This is a far better approach than legislating, as laws cannot keep up with the speed of technology changes.
However, getting ISPs to pressure manufacturers only works when the ISP provides the equipment. A lot of smaller ISPs leave it to the customer to buy and install their own router. For large organisations this should not be an issue. They should have processes to change passwords. However, many SOHO buyers will just install the router out of the box and then forget about it. Changing the default behaviour of the manufacturer must be matched with a change of behaviour from the end user.
What does this mean?
State-sponsored cyber attacks are a fact of life. The intelligence agencies have focused here on Grizzly Steppe and Russia. However, it is highly likely that the US, UK and other countries are conducting their own cyber attacks on Russia.
When questions around retaliation were asked in the press conference, they were, to some degree, brushed off. Joyce did say: “We need to use asymmetric tools to respond to cyber intrusions. We will use all elements of national power. Issue defensive reports, indictments, sanctions, all elements of US power available.” While this stops short of openly saying retaliation is happening, it certainly implies it.
For companies including the SOHO market, more attention needs to be paid to changing passwords. Some organisations will respond to this warning and update the firmware inside their network equipment. Others will look at their password programme and make sure that routers and switches are included.
Sadly, many will do nothing. Changing the Wi-Fi password in a large organisation is no simple task. It is not just the password change itself but ensuring that users receive the new password securely. Given the level of system compromise described, emailing the password to users is self-defeating. SOHO users are the least likely to change their systems, often due to a lack of technical knowledge.
All of this means that warnings are great but much more needs to be done to make securing the network a simple task.