The FBI has warned that the Russian government is targeting computer networks and critical infrastructure in the USA and around the world that run outdated networking devices.
Russia’s Federal Security Service (FSB) has collected configuration files for “thousands of network devices” linked to US organizations in critical infrastructure sectors, the FBI said in a statement last week. Files were modified to enable unauthorized access, which was then used to conduct reconnaissance of the victims’ networks.
The attackers are exploiting several outdated policies and unpatched vulnerabilities, including networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI), the FBI wrote.
This vulnerability was first uncovered and patched in March 2018, more than seven years ago.
As reported at the time, the flaw allows an unauthenticated attacker to trigger a denial-of-service (DoS) condition or execute code of their choice on an affected device.
It has since been reported that this vulnerability has also been targeted by other state actors, including state-backed Chinese hackers.
These recent attacks have been attributed to “FSB Center 16,” a group more commonly known in the cybersecurity industry as “Berserk Bear” (also tracked as Static Tundra, DragonFly, and other names).
The primary targets are organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe, according to threat researchers at Cisco Talos.
Cisco Talos has published a comprehensive overview of the methodologies used by the group, which you can read here.
Who are Berserk Bear?
Berserk Bear is an APT group made up of hackers who are either directly employed by the FSB or civilian hackers contracted to augment its capabilities.
According to a report delivered to the US Congress, Berserk Bear are:
“Capable of manufacturing their own advanced malware tools and have been documented manipulating exposed malware to mimic other hacking teams and conceal their activities. Reporting indicates the FSB oversees training and research institutes, which directly support the FSB’s cyber mission.”
The group most commonly targets utilities infrastructure, like water or energy. It has targeted multiple state and local government networks in the US and around the world.
In 2020, it was reported that the group had been linked to attacks on multiple VMware systems during the pandemic, as many companies were forced to shift to home working.
Months later, the German intelligence agency issued a warning that the group was targeting companies in the German energy, water, and power sectors.
In 2022, the UK and US intelligence services pulled together a comprehensive timeline of the group’s activities following Russia’s invasion of Ukraine, which revealed a global campaign of cyberattacks across Europe, America, and Asia.
At least four Russian government employees have been indicted and charged for historical hacking campaigns linked to the group.
How To Stay Protected
On May 6, the American cybersecurity agency, CISA, published a comprehensive set of mitigations for operational technology providers to stay protected against cyber-attacks.
The Cisco Talos team has also published a comprehensive list of mitigations. These include:
- Applying the patch for CVE-2018-0171
- Applying security best practices such as updating access controls, network segmentation, and user training
- Enforcing multi-factor authentication
- Updating devices as ‘aggressively as possible’
- Replacing end-of-life hardware and software
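As an added illustration of the first two mitigations (this is example code, not from the article or from Cisco Talos), the script below compares a constructed IOS-style running config against a known-good baseline, flags Smart Install left enabled (Cisco's `no vstack` absent) and a few weak management settings, and lists lines that were added since the baseline, which is the kind of change the tampered configuration files described above would show. The hostnames, usernames, secrets and RISKY patterns are constructed and illustrative, not a complete audit.

```python
import re
from difflib import unified_diff

# Constructed sample: a known-good baseline and a later running config.
BASELINE = """\
hostname core-sw1
no vstack
username admin privilege 15 secret 9 $9$placeholder
snmp-server community monitor RO
no ip http server
line vty 0 4
 transport input ssh
"""

CURRENT = """\
hostname core-sw1
username admin privilege 15 secret 9 $9$placeholder
username svc-backup privilege 15 secret 9 $9$placeholder2
snmp-server community monitor RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input ssh telnet
"""

# Illustrative subset of risky settings (pattern, explanation).
RISKY = [
    (r"^snmp-server community \S+ RW\b", "writable SNMP community"),
    (r"^ip http server$", "HTTP management enabled"),
    (r"^\s*transport input .*\btelnet\b", "telnet allowed on VTY lines"),
]

def audit_config(baseline: str, current: str) -> dict:
    """Return findings for the current config and lines added since baseline."""
    findings = []
    cur_lines = current.splitlines()
    # Smart Install client stays on unless 'no vstack' is present in the config.
    if "no vstack" not in cur_lines:
        findings.append("Smart Install (vstack) not disabled: add 'no vstack'")
    for line in cur_lines:
        for pattern, why in RISKY:
            if re.search(pattern, line):
                findings.append(f"{why}: {line.strip()}")
    # n=0 keeps only changed lines; '+' lines are additions relative to baseline.
    diff = unified_diff(baseline.splitlines(), cur_lines, lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return {"findings": findings, "added_lines": added}

if __name__ == "__main__":
    for key, values in audit_config(BASELINE, CURRENT).items():
        print(key, *values, sep="\n  ")
```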
Read More
- FBI warns of Russian hacks targeting US critical infrastructure
- Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure