Russian State-Sponsored Cyber Attack On Network Infrastructure Devices

Overview and Impact of the Attack

On April 19, 2018, the NCCIC and the FBI became aware of malicious activity carried out by a group of Russian state-sponsored actors. The alert describes the actors' tactics, techniques, and procedures together with the network indicators of the activity. Through this activity the attackers are able to obtain sensitive information and system files from interconnected devices. NCCIC has published measures that organizations can use to detect and prevent these attacks. These measures include system and network administrators inspecting traffic flowing from unknown addresses and watching for the modification and destruction of system files and logs [1]. The alert focuses on devices such as routers, intrusion detection systems, and switches. The Russian attackers are targeting both government and private organizations. By using the compromised devices, the attackers are able to obtain intellectual property, maintain persistent access to the networks of their victims, and lay the groundwork for future attacks.

The key purpose of the technical alert is to provide detailed information about the activities conducted by the Russian attackers and the information needed to identify malicious activity on network devices. It also aims to provide the information necessary for reducing susceptibility to this activity.

The attackers exploit various weaknesses in network administration practices. These weak points are used to identify candidate devices for an attack, extract system settings and configurations, collect login information and credentials, and obtain administrator privileges on the devices. They can also redirect the victim's network traffic through routers controlled by the attackers. In taking advantage of these weaknesses the attackers do not need to install malware on the target devices; they use the existing settings and features of the devices to conduct the attacks [2]. Authenticating services, hardening devices before installation, and keeping network devices up to date with manufacturer updates are essential in ensuring that the attackers have no entry points into an organization's systems [3]. Network devices are considered easy targets because little is done to maintain them after installation. Few network devices run antivirus programs or other security tools that could protect them from attackers. The default settings of many devices are never changed, which gives the attackers an obvious place to start, since most devices from the same manufacturer ship with the same default settings.

Actions to Detect and Prevent the Attack

The attackers' activity is divided into stages. Reconnaissance focuses on identifying internet-facing services and ports that indicate vulnerability to intrusion. The weaponization and delivery stages focus on making the target device send its system files and configuration to the attackers [4]. In the exploitation stage the attackers impersonate legitimate users to exploit the identified network devices; having obtained the necessary login credentials, they can authenticate to the device and authorize its functions. The installation stage allows the attackers to download and overwrite files on the network devices, especially those made by Cisco. The final stage is the impact and control stage, where the attackers log in to a network device and establish connections to previously uploaded operating system images [5] that contain a backdoor. As a result, the attackers are able to execute commands with administrator privileges.

The technical alert focuses on attacks against network infrastructure devices, and this note is to bring to your attention the specific systems that are affected. These include devices with generic routing encapsulation (GRE) enabled, devices with Cisco Smart Install (SMI) enabled, and network devices configured to use the Simple Network Management Protocol (SNMP). In light of these developments, system administrators are encouraged to inspect network traffic flowing to and from unknown addresses, with particular attention to IP protocol 47 (GRE). You should also be on the lookout for the creation of GRE tunnels and for the destruction or modification of log files [6]. The individuals perpetrating these attacks target vulnerable protocols and service ports, including weak protocols and exposed ports. By exploiting these weaknesses they are able to obtain sensitive device information, identify and access exposed devices, copy access credentials, and alter device configurations, operating systems, and firmware. Therefore, to stay safe from these attacks, network traffic should be monitored as closely as possible; network logs should be reviewed regularly for SMI and TFTP activity, with attention to port 4786 on all devices on the network; and device logs should be evaluated for evidence of UDP SNMP traffic directed from hosts to network devices on ports 161 and 162 [7]. Determining whether SMI and SIET are present and in use is essential.
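As an added example (not part of the original brief), the following Python script applies the indicators listed above to constructed flow records: GRE (IP protocol 47) between an inside device and an outside address, Smart Install on TCP 4786, and SNMP on UDP 161/162 reaching a network device from anything other than an assumed management host. The device inventory, management-host list, and address space are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed flow records (not from the alert): "time src dst ip-proto dst-port".
# IP protocol numbers: 6 = TCP, 17 = UDP, 47 = GRE (GRE carries no port, recorded as 0).
SAMPLE_FLOWS = """\
2018-04-19T10:00:01Z 10.0.50.10 10.0.0.1 17 161
2018-04-19T10:00:02Z 203.0.113.5 10.0.0.1 17 161
2018-04-19T10:00:03Z 198.51.100.7 10.0.0.2 6 4786
2018-04-19T10:00:04Z 10.0.0.2 198.51.100.7 6 443
2018-04-19T10:00:05Z 10.0.0.1 192.0.2.9 47 0
2018-04-19T10:00:06Z 10.0.50.10 10.0.0.2 6 22
"""

# Assumed inventory (hypothetical): the routers/switches and the only hosts that should manage them.
NETWORK_DEVICES = {"10.0.0.1", "10.0.0.2"}
MANAGEMENT_HOSTS = {"10.0.50.10"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the organization's address space (assumed)

Finding = namedtuple("Finding", "time src dst reason")

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def check_flow(src, dst, proto, port):
    """Return a reason string if the flow matches an indicator from the alert, else None."""
    # GRE between an inside device and an unknown outside address suggests a redirection tunnel.
    if proto == 47 and not (is_internal(src) and is_internal(dst)):
        return "GRE (IP protocol 47) with an address outside the organization"
    # Management-plane protocols should only reach a device from the management hosts.
    if dst in NETWORK_DEVICES and src not in MANAGEMENT_HOSTS:
        if proto == 6 and port == 4786:
            return "Smart Install (TCP 4786) from a non-management host"
        if proto == 17 and port in (161, 162):
            return "SNMP (UDP %d) from a non-management host" % port
    return None

def scan_flows(text):
    """Parse the flow records and return the flows that match an indicator."""
    findings = []
    for line in text.splitlines():
        time, src, dst, proto, port = line.split()
        reason = check_flow(src, dst, int(proto), int(port))
        if reason:
            findings.append(Finding(time, src, dst, reason))
    return findings

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f.time, f.src, "->", f.dst, ":", f.reason)
```

On the constructed sample, the three flagged flows are the outside SNMP poll, the outside Smart Install connection, and the GRE tunnel to an unknown address; the management host's own SNMP and SSH sessions are not flagged.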

In light of the information regarding attacks directed at network devices, the organization has deemed it necessary to inform you that there is no cause for alarm, as it is doing everything possible to ensure that all security measures are in place. Your assets and information are safe. The attackers' aim is to take advantage of areas they consider weak in order to obtain user login credentials, modify operating system settings, and extract system settings. They also limit the traffic that flows through the routers [8]. The Russian attackers take advantage of unencrypted data and unauthenticated services, devices that are not up to date on security updates from developers and manufacturers, and devices that have not been sufficiently hardened before installation.

Considerations for Business Managers

The organization can take a number of actions to ensure that the Russian attackers find no way in. These steps may include the following. The flow of unencrypted data into and out of the organization will be limited [9]. Management activities should be carried out over virtual private networks in which both the sending and the receiving end are encrypted. Access to the management interface will be limited, and no network device will be allowed to interact with it. This can be achieved by blocking access to the management interface from the internet and restricting it to trusted internal hosts [10]. Password policies are an essential aspect of maintaining a high level of security. Therefore, default passwords should be changed and a strong password policy put in place. The same password should not be used to access different devices; each password should apply to a single device only. The use of two-factor authentication is strongly recommended [11].
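As an added example (not the organization's own tooling), the following Python check audits a constructed Cisco-IOS-style configuration excerpt for the device-level points above: Smart Install left enabled, unencrypted (telnet) management access, a management interface not restricted to trusted hosts, default or writable SNMP communities, and a reversible enable password instead of a hashed secret. Both configuration excerpts and the hostname are constructed, and the check assumes a platform where Smart Install stays enabled unless the configuration contains 'no vstack'.

```python
import re

# Constructed Cisco-IOS-style running-config excerpts (hypothetical device, not from the alert).
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
snmp-server community public RW
line vty 0 4
 transport input telnet
 login
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
no vstack
enable secret 9 $9$PLACEHOLDER-HASH
snmp-server community mgmt-ro RO 20
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

def audit_config(text):
    """Return findings for the weaknesses the brief lists; an empty list means none found."""
    findings = []
    lines = text.splitlines()
    # Heuristic (assumption): Smart Install stays enabled unless the config says 'no vstack'.
    if "no vstack" not in lines:
        findings.append("Smart Install not disabled (expected 'no vstack')")
    # 'enable password' is reversibly encoded; 'enable secret' stores a hash.
    if any(l.startswith("enable password ") for l in lines):
        findings.append("reversible 'enable password' used instead of 'enable secret'")
    # Default or writable SNMP communities let an attacker read or change the configuration.
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)", text, re.M):
        name, mode = m.groups()
        if mode == "RW" or name in ("public", "private"):
            findings.append("weak SNMP community '%s' (%s)" % (name, mode))
    # The vty block is the 'line vty' line plus the indented lines that follow it.
    vty = re.search(r"^line vty.*\n((?: .*\n?)*)", text, re.M)
    if vty:
        block = vty.group(1)
        if re.search(r"transport input (telnet|all)", block):
            findings.append("unencrypted management access (telnet) on vty lines")
        if "access-class" not in block:
            findings.append("management access not restricted to trusted hosts (no access-class)")
    return findings
```

Run against a real running-config export, the weak excerpt produces five findings and the hardened one produces none.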

Handling this task was quite challenging. In handling this task, various issues presented a challenge which I had to overcome to bring into perspective the message to fit the intended audience. In completing this assignment, I had to take into consideration the perspective of each and every audience. I had to understand how each and every individual viewed the technical alert. For instance, when preparing the brief for the business manager, I had to take into consideration aspects of management. Managers are concerned with the what and the how. Therefore, I had to extract from the source a description of what the threat was all about. I had to bring into perspective how the attack came into perspective. And since management is involved with systematic and strategic issues, I had to bring in a systematic perspective on the issue.

When preparing the email to IT colleagues, I had to take into consideration the information that IT professionals are concerned with. This information involved the methods used to access network devices and the proposed solutions and what the network administrators and all other IT colleagues needed to do to ensure that the security policies are of the highest degree possible to ensure that the attackers do not exploit vulnerabilities in network devices. Here I had to bring into perspective a technical and implementation perspective.

Preparing web content for the users was the most challenging aspect of them all. Users are always very pessimistic when issues relating to their assets are brought into perspective. Therefore I had to try to extract content that relates to the user from the source. The user is greatly concerned with how his information and assets can be protected from the attackers, and therefore I had to act as an agent for creating confidence in the minds and perspectives of the users. I had to transform a pessimistic perspective into an optimistic perspective. Consolidating these two perspectives was quite a challenge.


[1] EC-Council, Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures (CEH), Book 4, Cengage Learning, 2016.

[2] A. Behl, Securing Cisco IP Telephony Networks: Securing Cisco IP Teleph Network, Cisco Press, 2012.

[3] Cisco Networking Academy, Introduction to Networks Companion Guide, Cisco Press, 2013.

[4] N. Meghanathan, S. Boumerdassi, N. Chaki and D. Nagamalai, Recent Trends in Networks and Communications: International Conferences, NeCoM 2010, WiMoN 2010, WeST 2010, Chennai, India, July 23-25, 2010. Proceedings, Springer Science & Business Media, 2010.

[5] E. Gilman and D. Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks, O'Reilly Media, 2017.

[6] E. Seagren, Secure Your Network for Free, Elsevier, 2011.

[7] I. Dubrawsky, How to Cheat at Securing Your Network, Syngress, 2011.

[8] M. Gregg, The Network Security Test Lab: A Step-by-Step Guide, John Wiley & Sons, 2015.

[9] C. Bowman, A. Gesher, J. Grant, D. Slate and E. Lerner, The Architecture of Privacy: On Engineering Technologies that Can Deliver Trustworthy Safeguards, O'Reilly Media, 2015.

[10] J. Vacca, Computer and Information Security Handbook, Newnes, 2012.

[11] Advances in Information Technology Research and Application: 2013 Edition: ScholarlyBrief, ScholarlyEditions, 2013.