The U.S. is prepared to take aggressive action against Russia for a recent, extended campaign of cyberattacks on infrastructure assets around the world by compromising devices such as routers and firewalls, the White House cybersecurity coordinator, who has since left his position, said Monday.
“When we see malicious cyberactivity, whether it be from the Kremlin or other nation-state actors, we are going to push back,” Rob Joyce told reporters after the U.S. and the U.K. laid the blame for the attacks squarely on Russia’s shoulders.
Devices like routers are particularly enticing to hackers. “These devices actually make ideal targets,” said Jeanette Manfra, the top Homeland Security cybersecurity official. “When a malicious actor has access to this, they can monitor, modify, or deny traffic to an organization or from an organization externally.”
Joyce abruptly left his position just hours after speaking with reporters. His departure followed the resignation of White House Homeland Security Adviser Tom Bossert as well as others to who have resigned or been pushed out as John Bolton settles into the role of national security adviser.
David Ginsburg, vice president of Marketing at Cavirin, said the routers that were compromised “are only part of the attack and eventual impact.”
Envisioning what a future attack could look like, he pointed to “Mirai and Reaper, where the ultimate goal was a DDoS attack against other assets, most notably the Dyn attack that took down many internet properties in the U.S. and Europe,” noting that attacks “against servers or the internet infrastructure itself is the most probable scenario, with the routers managed as a botnet against corporate or government assets.”
Marina Kidron, who heads up cyber vulnerabilities research for Skybox Security, said there has “been a 120 percent increase in the vulnerabilities affecting what is known as operational technology in the last 12 months.”
Troubling to cybersecurity pros is that hackers are not relying on cutting edge techniques or “using a stockpile of zero-day vulnerabilities that no one has previously discovered” to do their dirty work, said Nathan Wenzler, chief security strategist at AsTech. Instead, they are plying security holes such as unpatched, misconfigured or neglected devices. “There’s no great skill or trick in this, but they are simply taking advantage of the poor effort we all make to ensure that devices we attach to the internet are configured well and secured.”
Users are unlikely “to know for certain if their router has been compromised or not,” he said. “Since there’s no real exploit being taken advantage of here, it’s likely that everything will look normal from the outside.”
Noting that “the rise in frequency and scope of cyberattacks on governments and critical infrastructure points to a modern form of stealth warfare that can disrupt the availability of basic goods and services across the world,” Eddie Habibi, founder and CEO of PAS Global, said “countries must come together to recognize the seriousness of bad actors’ cyber capabilities” to combat what he sees as a global phenomenon.
“During this time of severe political tension, it’s imperative that countries such as the U.S. and U.K. present a united front to establish global treaties on rules of cybersecurity engagement, as well as create alliances to foster information sharing,” he said. “This, combined with greater collaboration between governments and their local infrastructure companies, is the best way to ensure proactive movement towards greater critical infrastructure security.”
“These are computer-connected control systems for running critical processes in power generation and supply as well as similar functions in other utilities like water,” said Kidron, noting that unless the vulnerabilities are addressed, they “can be exploited by adversaries, as we discovered with the NotPetya and other incidents last year.”
Since attackers will continue to up the level of sophistication in their attacks against infrastructure, “defenders must be equally resourceful,” said Nozomi Networks founder and Chief Product Officer Andrea Carcano. “Organizations need to ensure critical infrastructure resilience so that risks from wherever and in whatever format can be identified and remediated.”
Matt Walmsley, head of EMEA marketing at Vectra, said “enterprises should take another look at how they’re securing their network infrastructure.”
He advised organizations not to “leave the door wide open,” noting that they should be current with network infrastructure software updates and patches. “Then make sure you’re not exposing your equipment’s management interfaces and ensure you have changed the default admin credentials,” said Walmsley. “For perimeter devices with internet connectivity this is doubly important.”
While that may seem like the stuff of “cybersecurity 101,” Walmsley pointed out that “only last month, default settings in some Cisco switches allowed over 168,000 devices exposed to the internet to be identified as vulnerable to illicit remote command execution via an admin protocol.”
Walmsley also contended that “firmware may not be that firm,” leaving it open to compromise by advanced attackers. But “with recent advances in AI-based behavior threat detection, we can now spot in real-time the very subtle signals attackers use to perform command and control orchestration to devices that have compromised firmware by looking for the attacker’s “knocking” signals hidden within legitimate communications,” he said. “With that actionable insight, platforms can be completely reset and their firmware, OS images, and configs reloaded from known good sources.”