Joint technical alert comes with guidance on how to protect critical infrastructure

The US and the UK have released their first ever joint statement condemning ongoing cyber-attacks by Russia and issued advice on how to mitigate future risks from foreign interference.

Representatives from the FBI, Department of Homeland Security (DHS), and the UK’s National Cyber Security Centre (NCSC) spoke to journalists on a conference call yesterday, where they revealed the extent of malicious cyber-activity by Russian state-sponsored actors on internet and communication infrastructure worldwide.

The attacks, they said, primarily targeted government and private sector enterprises through exploits directed at network devices – routers, switches, firewalls, and network intrusion detection systems.

These intrusions, some of which the NCSC said it had been tracking for around a year, were carried out predominately for purposes of intellectual property theft, surveillance, and laying the groundwork for future espionage.

The US government is reported to have been aware of cyber-actors exploiting vulnerabilities in both business and residential routers since 2015 – part of a wider operation dubbed ‘Grizzly Steppe’.

While Russia stood out for most of the talk, Rob Joyce, White House Cybersecurity Coordinator, was quick to point to attributions and sanctions also put on the likes of North Korea, Iran, and China for their own aggression against Western allies in cyberspace.

“When we see malicious cyber activity, whether it be from the Kremlin or other nation state actors, we’re going to push back,” he said. “The actions that you’re seeing today are just one in a series of steps that really address this unacceptable activity.”

The technical alert was released to hold the Kremlin to account, while seeking to improve cyber defences at the same time, as the sheer prevalence and increased connectivity of Internet of Things (IoT) devices has provided an easy target for assailants to exploit.

Specifically, attackers are able to identify security vulnerabilities within these devices, and then leverage them to obtain credentials, gain access to and change data, and map network infrastructure for monitoring.

Billions of machines targeted

No malware was used in the attacks, with assailants preferring to take advantage of end-of-life devices that no longer receive security updates.

“These are billions of machines globally being targeted,” said Ciaran Martin, CEO of the NCSC.

“And they’re around trying to seize control over connectivity, so in the case of targeting ISPs, gaining access to their customers and trying to gain control over the devices to allow them not just to spy on a primary organization, but indeed the organizations that they connect to.”

Martin confirmed that routers within the British government had been targeted, and that more assessments needed to be carried out in order to determine the full scope of interference.

Damage, he said, had been caused to infrastructure in the UK. And while the extent of this damage was not detailed, Martin said most of the successful attacks were the result of poor security practice.

“The guides that we are publishing today will help people deal with this [exploiting of devices] and make it less effective,” he said.

“Much of that advice, whether at enterprise or individual citizen level, is around following good practices with network configuration and patching.”

Secure by design

The alert follows recently announced guidance by the UK’s Department for Digital, Culture, Media & Sport (DCMS) that looks to implement a common code of practice for IoT devices in the home.

Highlighting the need for secure passwords to begin with IoT manufacturers, Joyce said: “Each of us has a role that we can play in securing our network against the Russian government, other nation states, and criminal actors.

“If you’re an end user, it’s about taking simple steps to safeguard your data and other personal information, changing those passwords and paying attention to the configuration of the device.”

He added: “We need to place as much emphasis on security as we do the functionality, there’s no reason that security and design can’t be married together in elegant solutions.

“We want to encourage that evolution of our infrastructure.”