FBI Warns Russian Hackers Targeted 'Thousands' of Critical US Infrastructure IT Systems (thehill.com)
The Hill reports:
Russian state-sponsored hackers have targeted thousands of networking devices associated with U.S. critical infrastructure sectors over the past year, the FBI warned Wednesday. The cyber actors are associated with the Russian Federal Security Service's (FSB) Center 16 and have taken aim at a vulnerability in certain Cisco devices, according to an agency public service announcement.
In some cases, hackers have been able to modify configuration files to enable unauthorized access, which they have used to conduct reconnaissance on networks. This has "revealed their interest in protocols and applications commonly associated with industrial control systems," the FBI said.
Cisco's threat intelligence research arm, Talos, explained in a separate advisory that a subcluster of this group, which it has named "Static Tundra," is targeting a seven-year-old vulnerability in the company's Smart Install feature. The firm has offered a patch for the vulnerability, but it remains a problem in unpatched and end-of-life network devices, it warned.
"Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering," warns the Talos blog. "This is demonstrated by the group's ability to maintain access in target environments for multiple years without being detected."
In a statement emailed to The Register, a Cisco spokesperson "said the company is aware of ongoing exploitation targeting this flaw." "We strongly urge customers to immediately upgrade to fixed software versions as outlined in the security advisory and follow our published security best practices," the spokesperson said, directing customers to the FBI's announcement and Cisco Talos blog for additional details.
The ongoing campaign targets telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe, "with victims selected based on their strategic interest to the Russian government," according to Talos researchers Sara McBroom and Brandon White. "We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government," McBroom and White wrote.
And while both security alerts focus on the FSB's latest round of network intrusions, "many other state-sponsored actors also covet the access these devices afford," the Talos team warned. "Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well."
Some context from Hot Hardware: Cisco indicated in its advisory that "Only Smart Install client switches are affected by the vulnerability." The list of affected devices is in Table A-1 here. For a successful attack, hackers exploit a vulnerability tracked as CVE-2018-0171. This was a vulnerability that was patched way back in 2018.
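As an added illustration (not code from The Hill, the FBI or Cisco Talos), a defender-side audit in Python over two constructed Cisco IOS configs: it flags a Smart Install client that is still enabled and diffs the current config against a known-good baseline for newly added access-granting lines, the kind of configuration tampering the advisories describe. `no vstack` is Cisco's documented command for disabling the Smart Install client; the hostnames, usernames, communities and pattern list are assumptions for the example.

```python
"""Audit a Cisco IOS running-config for two conditions from the FBI/Talos
reporting: Smart Install left enabled, and access-related lines that were
not present in a known-good baseline. Both configs below are constructed."""
import re

# Constructed baseline, as a defender would have exported it before the incident.
BASELINE = """\
hostname edge-sw1
no vstack
username netops privilege 15 secret 9 $9$placeholder
snmp-server community monitorRO RO 10
line vty 0 4
 transport input ssh
"""

# Constructed "current" config showing the kind of tampering described above.
CURRENT = """\
hostname edge-sw1
vstack
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 15 secret 9 $9$placeholder2
snmp-server community monitorRO RO 10
snmp-server community public RW
line vty 0 4
 transport input ssh telnet
"""

# Lines whose appearance outside the baseline usually mean new access was granted
# (assumed list; extend it for your own environment).
ACCESS_PATTERNS = (r"^username ", r"^snmp-server community ", r"^ip http ",
                   r"^\s*transport input ", r"^tftp-server ", r"^enable (secret|password) ")

def smart_install_enabled(config: str) -> bool:
    """On a Smart Install-capable client, only an explicit 'no vstack' disables
    the feature; a bare 'vstack' or no line at all leaves it listening."""
    lines = {ln.strip() for ln in config.splitlines()}
    return "no vstack" not in lines

def added_access_lines(baseline: str, current: str) -> list[str]:
    """Current-config lines absent from the baseline that match an access pattern."""
    base = set(baseline.splitlines())
    return [ln for ln in current.splitlines()
            if ln not in base and any(re.match(p, ln) for p in ACCESS_PATTERNS)]

def audit(baseline: str, current: str) -> dict:
    """Combine both checks into one report for a device."""
    return {"smart_install_enabled": smart_install_enabled(current),
            "added_access_lines": added_access_lines(baseline, current)}

if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(key, value)
```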
Man Russia is getting a lot (Score:2, Troll)
Of mileage out of washing machine CPUs!
They stopped using Windows11 .. (Score:2)
.. so they can get much more mileage out of decent and very cheap 2nd hand hardware.
Re: (Score:1)
I know you are just trolling. But at least try to post something halfway intelligent. Washing machines have never counted as "critical infrastructure".
Re: (Score:1)
If *you* had kept up with the news you would know that Kazakhstan has been exporting unusually large shipments of household 'smart' white goods such as fridges and washing machines to Russia for repurposing.
https://time.com/6226484/russi... [time.com]
Re:Man Russia is getting a lot (Score:4, Funny)
Washing machines have never counted as "critical infrastructure".
So, what you're saying is... you don't have kids. :-)
Work on your comprehension (Score:2)
The GP is implying Russian hackers are using computers based on washing machine CPUs to launch these attacks because sanctions prevent them from obtaining Intel/AMD/Qualcomm/etc. CPUs. They aren't implying that the Russians are hacking westerners' washing machines.
Critical Systems? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Why is Russia?
Because we let them.
Re: (Score:2, Insightful)
Because everybody is in the Internet. Incidentally, removing Russia would do exactly nothing because they would just use some servers in other places. Takes some minimal insight to understand that though. The only thing that would work to a limited degree is to remove the US from the Internet and then completely close the borders and manufacture all electronics and software domestically. Pretty impossible to do.
Alternatively, we could start making operators of critical infrastructure liable if they do not use
Re: (Score:2)
Because everybody is in the Internet. Incidentally, removing [russia] would do exactly nothing because they would just use some servers in other places.
OMG. Captain Picard is rolling in his future grave. That's the freaking point. This isn't about taking russia off the internet. It's about taking our critical infrastructure off of the internet and there is nothing to hack into.
Re: (Score:2)
Which is impossible at this time. Unless you want to build up a second network? Or put some easily cut wires on poles instead?
Seriously, using the Internet is NOT the problem here.
Re: (Score:2)
Re: (Score:2)
Re: Critical Systems? (Score:2)
Re: (Score:2)
Re: (Score:2)
I agree with your sentiment, but something you said needs to be expanded upon:
Let me clarify: water, power, gas, sewage. Why are these on the internet? They go down and we're in a really bad situation.
Some people may not realize that managing these items has become so complex that computers and data comms are critical. We can and should discuss whether or not the open internet is a suitable backbone for the job, either as a primary or as a backup. But wide-area data communications in utilities management is a necessity.
Personally, I'd like to see closed networks using dedicated lines and microwave towers as required. That would
Re: (Score:3)
The open Internet is fine for this. But if you use insecure communication (a VPN link, even only via lowly OpenSSH would fix the links) and crappy, insecure control systems (Windows, easily fixed by using hardened Linux or xBSD), then it is not going to be secure overall. IT Security can be done right, it is known how to do it right, but greed, incompetence and no liability makes the operators of critical infrastructure use tech that does not cut it configured and operated by people that do not cut it.
Re: (Score:2)
Linux helps, but it isn't magic. Even with proper administration, it may not stand up to attacks from a nation-state.
I also get the feeling that Linux may be coasting on brand name to an extent. Its absolute security seems to have lessened over the decades. I'm not a security expert, but plenty of them have made noise about systemd, among other things.
For critical infrastructure, I'd ideally like to see something custom, running on bare metal, with a very expensive and meticulous development process with se
Re: (Score:2)
Linux helps, but it isn't magic. Even with proper administration, it may not stand up to attacks from a nation-state.
Maybe. Or maybe not. Hardened Linux with minimal attack surface is pretty tough, as in "you are not getting in unless you get lucky". In any case it will massively increase the cost of getting into. Like "risk losing that $1M zero day". And hardened NetBSD, for example, is even tougher. What allows a nation-state to get into a hardened target is typically not technological attacks but attacks on humans. But these are tricky, expensive, slow and may land your assets in prison. Not doable on the scale we are
Re: (Score:2)
Remote control. Yes, this can be done right, e.g. via a VPN link. And no insecure MS crap on either side of that link. But that costs money.
Re: (Score:2)
Re: (Score:2)
Today.
Re: Critical Systems? (Score:1)
Re: (Score:2)
Re: (Score:2)
Simple: It is cheap, the operators are greedy bastards and there are no penalties for operating critical infrastructure insecurely. Oh, and the EU is in the process of changing that with NIS 2 (https://nis2directive.eu/what-is-nis2/) because it is a massive problem. I guess in the US, the orange moron will do exactly the opposite and let the "market" fix this. As if that could ever work: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Convenience... but you already knew that. The question you should be asking is why isn't security a higher concern.
What will be Trumps response to this aggression (Score:1, Informative)
Re: (Score:2)
Re: (Score:1)
In any case, the orange moron will announce he can fix this in 24h and then will fix nothing, while claiming it has been fixed.
In other words... (Score:4, Insightful)
...America failed to realise that other people could follow their Stuxnet playbook, and so failed to ensure that the country's critical infrastructure was properly hardened against attack.
Of course, most of that infrastructure is in private hands, and shareholder dividends always trump investment.
Re: In other words... (Score:2)
Re: (Score:2)
Yes, they will. They may already do that if the trade-war escalates. Obviously, China is winning that one, so they have no motivation to do so. But remember that China (and Russia) have state-operated firewalls on all outside Internet connections.
Re: (Score:2)
My electricity supplier is owned by a consortium of global private equity firms. Remind me again why this was allowed to happen?
Re: (Score:2)
Greed, stupidity and "Who is going to be hit? Somebody else? Then it is fine!". The latter is also how Microsoft and some others do IT security these days. Absence of liability will do that.
Re: (Score:2)
Of course, most of that infrastructure is in private hands, and shareholder dividends always trump investment.
Which is why in countries that do not pray to the great god of mammon, there is regulation and liability. Example: https://nis2directive.eu/what-... [nis2directive.eu]
Re: (Score:2)
cyber defence (Score:1, Troll)
Re: (Score:2, Troll)
His supporters would say this is his "madman" negotiating style but it's been 9 years of this and what great deal has his tactic or in general has he made that nobody else could have? Nobody believes him, it's all for show, he's a coward and a terrible negotiator.
Re: (Score:1)
He does not seem to be a negotiator at all. All he seems to do is make threats and then take whatever deal the other side offers.
Re: (Score:2)
And this works because the average moron (like the person that moderated this down) is even dumber.
Re: (Score:2)
Naa, the US will simply become a state in Russia (or China) longer term and then the problem will be solved.
tRumo dismantled cyber security for Russia (Score:3, Informative)
Trump's Boyfriend at it Again (Score:2)
Re:Trump's Boyfriend at it Again (Score:4, Funny)
Re: (Score:2)
Even Satan is annoyed with Trump.
What did anyone expect? (Score:1, Flamebait)
Re: (Score:2)
Re: (Score:2)
Public Service Announcement
zurkeyon is a habitual AC hero who loves to REAP what it has SEWN [slashdot.org]. It is also a raving loon.
Responder beware
Re: (Score:2)
Re: (Score:2)
Re: Start using Bait... (Score:2)
I think you've watched Hackers and/or ID4 too many times.
"was patched"? (Score:4, Insightful)
The summary had a comment from the Cisco advisory, "This was a vulnerability that was patched way back in 2018." I doubt that is true.
A correct statement would be "This was a vulnerability for which a patch was released way back in 2018."
Speaking as a retired sysadmin, I can assure you those two sentences are not the same at all.
Re: (Score:2)
Indeed. Especially when that "patch" did break other stuff or require effort or downtime to be installed. And no liability for not doing it.
This is Cisco's fault (Score:5, Informative)
Here are details of the hack:
The hackers used an exploit that's been known to Cisco for about 2 years. It's called CVE-2018-0171 and affects Cisco IOS and IOS XE software. Specifically, it's a bound checking error that can be attacked using UDP on one specific port. What the hackers did was simply execute a buffer overflow attack on the HTTP format of the authentication. That is, they overrode the authentication with an executable script, which obviously writes over the memory address denying anyone not authorized, to gain root access.
Cisco has advertised that this was a potentially dangerous exploit but said that they won't issue a patch:
https://www.bleepingcomputer.com/news/security/cisco-warns-of-auth-bypass-bug-with-public-exploit-in-eol-routers/
Here's a quote from the linked article: Despite rating it as a critical severity bug and saying that its Product Security Incident Response Team (PSIRT) team is aware of proof-of-concept exploit code available in the wild, Cisco noted that it "has not and will not release software updates that address this vulnerability."
Instead, Cisco sent out warnings about which ports should be blocked from sending and receiving UDP packets
Re: (Score:2)
Well, it is the 3rd-rate peddler of insecure crap known as "Cisco". What do you expect? Made cheaply, sold expensively, and who cares about customers getting hit.
The Presidency will render an opinion ... (Score:1)
One word (Score:2)
And the REAL story is (Score:4, Insightful)
Thousands of US critical infrastructure IT systems operated by greedy assholes and morons that could not be trusted to secure anything. And no penalties for endangering critical infrastructure by operating it insecurely.
And, that is not "victim" blaming. That is blaming the perpetrators. A situation this abysmally bad can only arise when the ones getting attacked are effectively actively helping those doing the attacks.
This is what the trump admin wants (Score:2)
Cyberattack disables power grids, water systems, phone systems, the internet, martial law declared, elections canceled, permanent rule by the project 2025 fascists.