Russia’s Grizzly Steppe gunning for vulnerable routers

The Russian Government’s hackers – codenamed “Grizzly Steppe” – stand accused of trying to turn millions of routers against their owners.

After the stream of recent accusations levelled by cyber-authorities in the US, UK and Australia, it was probably inevitable that Russia would be formally accused of targeting network infrastructure at some point.

That happened yesterday, in the bludgeoning co-ordinated style that now marks out every official statement regarding Russia and cyberwarfare.

US-CERT stated:

Since 2015, the US Government received information from multiple sources – including private and public-sector cybersecurity research organizations and allies – that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide.

These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

The Grizzly Steppe name dates to late 2016, when the DHS and FBI published their first joint report on the group’s alleged activities.

There will perhaps be two public reactions to this remarkable accusation, the first being to wonder what routers are and why they matter so much that Russia would want to target them.

The second may be to wonder why it has taken these countries so long to point out the phenomenon of co-ordinated router compromise – something that a variety of groups have been engaged in for at least a decade without much fuss being made about it.

In case the alert sounds a bit vague, the UK National Cyber Security Centre (NCSC) followed up the warnings with a document explaining in some detail the weaknesses, mostly in configuration and management protocols rather than in the hardware itself, that the Russians are alleged to be exploiting.

Switches, firewalls, and Intrusion Detection Systems (IDS) are all on the Russian target list but the central importance of routers in homes and offices made them prized targets, it said.

Products aren’t named beyond a few generic references to Cisco and Juniper, both of which are of course known to be extremely common in ISP networks.

However, what is made clear is the type of product vulnerable to Russian takeover. This includes:

  • Devices not set up securely (default passwords, too many interfaces/protocols left turned on)
  • Legacy devices using “unencrypted protocols or unauthenticated services” (presumably a reference to managing routers over Telnet or plain HTTP, or polling them with SNMPv1/v2c, all of which send credentials across the network in the clear)
  • End-of-life devices no longer receiving security patches
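The three classes above are things a configuration audit can catch before an attacker does. The following is an added example, not code from the original article or from NCSC: a small Python checker that reads a Cisco IOS-style running configuration and flags default or cleartext credentials, Telnet and HTTP management, and unauthenticated services such as SNMPv2c with a guessable community string. Both configurations are constructed for the example (the hostname, usernames and hash strings are placeholders, not taken from any real device), and the hardened version shows the corrected setting for each finding.

```python
import re

# Constructed sample configurations (not from any real device) in Cisco IOS
# style. WEAK_CONFIG exhibits the three classes the NCSC list describes:
# default/cleartext credentials, cleartext management protocols (Telnet,
# HTTP) and an unauthenticated service (SNMPv2c with a guessable community).
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco
username admin password 0 admin
service tcp-small-servers
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# The same device with each weakness corrected (hash values are placeholders).
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$examplehashexamplehash
username ops privilege 15 secret 9 $9$examplehashexamplehash
no service tcp-small-servers
no ip http server
ip http secure-server
no snmp-server community public
snmp-server group monitoring v3 priv
line vty 0 4
 login local
 transport input ssh
"""

# Passwords that ship as factory defaults or appear in every wordlist.
DEFAULT_CREDS = {"cisco", "admin", "password", "123456", "default"}


def classify_secret(value: str) -> str:
    """Label a cleartext password found in the config."""
    return "default" if value.lower() in DEFAULT_CREDS else "cleartext"


def audit_config(cfg: str) -> list[str]:
    """Return one finding string per weakness; an empty list means clean."""
    findings = []
    section = ""  # the enclosing 'line ...' / 'interface ...' stanza, if any
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = line  # a new top-level stanza begins here
        # 1. Default or cleartext credentials.
        m = re.match(r"enable password (?:0 )?(\S+)$", line)
        if m:
            findings.append(f"enable password is {classify_secret(m.group(1))}; use 'enable secret'")
        m = re.match(r"username (\S+)(?: privilege \d+)? password (?:0 )?(\S+)$", line)
        if m:
            findings.append(f"user '{m.group(1)}' has a {classify_secret(m.group(2))} password")
        m = re.match(r"password (?:0 )?(\S+)$", line)
        if m and section.startswith("line "):
            findings.append(f"{section}: {classify_secret(m.group(1))} line password")
        # 2. Cleartext management protocols.
        if line == "ip http server":
            findings.append("HTTP management enabled; use 'ip http secure-server' only")
        if section.startswith("line vty") and line.startswith("transport input"):
            protocols = set(line.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append(f"{section}: Telnet accepted for remote management; restrict to ssh")
        # 3. Unauthenticated or unnecessary services.
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            findings.append(f"SNMPv1/v2c community '{m.group(1)}' (unauthenticated, cleartext); move to SNMPv3")
        if line == "service tcp-small-servers":
            findings.append("legacy TCP small servers (echo/chargen/discard) enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak configuration the checker reports seven findings, one per line that would let a remote attacker either guess a credential or read one off the wire; the hardened configuration produces none. The point of keeping the two side by side is that none of the fixes needs a patch or new hardware, which is exactly why end-of-life devices in the third category are the hard case: the checks still apply, but the only remaining fix for an unpatchable device is replacement.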

It lists numerous technical mitigations that a well-informed engineer would already know about and a series of Grizzly Steppe Indicators of Compromise (IoCs) they might not.

Reflecting the number of vulnerable devices, a Reuters report quotes a source at the British government’s National Cyber Security Centre as numbering targeted systems in the millions.

A separate warning put out by Australian authorities said that “potentially 400 Australian companies were targeted”, although without “any exploitation of significance.”

The alerts are best understood as part warning, part political theatre.

For the Russians, it’s about making crystal clear that the defenders can see what they’re up to, which holds an implicit threat in return – if you target our routers we can do the same to yours.

The idea that we might be on the edge of an age of cyberattacks followed by retaliation is pretty scary if, indeed, that line hasn’t been quietly crossed already.

For companies, equipment makers and service providers, it’s a way of saying that the good times are over: you can’t take router security for granted.

Everyone should take basic precautions to defend their customers, and themselves, and not just hope for the best or assume the government will step in to save them.