US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups

US and allies warn of Russian APT groups targeting routers and network devices to compromise critical infrastructure worldwide.

The US and allied governments warn that Russian state-sponsored APT groups are scanning and exploiting poorly secured network devices, especially routers, to access critical infrastructure. Groups linked to FSB Center 16, including Berserk Bear, Energetic Bear, Ghost Blizzard, Crouching Yeti, Dragonfly, and Static Tundra, have targeted organizations in communications, defense, energy, finance, government, and healthcare sectors.

“Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks.” reads the joint advisory.”

Russian FSB Center 16 actors mainly target poorly configured network devices, especially routers, by scanning the internet for exposed SNMP services with weak or default credentials.

They use spoofed requests to steal device configurations and move them to attacker-controlled servers through TFTP or FTP. The group also exploits known Cisco vulnerabilities and management interfaces. These techniques are not unique to Russia and overlap with other nation-state actors, so the recommended protections help defend against multiple threats.

“The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation. The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication” continues the joint advisory.

“While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices.”

Russia-linked threat actors have also exploited known vulnerabilities, including CVE-2018-0171 and CVE-2008-4128, to compromise network devices. Their techniques overlap with other threat groups, such as Salt Typhoon.

Network defenders should strengthen router security by disabling Cisco Smart Install, replacing SNMPv1/v2 with SNMPv3 using strong encryption, and enforcing unique passwords with secure storage.

Organizations should monitor SNMP activity, restrict management access through ACLs, block unnecessary ports such as TFTP, SMI and SNMP from external networks, and detect suspicious configuration changes. They should also keep firmware updated, replace unsupported devices, and use attack surface management tools to identify exposed systems and weak configurations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter