Ministers have been told they can no longer say there have been “no successful examples” of Russian disinformation affecting UK elections, after the apparent hacking of an NHS dossier seized on by Labour during the last campaign.
The dropping of the old line is the first official admission of the impact of Kremlin efforts to distort Britain’s political processes, and comes after three years of the government’s refusal to engage publicly with the threat.
Cabinet Office sources confirmed the position had been quietly changed while an investigation by the security services into the alleged hacking of the 451-page cache of emails from a special adviser’s personal email account concludes.
Boris Johnson and his predecessor as prime minister, Theresa May, have both appeared reluctant to discuss Kremlin disinformation, with Johnson refusing to allow a report on Russian infiltration in the UK to be published before the election.
Versions of the “no successful examples” statement were regularly deployed in response to allegations of Russian interference in the Brexit referendum, to the frustration of MPs who believed a full investigation was necessary.
Officials said the revised position about Russian interference was set out by Earl Howe, the deputy leader of the House of Lords, in a parliamentary answer earlier this year, when he was asked if there were plans to investigate interference by foreign governments in December’s election.
The peer said the government was determined to protect the integrity of the democratic process in the UK. “As you would expect, the government examines all aspects of the electoral process following an election, including foreign interference, and that work is ongoing,” he said.
Stephen Kinnock, a Labour MP, said the government was being slow in acknowledging the disinformation threat from Russia. “From the hacking of NHS emails to the St Petersburg troll factories and bot farms, it’s clear that the Kremlin is pursuing a deliberate strategy of online disinformation and manipulation that is undermining our democracy.”
Security sources said that the Russian strategy of “hack and leak” and “disinformation and misinformation” – which first came to prominence with the hack of Democratic emails in the run-up to the 2016 US presidential election that handed victory to Donald Trump – was becoming widespread internationally.
Last month, the Foreign Office said Russia’s GRU spy agency had carried out a series of “large-scale, disruptive cyber-attacks” in Georgia “in an attempt to undermine Georgia’s sovereignty, to sow discord and disrupt the lives of ordinary Georgian people”.
But despite the strong words in support of an ally in the Caucasus, ministers had been reluctant to publicly call out any Russian disinformation efforts in the UK – and there has been little public acknowledgement of the NHS hack during the election, first reported by the Guardian.
The scale of the Russian threat will be examined in the long-awaited report on Kremlin infiltration into British politics from the independent intelligence and security committee, which cannot be published until Downing Street appoints a new set of members following the election.
Earlier this week, it emerged that among those in the frame were the error-prone former transport secretary Chris Grayling and recently sacked environment minister Theresa Villiers.
The NHS emails are believed to have been hacked from an adviser’s personal Gmail account, and were disseminated online via Reddit, under the headline “Great Britain is practically standing on her knees working on a trade agreement with the US”.
Initially ignored, the documents covering six rounds of UK-US trade talks were eventually picked up by Labour from the posting and produced during a dramatic press conference by Jeremy Corbyn, who said they showed the NHS was “on the table” in the negotiations.
Following an investigation, Reddit concluded “we believe this was part of a campaign that has been reported as originating from Russia” and said it bore the hallmarks of the earlier Secondary Infektion disinformation operation, which was exposed by Facebook in 2018.
The US Department of Justice indicted Russian national Yevgeniy Nikulin in several major cybercriminal offenses, such as stealing personal identities, usernames and credit card information of customers from Formspring, LinkedIn and Dropbox.
Nikita Kislitsin, an employee of Group-IB, a cybersecurity firm with offices in Moscow and Singapore, is an alleged co-conspirator in the 2012 Formspring case, according to the DOJ. Kislitsin joined the company in January 2013, about six months after US prosecutors say he tried to sell the Formspring data. US prosecutors have not alleged any wrongdoing by Group-IB.
Russian software firms are under scrutiny too after claims that the leading anti-virus software firm Kaspersky Labs, which has sold its software all over the world, was cooperating with the Russian Federal Security Service (FSB) – a claim the company has stringently denied.
Group-IB is a leading Russian cyber-security firm that also has an international clientele. However, in a statement shared with bne IntelliNews, the company dismissed the charges against Kislitsin as “only allegations,” arguing that no case has been made yet.
Indeed, Group-IB said that company representatives and Kislitsin met with representatives of the Justice Department to discuss Kislitsin’s research into hackers and the dark web, which he conducted before joining Group-IB while editor of the magazine “Hacker.”
From 2006 to 2012, Nikita Kislitsin was a well-known journalist and, as chief editor of Hacker, wrote extensively about information security, programming, and computer network administration. The magazine paid particular attention to research into cyberattacks, analysis of cybercriminal groups’ tools, case studies of online fraud and hacking, and recommendations on cybersecurity measures and protection against cyberthreats. Kislitsin also worked in the US as an independent threat researcher in 2012.
In Russia, cases of “poacher turned gamekeeper” are common in the software engineering community, and such people are usually among Russia’s best engineers.
Group-IB has offered to fully cooperate with the authorities, as the company’s raison d’être is to prevent cybercrime and hacking attacks. Like most countries, Russia also suffers from digital crime, and the Central Bank of Russia (CBR) reported earlier this year that Russian banks lost hundreds of millions of dollars to cybercrime in 2019. Last October the state-owned retail banking giant Sberbank was hacked and the personal details of millions of Sberbank’s clients were offered for sale on the black market in what was Russia’s largest ever data breach, according to security experts. Group-IB regularly publishes research about payment fraud techniques and other cyber threats as a public service and has on occasion assisted international law enforcement in its investigations, according to a company spokesman.
Group-IB said it will support Kislitsin and has taken advice from international lawyers before taking its next steps. Kislitsin is currently employed as the head of network security, according to the company website.
The indictment is short on details of the alleged crime, and the evidence that has been publicly released is based on little more than a conspiracy theory.
According to US press reports the case against Kislitsin is largely built on linking him to Yevgeniy Nikulin, a Russian national, who is set to stand trial in March in San Francisco for allegedly stealing 117mn usernames and passwords from Formspring, LinkedIn and Dropbox in a separate case.
Source: National Cyber Security – Produced By Gregory Evans University president says damage from the ransomware attack “can scarcely be conceived.” The University of Maastricht located in the Netherlands experienced a ransomware attack on December 24 and wound up paying the hackers 200,000 euros or $220,000 in bitcoin to unblock its computers, reports Reuters. “The […]
Aleksei Burkov, an ultra-connected Russian hacker once described as “an asset of supreme importance” to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members […]
LONDON — Fears of Russian interference reared their head in the U.K. election this weekend after social media platform Reddit said it believed confidential British government documents were posted to the site as “part of a campaign that has been reported as originating from Russia.”
Reddit launched an investigation after opposition Labour Party leader Jeremy Corbyn brandished the leaked documents at a press conference last month.
The 451-page dossier appeared to reveal rounds of trade negotiations with the U.S. for a post-Brexit trade deal included mention of the country’s beloved National Health Service. Labour claimed they proved Prime Minister Boris Johnson would put the NHS “up for sale” to secure a deal with President Donald Trump.
The British government has not denied the authenticity of the documents. NBC News has not verified their authenticity.
Johnson, whose ruling Conservative Party leads in the polls entering the final week, has denied Corbyn’s claims about what they show.
A British government spokesperson told NBC News Sunday that “online platforms should take responsibility for content posted on them, and we welcome the action Reddit have taken.”
“The U.K. government was already looking into the matter, with support from the National Cyber Security Centre,” the spokesperson said.
“We do not comment on leaks, and it would be inappropriate to comment.”
Reddit said late Friday that its investigation into the posts related to the leak revealed “a pattern of coordination” by suspect accounts that were similar to a Russian campaign called “Secondary Infektion” discovered on Facebook earlier this year.
The site also said it had banned 61 accounts suspected of violating policies against vote manipulation related to the original post, which was published in October.
Corbyn has not revealed how his party obtained the documents but defended the decision to use them.
Asked about Reddit’s conclusions at a campaign stop Saturday, Corbyn said the news was an “advanced stage of rather belated conspiracy theories.”
“When we released the documents, at no stage did the prime minister or anybody deny that those documents were real, deny the arguments that we put forward. And if there has been no discussion with the USA about access to our health markets, if all that is wrong, how come after a week they still haven’t said that?” he added.
He also criticized the government for failing to release a Parliamentary intelligence committee report on Russian interference in British politics before the election campaign began.
Thursday’s vote was called in an effort to break the deadlock that has left the future of the country’s relationship with the European Union uncertain.
But the future of Britain’s health care has emerged as a powerful rejoinder to the notion of a purely ‘Brexit election.’
Asked about the source of the leak this weekend, Johnson said: “I do think we need to get to the bottom of that.”
Culture minister Nicky Morgan claimed the leak raises concerns of Russian influence on British democracy and said the government is taking steps and “watching for what might be going on.”
“From what was being put on that (Reddit) website, those who seem to know about these things say that it seems to have all the hallmarks of some form of interference,” Morgan told the BBC. “And if that is the case, that obviously is extremely serious.”
But if Russia was behind the leak, its aim may not have been to help any particular side in the election, Lisa-Maria Neudert, a researcher at Oxford University’s Project on Computational Propaganda, told Reuters.
“We know from the Russian playbook that often it is not for or against anything,” she said.
“It’s about sowing confusion, and destroying the field of political trust.”
Linda Givetash is a reporter based in London. She previously worked for The Canadian Press in Vancouver and Nation Media in Uganda.
Belgian military will stop using GPS due to the Russia threat.
There have been 9,883 suspected incidents of GNSS hacking.
Russia can utilize low cost software to send spoofed GPS signals.
The Belgian army will stop using a GPS system due to a heightened risk of Russia’s disruption of the GPS signal. The Global Positioning System, originally NAVSTAR GPS, is a satellite-based radionavigation system owned by the United States government and operated by the US Air Force. The Belgian military will revert to the use of topographic maps and old-fashioned compasses.
In modern mapping, a topographic map is a type of map characterized by large-scale detail and quantitative representation of relief, usually using contour lines. The announcement was made via De Morgen, a Flemish newspaper with a circulation of 53,860. The paper is published in Brussels.
Furthermore, Russia has been accused previously by Finland and Norway of interfering with the GPS signal during the NATO Trident Juncture Training exercise. The Trident Juncture 18, abbreviated TRJE18, was a NATO-led military exercise held in Norway in October and November 2018 with an Article 5 collective defence scenario. The exercise was the largest of its kind in Norway since the 1980s.
NATO publicly acknowledged the reckless Russian behavior of GPS signal interference. GPS is also a widely used application in the civilian world, including vehicles, phones, laptops, etc.
The US also believes that GPS is vulnerable to Russian and Chinese hacking. Merchant ships entering the Black Sea have reported the loss of the GPS signal near the Crimea. The same was reported previously in Syria, where the Russian troops were located. Israel accused Russia too of meddling with the GPS signal in their airports.
The Center for Advanced Defense (C4ADS) released a report pertaining to GPS spoofing in Russia and Syria earlier this year. C4ADS is a US-based nonprofit organization dedicated to data-driven analysis and evidence-based reporting of conflict and security issues worldwide.
C4ADS undertook a year-long study on the numerous attacks that have happened to the Global Navigation Satellite Systems (GNSS), including the U.S.-owned Global Positioning System (GPS). The study shows that there have been 9,883 suspected incidents of GNSS hacking at more than 10 locations, including 1,311 civilian maritime vessel navigation systems since February 2016.
All these instances have a Russian footprint. Navigation systems sound alarms when they recognize jammers. Spoofing systems, by contrast, create false signals that confuse GNSS receivers, leading to severe consequences. As per C4ADS, Russia can easily use low-cost, commercially available ‘software-defined radios’ (SDR) and open-source code capable of transmitting spoofed GPS signals.
Russia poses a true danger to the military and civilians in the West using GPS technology. Russia is notorious for hacking and has been utilizing a cyber warfare strategy for some time. The Kremlin conceptualizes cyber operations within the broader framework of information warfare, a holistic concept that includes computer network operations, electronic warfare, psychological operations, and information operations.
Russia is dangerous because it has adopted a more assertive cyber posture and is willing to target critical infrastructure systems (GPS) and conduct espionage operations even when detected and under public scrutiny.
LONDON (Reuters) – Russian hackers piggy-backed on an Iranian cyber-espionage operation to attack government and industry organizations in dozens of countries while masquerading as attackers from the Islamic Republic, British and U.S. officials said on Monday.
The Russian group, known as “Turla” and accused by Estonian and Czech authorities of operating on behalf of Russia’s FSB security service, has used Iranian tools and computer infrastructure to successfully hack into organizations in at least 20 different countries over the last 18 months, British security officials said.
The hacking campaign, the extent of which has not been previously revealed, was most active in the Middle East but also targeted organizations in Britain, they said.
Paul Chichester, a senior official at Britain’s GCHQ intelligence agency, said the operation shows state-backed hackers are working in a “very crowded space” and developing new attacks and methods to better cover their tracks.
In a statement accompanying a joint advisory with the U.S. National Security Agency (NSA), GCHQ’s National Cyber Security Centre said it wanted to raise industry awareness about the activity and make attacks more difficult for its adversaries.
“We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them,” said Chichester, who serves as the NCSC’s director of operations.
Officials in Russia and Iran did not immediately respond to requests for comment sent on Sunday. Moscow and Tehran have both repeatedly denied Western allegations over hacking.
GLOBAL HACKING CAMPAIGNS
Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world.
Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as “APT34” which cybersecurity researchers at firms including FireEye say works for the Iranian government.
Rather, the Russian hackers infiltrated the Iranian group’s infrastructure in order to “masquerade as an adversary which victims would expect to target them,” said GCHQ’s Chichester.
Turla’s actions show the dangers of wrongly attributing cyberattacks, British officials said, but added that they were not aware of any public incidents that had been incorrectly blamed on Iran as a result of the Russian operation.
The United States and its Western allies have also used foreign cyberattacks to facilitate their own spying operations, a practice referred to as “fourth party collection,” according to documents released by former U.S. intelligence contractor Edward Snowden and reporting by German magazine Der Spiegel.
GCHQ declined to comment on Western operations.
By gaining access to the Iranian infrastructure, Turla was able to use APT34’s “command and control” systems to deploy its own malicious code, GCHQ and the NSA said in a public advisory.
The Russian group was also able to access the networks of existing APT34 victims and even access the code needed to build its own “Iranian” hacking tools.
Additional reporting by Vladimir Soldatkin in Moscow and Babak Dehghanpisheh in Geneva; Editing by Frances Kerry
The FBI has warned that “the threat” to U.S. election security “from nation-state actors remains a persistent concern,” that it is “working aggressively” to uncover and stop, and the U.S. Director of National Intelligence has appointed an election threats executive, explaining that election security is now “a top priority for the intelligence community—which must bring the strongest level of support to this critical issue.”
With this in mind, a new report from cybersecurity powerhouse Check Point makes for sobering reading. “It is unequivocally clear to us,” the firm warns, “that the Russians invested a significant amount of money and effort in the first half of this year to build large-scale espionage capabilities. Given the timing, the unique operational security design, and sheer volume of resource investment seen, Check Point believes we may see such an attack carried out near the 2020 U.S. Elections.”
None of which is new—it would be more surprising if there wasn’t an attack of some sort, to some level. What is new, though, is Check Point’s unveiling of the sheer scale of Russia’s cyberattack machine, the way it is organised, the staggering investment required. And the most chilling finding is that Russia has built its ecosystem to ensure resilience, with cost no object. It has formed a fire-walled structure designed to attack in waves. Check Point believes this has been a decade or more in the making and now makes concerted Russian attacks on the U.S. “almost impossible” to defend against.
The new research was conducted by Check Point in conjunction with Intezer—a specialist in Genetic Malware Analysis. It was led by Itay Cohen and Omri Ben Bassat, and has taken a deep dive to get “a broader perspective” of Russia’s threat ecosystem. “The fog behind these complicated operations made us realize that while we know a lot about single actors,” the team explains, “we are short of seeing a whole ecosystem.”
And the answer, Check Point concluded, was to analyse all the known data on threat actors, attacks and malware to mine for patterns and draw out all the connections. “This research is the first and the most comprehensive of its kind—thousands of samples were gathered, classified and analyzed in order to map connections between different cyber espionage organizations of a superpower country.”
The team expected to find deep seated linkages, connections between groups working into different Russia agencies—FSO, SVR, FSB, GRU. After all, one can reasonably expect all of the various threat groups sponsored by the Russian state to be on the same side, peddling broadly the same agenda.
But that isn’t what they found. And the results from the research actually carry far more terrifying implications for Russia’s capacity to attack the U.S. and its allies on a wide range of fronts than the team expected. It transpires that Russia’s secret weapon is an organisational structure which has taken years to build and makes detection and interception as difficult as possible.
“The results of the research were surprising,” Cohen explains as we talk through the research. “We expected to see some knowledge, some libraries of code shared between the different organizations inside the Russian ecosystem. But we did not. We found clusters of groups sharing code with each other, but no evidence of code sharing between different clusters.” And while such findings could be politics and inter-agency competition, the Check Point team have concluded that it’s more likely to have an operational security motive. “Sharing code is risky—if a security researcher finds one malware family, if it has code shared with different organizations, the security vendor can take down another organisation.”
The approach points to extraordinary levels of investment. “From my perspective,” Yaniv Balmas, Check Point’s head of cyber research, tells me, “we were surprised and unhappy—we wanted to find new relationships and we couldn’t. This amount of effort and resources across six huge clusters means huge investment by Russia in offensive cyberspace. I have never seen evidence of that before.”
And the approach has been some time in the making. “It’s an ongoing operation,” Cohen says, “it’s been there for at least a decade. This magnitude could only be done by China, Russia, the U.S. But I haven’t seen anything like it before.”
The research has been captured in “a very nice map,” as Balmas described it. This map has been built by Check Point and Israeli analytics company Intezer, a complex interactive tool that enables researchers to drill down into malware samples and attack incidents, viewing the relationships within clusters and the isolated firewalls operating at a higher level.
The research has been angled as an advisory ahead of the 2020 U.S. elections. Russia has the capability to mount waves of concerted attacks. It’s known and accepted within the U.S. security community that the elections will almost certainly come under some level of attack. But the findings actually point to something much more sinister. A cyber warfare platform that does carry implications for the election—but also for power grids, transportation networks, financial services.
“That’s the alarming part,” Check Point’s Ekram Ahmed tells me. “The absence of relationships. The sheer volume and resource requirements leads us to speculate that it’s leading up to something big. We’re researchers— if it’s alarming to us, it should definitely be alarming to the rest of the world.”
So what’s the issue? Simply put, it’s Russia’s ability to attack from different angles in a concerted fashion. Wave upon wave of attack, different methodologies with a common objective. And finding and pulling one thread doesn’t lead to any other cluster. No efficiencies have been sought between families of threat actors. “Offense always has an advantage over defense,” Balmas says, “but here it’s even worse. Given the resources Russia is putting in, it’s practically impossible to defend against.”
“It’s alarming,” Check Point explains in its report, “because the segregated architecture uniquely enables the Russians to separate responsibilities and large-scale attack campaigns, ultimately building multi-tiered offensive capabilities that are specifically required to handle a large-scale election hack. And we know that these capabilities cost billions of dollars to build-out.”
I spend a lot of time talking to cybersecurity researchers—it’s a noisy space. And given current geopolitics, the Gulf, the trade war, the “splinternet,” there is plenty to write about. But I get the sense here that there’s genuine surprise and alarm at just what has been seen, the extent and strategic foresight that has gone into it, the implications.
And one of those implications is that new threats, and new threat actors if they follow the same approach, will be harder to detect. The Check Point team certainly think so. “This is the first time at such a scale we have mapped a whole ecosystem,” the team says, “the most comprehensive depiction yet of Russian cyber espionage.”
And attacks from Russia, whichever cluster might be responsible, tend to bear different hallmarks to the Chinese—or the Iranians or the North Koreans.
“Russian attacks tend to be very aggressive,” Balmas explains. “Usually in offensive cyber and intelligence, the idea is to do things that no-one knows you’re doing. But the Russians do the opposite. They’re very noisy. Encrypting or shutting down entire systems they attack. Formatting hard drives. They seem to like it—so an election attack would likely be very aggressive.”
With 2020 in mind, Ahmed explains, “given what we can see, the organization and sheer magnitude of investment, an offensive would be difficult to stop—very difficult.”
Cohen reiterates the staggering investment implications of what they’ve found. “This separation shows Russia is not afraid to invest an enormous amount of money in this operation. There’s no effort to save money. Different organisations with different teams working on the same kind of malware but not sharing code. So expensive.”
All the research and the interactive map is available and open source, Cohen explains, “researchers can see the connections between families, better understanding of evolution of families and malware from 1996 to 2019.”
The perceived threat to the 2020 election is “speculation,” Check Point acknowledges. “But it’s based on how the Russians are organizing, the way they’re building the foundation of their cyber espionage ecosystem.”
So, stepping back from the detail what’s the learning here? There have been continual disclosures in recent months on state-sponsored threat actors and their tactics, techniques and procedures. The last Check Point research I reported on disclosed China’s trapping of NSA malware on “honeypot” machines. Taken in the round, all of this increased visibility on Russian and Chinese approaches, in particular, provides a better sense of the threats as the global cyber warfare landscape becomes more complex and integrated with the physical threats we also face.
On Monday [September 23], 27 nation-states signed a “Joint Statement on Advancing Responsible State Behavior in Cyberspace,” citing the use of cyberspace “to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them.”
The statement was made with Russia and China in mind, and a good working example of how such attack campaigns are supported in practice can be viewed by exploring Check Point’s Russian cyber espionage map, which is now available online.
Cisco Systems, Inc. (NASDAQ:CSCO) is trading lower today, after the company announced that a group of hackers have compromised more than 500,000 routers and other devices in several countries. Cisco suspects this was the work of the Russian government, and its ultimate plan was to launch a major cyber attack on Ukraine. Shares of CSCO have shed 0.8% on the news, last seen at $43.28, falling back below the 80-day moving average and pacing for their lowest close since April 13. This trendline, a previous level of support, was brought back into play by the stock’s post-earnings bear gap last Thursday.
Longer term, the networks specialist has been strong on the charts, up 36.4% over the last year. This technical success has earned the stock almost exclusively bullish attention from analysts, with 18 of the 20 in coverage saying to buy the shares. Also, the average one-year price target from this group is $49.74, which prices in upside of almost 15%.
Options traders across the International Securities Exchange (ISE), Chicago Board Options Exchange (CBOE), and NASDAQ OMX PHLX (PHLX) have been bullish, too. CSCO sports a 10-day call/put volume ratio of 3.07 across these exchanges, a number that ranks in the top quartile of its annual range. So not only has call buying tripled put buying, but such a preference for calls over puts is pretty rare.
It’s a similar setup in today’s trading, despite the pullback, with call volume tripling put volume, and the July 44 call coming in as the most popular. But considering Cisco has a Schaeffer’s Volatility Index (SVI) of 18%, which ranks in the low 12th annual percentile, even put buyers can at least rest assured they’re getting relatively low volatility premiums at the moment.
Russian hackers have infected more than half a million routers across 54 countries with sophisticated malware that contains a killswitch to instantly cut internet access to users, security researchers have revealed.
The VPNFilter malware also allows attackers to monitor the web activity of anyone using the routers, including their passwords, potentially opening up the possibility of further hacks.
“Both the scale and capability of this operation are concerning,” William Largent, a researcher at the cybersecurity firm Talos, said in a blogpost describing the vulnerability.
“The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware.”
The malware has been attributed to a group of Russian hackers variously known as Sofacy Group, Fancy Bear and APT28. The group has been in operation since the mid-2000s and has previously been blamed for attacks on targets ranging from the Ukrainian military to the 2017 French elections.
Security researchers tell The Independent that the discovery of the malware highlights a broader issue of how vulnerable internet-connected infrastructure is to cyber attacks.
“No longer can we afford to keep our critical infrastructure connected to, and therefore directly accessible to, the internet,” said Eric Trexler, vice president of global governments and critical infrastructure at cybersecurity firm Forcepoint.
“VPNFilter proves that time-tested military techniques such as network segregation not only make sense, but are required if we expect industrial services to remain resilient in the face of sophisticated and persistent attacks.”
Routers found to be vulnerable to the VPNFilter malware include Linksys, MikroTik, Netgear and TP-Link, all of which are often used in homes or small offices. The researchers say they have not yet completed their research but they are making it public now to draw attention to it.
“Defending against this threat is extremely difficult due to the nature of the affected devices,” Mr Largent said.
“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”
The FBI responded to the revelations by granting court permission to seize a web domain believed to be in control of the Russian hackers.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement on Wednesday.
FBI Special Agent Bob Johnson added: “Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”