The Washington PostDemocracy Dies in Darkness

U.S., British governments warn businesses worldwide of Russian campaign to hack routers

April 16, 2018 at 7:23 p.m. EDT
American and British officials say the Russian government is behind a global campaign targeting computer routers and firewalls. (Dado Ruvic/Reuters)

The U.S. and British governments on Monday accused Russia of conducting a massive campaign to compromise computer routers and firewalls around the world — from home offices to Internet providers — for espionage and possibly sabotage purposes.

The unusual public warning from the White House, U.S. agencies and Britain’s National Cyber Security Center follows a years-long effort to monitor the threat. The targets number in the millions, officials say, and include “primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.”

It was the two countries’ first such joint alert.

“We have high confidence that Russia has carried out a coordinated campaign to compromise . . . routers, residential and business — the things you and I have in our home,” said Rob Joyce, the White House cybersecurity coordinator.

Here's what you need to know about what cyberweapons are and when they have been used in the past. (Video: Dani Player, Sarah Parnass/The Washington Post)

Trump administration hits Russian spies, trolls with sanctions over U.S. election interference, cyberattacks

“We condemn the actions and hold the Kremlin responsible for the malicious activities,” said Jeanette Manfra, the chief cybersecurity official for the Department of Homeland Security.

The warning is unrelated to the administration’s recent military strikes on suspected chemical weapons facilities in Syria, action Russia condemned. Rather, it is part of a broader ongoing effort by the U.S. government to call out bad behavior in cyberspace and impose costs as a deterrent.

“When we see malicious cyber activity, whether it be from the Kremlin or other malicious actors, we’re going to push back,” Joyce said.

Monday’s announcement is the latest in a series of related moves by the Trump administration, which in recent months has publicly blamed Russia for launching the NotPetya worm that has been characterized as the costliest and most destructive cyberattack in history. It also recently announced that Russia had targeted the U.S. energy grid with computer malware, and it slapped fresh sanctions on Russian hackers for illicit cyber activity.

The U.S. government also has obtained indictments against Iranian hackers, and accused North Korea of being behind the WannaCry computer worm that affected more than 230,000 computers around the world.

The U.S. and British governments jointly tracked the latest campaign, which has targeted millions of machines globally, said Ciaran Martin, chief executive of Britain’s NCSC, the government’s central cybersecurity agency.

The aim seems to be to “seize control” of the machines that connect networks to the Internet, and in the case of Internet providers, to gain access to their customers, for espionage or other purposes, he said.

These network devices make “ideal targets,” said Manfra, Homeland Security’s assistant secretary for cybersecurity and communications. Most traffic within a company or between organizations traverses them. So a hacker can monitor, modify or disrupt it, she said. And they’re usually not secured at the same level as a network server.

“Once you own the router, you own the traffic that’s traversing the router,” she said.

The agencies, which include the FBI, do not know precisely how many routers, firewalls and switches have been compromised and to what extent. They are seeking the cooperation of home office and private-sector business owners in sharing information if they determine their networks have been compromised.

In its alert Monday, DHS described the hackers’ techniques, from scanning Internet address spaces to exploiting routers, switches and network intrusion-detection devices.

U.S. officials said this year that Russian military hackers compromised routers in South Korea in January and deployed new malware when the Olympics began in February. It was not clear Monday whether that compromise was part of the same campaign.