
Russian Government Hackers Broke Into Thousands of Home Routers To Steal Passwords (techcrunch.com) 70

An anonymous reader quotes a report from TechCrunch: A group of Russian government hackers has hijacked thousands of home and small business routers around the world as part of an ongoing campaign aimed at redirecting victims' internet traffic to steal their passwords and access tokens, security researchers and government authorities warned on Tuesday. [...] The hacking group targeted unpatched routers made by MikroTik and TP-Link using previously disclosed vulnerabilities, according to the U.K. government's cybersecurity unit, the NCSC, and Lumen's research arm, Black Lotus Labs, which released new details of the campaign Tuesday.

According to the researchers, the hackers were able to spy on large numbers of people over the course of several years by compromising their routers, many of which run outdated software, leaving them vulnerable to remote attacks without their owners' knowledge. The NCSC said that these operations are "likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops." Per the researchers and government advisories, the Russian hackers hacked routers to modify the device's settings so that the victim's internet requests are surreptitiously passed to infrastructure run by the hackers. This allows the hackers to redirect victims to spoof websites under their control, then steal passwords and tokens that let the hackers log in to that victim's online accounts without needing their two-factor authentication codes.

Black Lotus Labs said that Fancy Bear compromised at least 18,000 victims in around 120 countries, including government departments, law enforcement agencies, and email providers across North Africa, Central America, and Southeast Asia. Microsoft, which also released details of the campaign on Tuesday, said in a blog post that its researchers identified over 200 organizations and 5,000 consumer devices affected by these hacking operations, including at least three government organizations in Africa.
The Justice Department said Tuesday it neutralized compromised routers in the U.S. under court authorization. As the DOJ put it, the FBI "developed a series of commands to send to compromised routers" to collect evidence, reset settings, and prevent hackers from breaking back in.
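The summary says the attackers changed router settings so that traffic from behind the router was routed through infrastructure they controlled, and the comments below ask how anyone would notice. One concrete check is to audit the router's own configuration export for the settings that make such redirection or relaying possible. The following is an added example, not code from TechCrunch, Lumen, the NCSC or Microsoft; the export is a constructed sample in MikroTik RouterOS `/export` syntax (an assumption about what the operator has to hand; other vendors need a different parser), and the checks are general hardening heuristics rather than indicators tied to this campaign.

```python
"""Audit a router configuration export for settings that would let a
compromised router redirect or relay a LAN's traffic.

Added example; not code from TechCrunch, Lumen, the NCSC or Microsoft.
SAMPLE_EXPORT is a constructed MikroTik RouterOS `/export` fragment
(assumption: that is the format available), and the checks are generic
hardening heuristics, not indicators of this particular campaign.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.53,1.1.1.1
/ip service
set www address=""
set winbox address=""
set api disabled=no
set ssh address=192.168.88.0/24
set telnet disabled=yes
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=1080
/system scheduler
add interval=10m name=upd on-event=fetch-and-run
"""

EXPECTED_DNS: Set[str] = {"1.1.1.1", "9.9.9.9"}   # resolvers the operator chose
LAN = "192.168.88.0/24"                            # where admin access belongs
ADMIN_SERVICES = {"www", "www-ssl", "winbox", "api", "api-ssl", "ssh", "telnet", "ftp"}

# key=value pairs; quoted values may be empty or contain spaces
KV_RE = re.compile(r'([\w-]+)=("([^"]*)"|\S*)')

Entry = Tuple[str, str, str, Dict[str, str]]  # section, verb, item name, kvs


def parse_export(text: str) -> List[Entry]:
    """Split an export into (section, verb, name, kvs) entries.
    Sections are the '/ip dns' headers; verbs are 'set'/'add'; the item
    name is the first bare token after the verb ('set www ...')."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        head, _, tail = rest.partition(" ")
        name = ""
        if head and "=" not in head:
            name, rest = head, tail
        kvs = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
               for m in KV_RE.finditer(rest)}
        entries.append((section, verb, name, kvs))
    return entries


def audit(text: str, expected_dns: Set[str], lan_cidr: str) -> List[str]:
    """Return one finding per setting that deserves a second look."""
    findings: List[str] = []
    for section, verb, name, kvs in parse_export(text):
        if section == "/ip dns" and "servers" in kvs:
            # Upstream resolvers not chosen by the operator are the classic
            # way to steer every client behind the router to spoofed sites.
            rogue = set(kvs["servers"].split(",")) - expected_dns
            if rogue:
                findings.append(f"dns: unexpected upstream resolvers {sorted(rogue)}")
        elif section == "/ip service" and name in ADMIN_SERVICES:
            if kvs.get("disabled") == "yes":
                continue
            addr = kvs.get("address", "")
            if addr == "":
                findings.append(f"service {name}: no address restriction "
                                "(reachable from WAN unless firewalled)")
            elif addr != lan_cidr:
                findings.append(f"service {name}: restricted to {addr}, not the LAN {lan_cidr}")
        elif section in ("/ip proxy", "/ip socks") and kvs.get("enabled") == "yes":
            # An enabled proxy turns the router into a relay for whoever reaches it.
            findings.append(f"{section[4:]}: enabled on port {kvs.get('port', '?')}")
        elif section == "/system scheduler" and verb == "add":
            # Timed jobs are a common persistence spot; list them for review.
            findings.append(f"scheduler: job {kvs.get('name', '?')!r} runs "
                            f"{kvs.get('on-event', '?')!r} every {kvs.get('interval', '?')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, EXPECTED_DNS, LAN):
        print(finding)
```

Run against the sample, the audit flags the rogue resolver, the three management services with no address restriction, the enabled proxy and SOCKS services and the scheduled job, while the SSH service bound to the LAN and the disabled telnet service pass. A real export will contain far more sections; the point is that the settings an attacker has to change to redirect traffic are all visible in the configuration, so diffing a fresh export against a known-good one is a cheap, repeatable check.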


  • ISPs should be blocking any inbound traffic that's not part of an established session

    • by darkain ( 749283 ) on Wednesday April 08, 2026 @12:17AM (#66082498) Homepage

      That would require session tracking information on literally every single customer, and is also a direct violation of the basic ideals of "net neutrality". These are why it is handled at the edge rather than by the trunk routers.

      Oh, and also, the internet as a whole is asymmetrical in routing. The only way this is practical is on the edge, or MAYBE one hop up from an edge router (assuming there is no dynamic load balancing going on that you cannot see).

    • by silentbozo ( 542534 ) on Wednesday April 08, 2026 @12:35AM (#66082504) Journal

      The linked articles are remarkably light on details of how the routers were compromised. Were they breached from the internet side due to backdoors or poorly implemented services? Was it some sort of configuration default for remote administration that was just bulk abused? Or were the routers compromised from inside the network by malware running locally on machines, or on malware compromised pages? Was it due to remote code execution or was it due to default admin credentials or easily guessable passwords?

      Kind of hard to defend against a threat if they won't tell you how the deed was done.

      • by Himmy32 ( 650060 )

        From Lumen's blog post [lumen.com]:

        exploit CVEs associated with vulnerabilities in the web-interface on TP-Link and MikroTik routers.

        Doing a simple search for TP-Link [cvedetails.com] and MikroTik [cvedetails.com] CVEs leaves a few that aren't just denial of service attacks but fit that description of being against a web interface.

        • Yeah, I read through those... and found that while it described a vulnerability, it was still light on actual exploit details.

          Did they compromise the inward facing web interface, or an outward web interface? Did they do it through social engineering, or through malware running on devices on the internal network? Was the malware persistent or was it a drive-by instance running a portscanner in a browser instance?

          Basically, the question I have is - would flashing say, openWRT on these devices been enough to

          • by Himmy32 ( 650060 )

            it was still light on actual exploit details.

            That's almost assuredly because how they got into the routers wasn't something new and unexplained.

            Did they compromise the inward facing web interface, or an outward web interface?

            Consumer routers generally don't run the web interface on the WAN port by default. Mikrotik has had a couple big older CVEs with "Winbox" and gives the power to the user to shoot themselves in the foot with exposing interfaces. Search for FOISTed or the Meris botnet for tech details on those exploits.

            Did they do it through social engineering

            CVEs against the web interface with a large number of devices rules out social engineering as the primary m

    • ISP = Internet service provider. Blocking packets is precisely THE OPPOSITE of providing Internet.

    • by Sique ( 173459 )
      Define "established session", and how it works with SIP or H.323, and what happens if signalling runs within an encrypted channel!
    • > ISPs should be blocking any inbound traffic that's not part of an established session

      I have my own image running on my router.
    • According to a Brian Krebs article, initial access to devices such as routers and TV boxes that are vulnerable on the LAN side of a NATed home internet connection is sometimes via 'free' smartphone games and apps that contain residential proxy software.

      Some 'free' smartphone games and apps make money by allowing nefarious people to relay traffic through your home internet connection for things like fake social media accounts and credit card fraud but sometimes they also relay traffic to LAN ip addresses, ty

    • Why on earth would an ISP block any traffic when the traffic could put you over your data cap and they could get paid.

      • Many ISPs will stupidly block outgoing port 25 and all incoming ports by default, so I have no doubt that they would stupidly block other traffic as well. ISPs are run by technologically ignorant people, so it is a mistake to believe they act logically.

    • I can't wait to hear your answer to this: How do you propose to establish sessions if all inbound traffic is blocked?
      • It's not hard to allow only traffic related to an outgoing connection. Are you asking because you don't know how to do it? Not that I'm supporting the GP's assertion here, that's not what I want from my ISP, but it's not even slightly difficult to do what they said you should do without interfering with establishing and maintaining outgoing sessions.
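The policy argued over in this sub-thread (admit inbound packets only when they belong to a session the inside host opened) is what a connection-tracking firewall does. The following simulation is an added example, not code from any of the posters; the packet log is constructed, with 192.168.1.0/24 as the customer LAN and 192.168.1.1 as its router. It keeps per-flow state the way a connection tracker does, which also shows why the policy is cheap at the customer edge and awkward upstream: the box has to see both directions of every customer's flows, and on an asymmetric path the outbound half never passes it, so a legitimate reply is dropped.

```python
"""Simulate 'inbound traffic only if it belongs to an established session'.

Added example, not from any of the posts. LOG is a constructed packet trace;
the filter keeps one state entry per flow, like a connection tracker.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# proto, inside ip, inside port, outside ip, outside port
Flow = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    direction: str      # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S", "SA", "A", "FA", "R", ...


@dataclass
class StatefulFilter:
    conntrack: Dict[Flow, str] = field(default_factory=dict)  # flow -> state

    @staticmethod
    def _flow(p: Packet) -> Flow:
        """Normalise both directions of a flow onto one key."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        key = self._flow(p)
        state = self.conntrack.get(key)
        if p.direction == "out":
            # Outbound traffic is always allowed and creates or clears state.
            if p.proto == "tcp" and "R" in p.flags:
                self.conntrack.pop(key, None)
            elif state is None:
                self.conntrack[key] = "new"
            return "accept"
        # Inbound: nothing without matching state gets through.
        if state is None:
            return "drop"
        if p.proto == "tcp":
            if "R" in p.flags:
                self.conntrack.pop(key, None)
            elif state == "new":
                if p.flags != "SA":          # only a SYN-ACK answers our SYN
                    return "drop"
                self.conntrack[key] = "established"
        else:
            self.conntrack[key] = "established"
        return "accept"


def run(packets: List[Packet], filt: StatefulFilter) -> List[str]:
    """Apply the filter to a trace and return one verdict per packet."""
    return [filt.process(p) for p in packets]


# Constructed trace. 192.168.1.0/24 is the customer LAN, 192.168.1.1 its router.
LOG = [
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.5", 443, "S"),
    Packet("in",  "tcp", "203.0.113.5", 443, "192.168.1.10", 40000, "SA"),
    Packet("in",  "tcp", "203.0.113.5", 443, "192.168.1.10", 40000, "A"),
    # unsolicited probe of the router's management port: no state, dropped
    Packet("in",  "tcp", "198.51.100.7", 55555, "192.168.1.1", 8291, "S"),
    Packet("out", "udp", "192.168.1.10", 5353, "1.1.1.1", 53),
    Packet("in",  "udp", "1.1.1.1", 53, "192.168.1.10", 5353),
    # a reply to a port we never used: dropped
    Packet("in",  "udp", "1.1.1.1", 53, "192.168.1.10", 5354),
    # asymmetric routing: the SYN left via another path, so this legitimate
    # SYN-ACK has no state here and is dropped (darkain's objection above)
    Packet("in",  "tcp", "203.0.113.9", 443, "192.168.1.10", 40001, "SA"),
]

if __name__ == "__main__":
    f = StatefulFilter()
    for p, verdict in zip(LOG, run(LOG, f)):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport} {p.flags:2} {verdict}")
    print("tracked flows:", len(f.conntrack))
```

The filter needs one entry per live flow per customer, which is trivial on a home router and a very different proposition on an ISP aggregation router, and the last packet shows the failure mode once the two halves of a flow take different paths.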

  • They would have traded millions of passwords for an oil tanker
  • Fancy Bear? (Score:4, Funny)

    by Powercntrl ( 458442 ) on Wednesday April 08, 2026 @12:51AM (#66082510) Homepage

    Has anyone informed this hacker group that, seeing as how people usually don't keep bears as pets [wikipedia.org] (well, it is Russia we're talking about here, so I could be wrong on that), their namesake is a bear [wikipedia.org] who is totally fabulous?

    That's like calling your far right-wing organization "Proud Boys".

    • Re:Fancy Bear? (Score:5, Informative)

      by Himmy32 ( 650060 ) on Wednesday April 08, 2026 @10:37AM (#66083138)

      Fancy Bear is from CrowdStrike's "Adjective-Animal" naming scheme, where Bear is Russia and Panda is China. Microsoft goes with Noun Noun, where Russia is Blizzard, so this group is named Forest Blizzard in that scheme. FireEye uses a simple numbering scheme for their "Advanced Persistent Threats", so it is known as APT28 there. The earliest external naming of the group was after a 2014 attack, Sofacy. Here's a whole list of associated names for the group [mitre.org]

      Likely the group is Russia's GRU Unit 26165, but what that group calls itself internally isn't known.

    • by haruchai ( 17472 )

      "like calling your far right-wing organization "Proud Boys"

      given that the group's founder pegged himself live to prove he isn't homophobic, what's the problem with the name?

  • OpenWRT (Score:5, Insightful)

    by hcs_$reboot ( 1536101 ) on Wednesday April 08, 2026 @02:44AM (#66082558)
    1. Choose a router that supports OpenWRT
    2. Install OpenWRT on it
    Safer, faster and more customizable than the factory install.
    • Re:OpenWRT (Score:5, Informative)

      by anoncoward69 ( 6496862 ) on Wednesday April 08, 2026 @02:52AM (#66082568)
      Unfortunately not for the vast majority of the population. Just getting them to successfully flash an alternative firmware without bricking the router would be challenge #1. The next challenge is needing a basic understanding of how networking works to successfully configure something like OpenWRT.
      • The OpenWRT folks have improved their web interface a lot, and how to find the right, easy-to-install router.
        You can also choose a GL.iNET router which runs OpenWRT natively, it's a proprietary distrib, but you can easily flash a full OpenWRT version thanks to the interface.
        • by Ubi_NL ( 313657 )

          As Carlin said: imagine the stupidity of the average person, then realize half of the population is more stupid than that

        • You can also choose a GL.iNET router which runs OpenWRT natively, it's a proprietary distrib, but you can easily flash a full OpenWRT version thanks to the interface.
          Flag as Inappropriate

          Read that back, slowly. Then read it again and consider how many people you see on the street would have any idea what those letters mean.

          • Probably more than half of the population has no idea what a router even is. They probably just use their ISP provided router as is. I see so many of the local cable company default WiFi names on routers all over the neighborhood. People don't even make the effort to go in and change the WiFi name.
          • I got stuck at "Flag as inappropriate". Why recommend that, whatever it truly means? The rest was sort of okay I guess...
        • The OpenWRT folks have improved their web interface a lot, and how to find the right, easy-to-install router.

          It's still too complicated for the average person.

          You can also choose a GL.iNET router which runs OpenWRT natively

          That doesn't address how difficult it is to configure. Again, for a normal person who doesn't know what any of those settings mean. If you want normal people to be able to do this you're going to need to develop a config wizard for luci.

        • by gweihir ( 88907 )

          Forget it. The tech-skill of the average person is limited to "plug in cables as shown on the nice picture".

      • by gweihir ( 88907 )

        Indeed. But I guess with no routers for end-users being commercially available in the US in the near future (or at least that seems to be the intent), people will have to learn.

        • I watched Jayz video on this subject and apparently "manufacturers" (sellers) of foreign-made routers will be able to request an exception... from the Department of War and the DHS. So this is really just a solicitation for more bribes/the opportunity to pick the winners and losers like Republicans always say the government shouldn't.

    • Don't worry though, in about 6 months the federal govt is going to be shipping out everyone's Trump approved and mandated Freedom Router with govt provided FreedomOS with all the requisite NSA back doors pre-installed. Freedom routers will MITM all encrypted sessions and report the contents of all traffic to the NSA mother-ship to ensure citizen compliance. TCP/IP protocol will be updated with a new SSN header and every packet will be stamped with the citizen's SSN for tracking purposes. Failure to use Trum
      • Also in one month's time Trump and Elon will be buddy buddy again cause Trump will need to use Starlink's US based assembly lines to build the Freedom Routers. They'll all be just as configurable as a Starlink router as well. Meaning all you'll be allowed to configure is your WiFi name and password.
      • Don't worry though, in about 6 months

        You are very optimistic regarding his or the government life expectancy, whichever comes first.

      • The router will also be made in China.

    • Just safer, not necessarily faster. OpenWRT is a great package, but the reality is that cutting edge routers do not support it. You want a top of the line 802.11be WiFi network expanded through your house with 802.11s mesh points, then good luck finding something that runs OpenWRT.

      • Just safer, not necessarily faster

        OpenWRT addresses the chip directly and, yes, it may lag behind for some recent chips, but usually they catch up over time.
        Moreover, I trust the OpenWRT team more when it comes to writing code. Router companies may advertise x or y, but the reality is often different.
        In addition to that, OpenWRT allows you to bypass the limits set by the manufacturer (e.g. actual power of the chip in dB / W, security options, ...).
        And, maybe not all but some routers have some "convenient" features that share some of your

    • Do you know of a mesh router that supports openwrt?
    • by SumDog ( 466607 )
      I just run a Linux distro and setup iptables rules directly. I've been doing that since the very early 2000s.

      https://battlepenguin.com/tech... [battlepenguin.com]

      I did the SBC router thing for a while too:

      https://battlepenguin.com/tech... [battlepenguin.com]

      and now I use Void Linux which I installed on this industrial appliance

      https://battlepenguin.com/tech... [battlepenguin.com]

      The vast majority of people out there aren't going to know how to do that, or even care about learning it. I remember the first time I set up masquerading (NAT) and just how
      • I was thinking the same. I did this in the early 2000s with an old 486, except it was dialing out with a 56k modem. It was running a Junkbuster proxy to filter out ads. Amazing that I was able to do that with 33MHz.

    • by xpyr ( 743763 )
      OpenWRT doesn't have a web interface. FreshTomato [freshtomato.org] would be a better choice.
  • Joke's on you, Russia! Every single router had the credentials admin/admin.
  • They aren't attacking me, they are attacking a nation very clearly hostile to me. I'm having trouble feeling concern. Russia has never directly threatened to take over my country.
    • by Sique ( 173459 )
      But just because they could not. Russia, being an imperialistic country since the Grand Prince of Moscow named himself Czar of all Russians, would immediately if given the chance.
    • The whole Cold War was about the Soviets/Russians being able to just completely change your precious country into radioactive glass with people living in the Stone Age. Ok, glass age.

      “Take over” isn't the point. “Eliminate rivals” is the point. And I can assure you the Russians have threatened, have tried and will again. The US, believe it or not, is not a hermetically sealed block. It depends on external inputs and very definitely depends on other countries to buy your exports.

  • by SouthSeb ( 8814349 ) on Wednesday April 08, 2026 @08:34AM (#66082822)

    the FBI "developed a series of commands to send to compromised routers" to collect evidence, reset settings, and prevent hackers from breaking back in.

    Wait! What?!?

    • by gweihir ( 88907 )

      If this claim is true, that is a criminal act in most of the world. You are not allowed to patch IT systems belonging to other people without explicit permission.

      • by clovis ( 4684 )

        If this claim is true, that is a criminal act in most of the world. You are not allowed to patch IT systems belonging to other people without explicit permission.

        The DOJ says it only patched affected devices within the USA. Once modified, the device has become a part of a criminal enterprise, so there's probably a law somewhere in the US allowing the court's authorization.
        https://www.justice.gov/opa/pr... [justice.gov]

        • by gweihir ( 88907 )

          The law does not count for much in the US these days, hence I have no problems believing that. Apparently, they have noticed something if they stayed away from devices outside of the US though.

        • Americans have no protection over the government modifying their routers? Lol.. that's precious.
  • Seriously. This is, at best, just one of the usual criminal enterprises.

    • by Himmy32 ( 650060 )

      You are correct that it's unlikely that those devices were the final goal. The security game is all about moving sideways from easy targets to important ones.

      Maybe they would be able to use that equipment to proxy traffic to dodge geoblocking, use it to denial of service a piece of infrastructure for a bigger target, or snag some information from an employee of a juicy target. Or maybe they wouldn't be used again, but maintaining low effort footholds is worth the cost for a starting point for a possible fut

  • Delenda est Russia.

