How Vulnerable is the UK to a Russian Cyber-Attack

US And UK Issue A Rare Joint Technical Alert Warning Of Potential Russian Cyber-Attack

 

Over the past month or so, British and Russian relations have reached an all-time low.  First, there was the poisoning of former Russian military intelligence officer and British spy Sergei Skripal and his daughter Yulia Skripa in Salisbury.  They were targeted with the chemical Novichok, developed in the last years of the Soviet Union.  Evidence in an ongoing investigation suggests it was planted on the door-handle of Mr Skripal’s home in early March[1].  British Prime Minister, Theresa May took the unprecedented step of saying it was “highly likely” Russia was responsible for the attacks and expelled 23 Russian diplomats from the country[2].

In April, relations were further strained when the UK and France took part in a US-led missile strike against what they claimed were Syrian chemical weapons facilities in response to a chemical weapons attack in a Damascus suburb which targeted civilians[3].

Given the international tensions between Russia and the West, there has been a lot of talk regarding the prospect of Moscow launching a cyber-attack on the UK or America, paralysing their infrastructure.  Although this may sound far-fetched, on 16th April 2018, a joint technical alert, based on analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) was issued[4].  The alert warned members of the public and businesses to be alert for Russian cyber actors.

The technical alert warned:

“Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to

• identify vulnerable devices;
• extract device configurations;
• map internal network architectures;
• harvest login credentials;
• masquerade as privileged users;
• modify
  • device firmware,
  • operating systems,
  • configurations; and
• copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router”.

Are all businesses vulnerable to a potential cyber-attack by Russia?

The technical alert stated the routers, switches, firewalls, and network intrusion detection systems at government and businesses were the main targets of Russian hackers, but it added that even “small-office/home-office customers” should take more protective action, as should Internet Service Providers (ISPs), and those managing their organisation’s infrastructure[5].

According to Wired Magazine, the FBI, the Department of Homeland Security, and the UK’s National Cyber Security Centre (NCSC) noted that multiple cybersecurity research groups had reported such activity since 2015.

“This is not something new, and is not something that has developed in response to Salisbury and Syria,” said Keir Giles, a senior consulting fellow of the Russia and Eurasia Programme at thinktank Chatham House. “But it’s something that is entirely consistent with how Russia thinks about information warfare.” That includes standard cyber-attacks as well as “targeting of mass consciousness and public opinion“[6].

The technical alert warns that network devices are the most vulnerable aspect of an organisation’s IT infrastructure.  It warns a “malicious actor” gaining access to the gateway router “has the ability to monitor, modify, and deny traffic to and from the organisation. A malicious actor with presence on an organisation’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts”.

Routers are often left unpatched or have old protocols which have never been encrypted.  The alert also states the Internet of Things (IoT), which is increasingly becoming omnipresent, provides an easy target for hackers.  Professor Alastair Irons, academic dean for the faculty of computer science at the University of Sunderland told Wired Magazine that to keep the price of the IoT relatively cheap and make it easy to use to appeal to a large market, security is often weaker than it could be.

Routers provide an ideal target for cyber-hackers as, unlike when a laptop is attacked by Malware, an owner is unlikely to know their router has been compromised.  This allows it to be held for future use.

What can companies do to protect themselves from a Russian cyber-attack?

No matter what the size of your organisation, it is imperative to update the firmware on all networking equipment, and ensure your ISP contracts require software providers to make new security patches available when needed.  This will have the added benefit of protecting your organisation from other cyber criminals who use the same cyber espionage strategies as Russian state-sponsored hackers.

In addition, organisations should not allow unencrypted (i.e. plaintext) management protocols (e.g. Telnet) to enter an organisation from the Internet.  When encrypted protocols such as SSH, HTTPS, or TLS are not possible, the alert states management activities from outside the organisation should be done through an encrypted Virtual Private Network (VPN), whereby both ends are mutually authenticated.

Finally, everyone, be it an individual or a business should use strong passwords and never use the same password across multiple devices.  Any default passwords should be changed immediately, and legacy passwords deleted.

Final words

The unprecedented release of a joint technical alert by the US and UK shows how serious the Russian threat to cyber-security across the globe is.  Cyber-warfare is already occurring to a degree – for example in February 2018, Russian cyber-spies tricked employees at US defence companies into exposing their emails.  The security companies targeted were working on sensitive defence contracts, including weaponised drones, missiles, and stealth fighter jets[7].  The hackers were a group known as ‘Fancy Bear’, who are believed to have links to the Russian administration and may receive funding from the Kremlin[8].

Regardless of whether the threat is from Russia or a criminal gang with no political leanings, businesses and individuals now have more responsibility than ever to protect their IT infrastructure; not only for their own sake, but for the safety of the wider community.

Lineal is a global leader in providing cyber security advice and support.  To find out more about our other services, please call us on +44 (0)20 7940 4799 or email info@linealservices.com.

Do you have any comments to make on this article?  Please feel free to add them in the comments section below.

[1] https://www.nytimes.com/2018/04/01/world/europe/russia-sergei-skripal-uk-spy-poisoning.html

[2] https://www.independent.co.uk/news/uk/politics/theresa-may-russia-poisoning-spy-nerve-agent-sergei-skripal-salisbury-elections-crimea-a8252381.html

[3] https://www.theguardian.com/world/2018/apr/14/syria-air-strikes-us-uk-and-france-launch-attack-on-assad-regime

[4] https://www.us-cert.gov/ncas/alerts/TA18-106A

[5] https://www.wired.co.uk/article/russia-hacking-russian-hackers-routers-ncsc-uk-us-2018-syria

[6] Ibid

[7] https://www.independent.co.uk/news/world/americas/russia-hackers-us-contractors-trick-military-secrets-cyber-espionage-warfare-a8198451.html

[8] https://www.independent.co.uk/sport/football/news-and-comment/fancy-bears-who-are-hacking-group-doping-sport-football-russia-georgia-reedie-bach-a7906376.html