2015-09-15
(Adds comments by FireEye CEO, possible involvement of a
national agency; refiled to modify this advisory)
By Eric Auchard
FRANKFURT, Sept 15 Security researchers say they
have uncovered clandestine attacks across three continents on
the routers that direct traffic around the Internet, potentially
allowing suspected cyberspies to harvest vast amounts of data
while going undetected.
In the attacks, a highly sophisticated form of malicious
software, dubbed SYNful Knock, has been implanted in routers
made by Cisco, the world's top supplier, U.S. security
research firm FireEye said on Tuesday.
Routers are attractive to hackers because they sit outside the
reach of firewalls, anti-virus, behavioural detection software and
other security tools that organisations use to safeguard data
traffic; none of those tools runs on the router itself. Until now,
routers were considered vulnerable to sustained denial-of-service
attacks using barrages of millions of packets of data, but not to
this kind of persistent takeover.
"If you own (seize control of) the router, you own the data
of all the companies and government organisations that sit
behind that router," FireEye Chief Executive Dave DeWalt told
Reuters of his company's discovery.
"This is the ultimate spying tool, the ultimate corporate
espionage tool, the ultimate cybercrime tool," DeWalt said.
The attacks have hit multiple industries and government
agencies, he said.
Cisco confirmed it had alerted customers to the attacks in
August and said they were not due to any vulnerability in its
own software. Instead, the attackers either used valid network
administration credentials stolen from the targeted organisations
or gained physical access to the routers, and used that access to
install the modified software.
"We've shared guidance on how customers can harden their
network, and prevent, detect and remediate this type of attack,"
Cisco said in a statement.
CYBERSPIES SEEN RESPONSIBLE
Altogether, FireEye's computer forensics arm Mandiant has so
far found 14 instances of the router implant, in India, Mexico,
the Philippines and Ukraine, the company said in a blog post at bit.ly/1ObMm7u.
It added that this may be just the tip of the iceberg in terms
of yet-to-be-discovered attacks.
Because the attack replaces the router's own operating system
image (Cisco IOS) with a modified copy, the infection persists
when a device is shut off and restarted. FireEye said a router
found to be infected would have to be re-imaged, with its
operating system reinstalled from a known-good copy, a
time-consuming task for technicians.
Hitherto, infections of commercial routers, while not
unknown, have largely remained theoretical threats, DeWalt said,
unlike the routers consumers use at home, which according to
media reports have been hit by malware in recent years.
Experts reckon there are only a small number of nations with
cyber intelligence services which are capable of such attacks on
network equipment, including those of Britain, China, Israel,
Russia and the United States.
"That feat is only able to be obtained by a handful of
nation-state actors," DeWalt said, while declining to name which
countries he suspected might be behind the Cisco router attacks.
The malicious programme has been nicknamed "SYNful Knock"
because its hidden backdoor is activated by a specially crafted
TCP SYN packet, the first packet of an ordinary network
connection, which serves as a secret "knock". The implant does
not spread from router to router on its own; each device was
implanted by an attacker who already had administrative or
physical access to it.
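The knock lends itself to a passive network check. The following is an added example, not code from the original article or from FireEye or Cisco: it parses raw TCP headers, flags a bare SYN to port 80 whose sequence and acknowledgment numbers differ by 0xC123D (the trigger values FireEye's public report gave for this implant; the check accepts either ordering of the two fields), and also applies a generic heuristic that needs no magic value, a SYN carrying a non-zero acknowledgment number before the ACK flag has ever been set. The sample segments are constructed inline and are not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Trigger values from FireEye's 2015 report on SYNful Knock: a SYN to TCP
# port 80 whose sequence and acknowledgment numbers differ by 0xC123D.
KNOCK_PORT = 80
KNOCK_OFFSET = 0xC123D

FLAG_SYN = 0x02
FLAG_ACK = 0x10
MASK32 = 0xFFFFFFFF


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse the fixed part of a TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    # Low 9 bits of the offset/flags word are NS plus the eight classic flags.
    return TcpSegment(src, dst, seq, ack, off_flags & 0x1FF)


def is_bare_syn(seg: TcpSegment) -> bool:
    """SYN set and ACK clear: the first packet of a handshake."""
    return seg.flags & (FLAG_SYN | FLAG_ACK) == FLAG_SYN


def is_knock(seg: TcpSegment) -> bool:
    """Match the published trigger. Subtraction is done modulo 2**32 so a
    sequence number that wraps around the 32-bit space still matches."""
    if seg.dst_port != KNOCK_PORT or not is_bare_syn(seg):
        return False
    forward = (seg.ack - seg.seq) & MASK32
    backward = (seg.seq - seg.ack) & MASK32
    return KNOCK_OFFSET in (forward, backward)


def is_anomalous_syn(seg: TcpSegment) -> bool:
    """Generic heuristic with no magic value: a bare SYN from a normal stack
    carries an acknowledgment number of 0, because the field only becomes
    meaningful once the ACK flag is set. Any other value deserves a look."""
    return is_bare_syn(seg) and seg.ack != 0


def build_tcp(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a 20-byte TCP header with no options (data offset 5)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq & MASK32,
                       ack & MASK32, (5 << 12) | flags, 65535, 0, 0)


# Constructed sample traffic (not a real capture): (label, raw segment).
SAMPLES: List[Tuple[str, bytes]] = [
    ("normal handshake", build_tcp(40001, 80, 0x1A2B3C4D, 0, FLAG_SYN)),
    ("knock to port 80", build_tcp(40002, 80, 0x10000000, 0x10000000 + KNOCK_OFFSET, FLAG_SYN)),
    ("knock with wrapped seq", build_tcp(40003, 80, 0xFFFFFFF0, 0xFFFFFFF0 + KNOCK_OFFSET, FLAG_SYN)),
    ("same offset, wrong port", build_tcp(40004, 443, 0x2000, 0x2000 + KNOCK_OFFSET, FLAG_SYN)),
    ("syn-ack with offset", build_tcp(80, 40002, 0x5000, 0x5000 + KNOCK_OFFSET, FLAG_SYN | FLAG_ACK)),
]


def scan(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify each segment as 'knock', 'odd syn' (non-zero ack without a
    match on the published offset) or 'ok'."""
    verdicts = []
    for label, raw in samples:
        seg = parse_tcp(raw)
        if is_knock(seg):
            verdict = "knock"
        elif is_anomalous_syn(seg):
            verdict = "odd syn"
        else:
            verdict = "ok"
        verdicts.append((label, verdict))
    return verdicts


if __name__ == "__main__":
    for label, verdict in scan(SAMPLES):
        print(f"{verdict:8s} {label}")
```

Run it over TCP segments taken from a capture on the segment that faces the router's management and WAN interfaces. The magic-offset test is the precise indicator; the generic non-zero-acknowledgment test catches variants that change the constant, at the cost of occasional false positives from scanners that fill the field carelessly.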
Network logs from infected routers suggest the attacks have
been taking place for at least a year, FireEye's CEO said.
The implanted software, which preserves the router's normal
functions while adding the backdoor, could also potentially be
adapted to routers from other makers, DeWalt said.
Infected devices include the Cisco 1841, 2811 and 3825
routers, FireEye said. Cisco has discontinued selling those
models but still supports customers using them.
FireEye said it was only announcing its discovery after
working with Cisco to quietly notify governments and affected
parties. "We thought it was best to release this so everyone can
fix their routers as fast as possible," DeWalt said.
(Additional reporting by Joseph Menn in San Francisco; Editing
by Louise Heavens and Greg Mahlich)