Articles & E-Books


Russian State-Sponsored Cyber Actors Are Targeting Network Infrastructure Devices

Apr 19, 2018

The FBI, Department of Homeland Security (DHS) and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint alert warning that Russian state-sponsored hackers are targeting public-facing networking equipment. While this is not a new or “zero-day” vulnerability like WannaCry, it still poses a serious threat to both businesses and individual home networks — it exploits vulnerabilities in network devices that were either insufficiently configured and installed or are no longer supported by the vendor.

Russian cyber actors are leveraging weak or legacy protocols and service ports and then using these weaknesses to:

  • Identify vulnerable devices
  • Extract device configurations
  • Map internal network architectures
  • Harvest login credentials
  • Masquerade as privileged users
  • Modify device firmware, operating systems and configurations
  • Copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure

These operations also can be used to stage future attacks by acting as compromised users, devices or companies in order to limit traffic, defraud or compromise other targets.

Why Are They Targeting Network Devices?

Once installed, many network devices are not maintained to the same security level as computers and servers. Other factors also come into play:

  • Operators of network devices often do not change vendor default settings or perform regular patching
  • Few devices use antivirus and integrity-maintenance tools
  • Manufacturers build and distribute devices with exploitable services to make them easier to install, operate and maintain
  • ISPs do not replace outdated and unsupported equipment on a customer’s property
  • Operators often overlook network devices when investigating after a cyber intrusion

What Can You Do?

Going through the protocols on all of your public-facing network devices will help determine if you have exposure. Learn what protocols to review and what to look for by clicking here.

We also recommend businesses conduct a configuration audit of network devices (e.g., firewalls, routers and switches) to determine if your infrastructure is vulnerable to this Russian state-sponsored cyberattack. You should also “harden” these devices (i.e., turn off services and ports not needed for business reasons) to limit the potential attack surface.

How Can We Help?

Using Wipfli’s Network Device Configuration Assessment, you can evaluate general network design as well as identify:

  • Potential weaknesses in protocol use and configuration
  • Weak and unused rules
  • Weak passwords and authentication
  • Best practice industry standards, such as NIST, STIG and CIS

The Network Device Configuration Assessment requires no agent or direct access to your network. It’s as simple as backing up your network configurations to files so we can run them through our audit tool and have one of our cybersecurity experts review them.

For more information, or to schedule service, contact Jeff Olejnik  or your Wipfli Relationship Executive.