Russian hackers are exploiting commonly sold internet routers to harvest information for espionage purposes, the UK’s cybersecurity agency has said.
The hack could allow attackers to obtain users’ credentials, redirect them to fake sites, and potentially access other devices on their home network such as phones and PCs, said Alan Woodward, a professor at the University of Surrey.
The National Cyber Security Centre said on Tuesday the operations were “believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain”.
It follows a common pattern of cyber-actors targeting edge devices – hardware such as internet routers or internet-connected security cameras – that act as a bridge between users and the cloud.
Woodward said: “It’s not the first time that warnings have come out about routers. The main thing to say is that these so-called edge devices are quite often forgotten about, and they can become a weak point.”
If attackers successfully attacked a router, he said, they could “take you to fake sites. You might think you’re going to your bank, but they take you somewhere else.
“They can establish themselves on your network, move around your network, and see if the devices on your network – your PC, your phone – have any vulnerabilities.”
The group behind the attacks was probably APT28 or Fancy Bear, wrote the NCSC, which was “almost certainly” linked to Russian intelligence services.
APT28 was also behind cyber-attacks on the German parliament in 2015, in which large amounts of data were stolen, including confidential emails and the schedules of German MPs.
“We don’t tend to know a lot about them. The suspicion is they’re working on behalf of the Russian state, but no one knows for definite, because often nation-state attacks are done through criminal groups,” said Woodward.
The US has recently banned the sale of all consumer-grade internet routers made outside of the country, with the Federal Communications Commission saying they “pose unacceptable risks to the national security of the United States”.
“Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft,” it said, saying that foreign-made routers had been involved in several recent cyberattacks targeting US infrastructure.
As almost all internet routers are made in China or Taiwan, this stands to severely affect a number of US hardware makers. An exception to this is Elon Musk’s Starlink, which manufactures a large part of its devices in Texas.
Privacy experts have said this outright ban will not fully address vulnerabilities in existing internet routers, and that a more significant problem may be that internet routers currently in use are at the end of their lives and no longer receiving security updates.
Woodward said the NCSC’s warning was an indication that small businesses and individuals should keep their routers updated. “If you’re a small business, you should look out for unusual activities on your network. A lot of routers are just forgotten about.”
One of the largest cyberattacks in history, in which hackers stole $80m from Bangladesh’s central bank in 2016, happened because the bank used cheap, secondhand internet routers that were accessible from the broader internet.
Hackers were able to access the router, then the core network of the central bank, from there transferring its cash to accounts in the Philippines. It is believed that a state-linked North Korean hacking group was behind the attack.
Woodward said: “It’s the classic way that people probe, and it’s almost bound to happen again.”
