US Government Warns That Russia State Hackers Are Coming After Your Router (arstechnica.com) 34
CISA and allied governments are warning users to secure their routers as Russian state-backed hackers continue compromising the devices and turning them into proxy nodes to disguise attacks against critical infrastructure. The advisory urges users to disable outdated SNMP versions, use strong passwords, update firmware, and turn off unnecessary router services to reduce the risk of being swept into these botnets. Ars Technica reports: "Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks," the Cybersecurity and Infrastructure Security Agency said Monday. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from around the world, including Australia, Denmark, New Zealand, and the UK.
The primary means of compromise the agency warned about was hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very sorts of router botnets the actors are trying to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware. SNMP allows users to collect and organize information about managed networking devices or to modify that information to change device behavior.
With control of a device, the hackers then use it as an exit node when probing or attacking targets in the communications, defense, energy, financial services, and government sectors. By funneling the malicious traffic through a benign-appearing device on a trustworthy IP address, the attackers are able to lower the chances of getting blocked by firewalls and other security defenses. Monday's advisory made no mention of identical operations carried out in recent years by China. So-called residential proxies are also a go-to tool used by financially motivated criminal hackers to obscure their true IP address. In many cases, these sorts of proxies are made up of millions of streaming devices that are sold with preloaded malware.
The primary means of compromise the agency warned about was hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very sorts of router botnets the actors are trying to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware. SNMP allows users to collect and organize information about managed networking devices or to modify that information to change device behavior.
With control of a device, the hackers then use it as an exit node when probing or attacking targets in the communications, defense, energy, financial services, and government sectors. By funneling the malicious traffic through a benign-appearing device on a trustworthy IP address, the attackers are able to lower the chances of getting blocked by firewalls and other security defenses. Monday's advisory made no mention of identical operations carried out in recent years by China. So-called residential proxies are also a go-to tool used by financially motivated criminal hackers to obscure their true IP address. In many cases, these sorts of proxies are made up of millions of streaming devices that are sold with preloaded malware.
standard practice (Score:3, Informative)
Aren't vulnerable routers the backbone of most botnets?
Re: (Score:2)
This is more about slipping through your firewall and getting unauthenticated snmp info, to learn more and eventually get to data. This is nothing new.
Re: (Score:2)
My bad on this one, its similar to another that is not recent.
distract - distract - distract (Score:3, Informative)
Re: distract - distract - distract (Score:4, Funny)
Re: distract - distract - distract (Score:5, Interesting)
Re: (Score:3, Informative)
I'm sure it was discussed during their 90 minute July 4th phone call. https://www.cnn.com/2026/07/05... [cnn.com]
Shouldn't this be expected? (Score:3)
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide
My only question is why the state isn't proactively identify and deactivating such devices. Seriously, if your shitty device is a threat then I see no reason that it cannot also be forcibly taken offline. People will not give a damn about security no matter how much you implore them (they haven't for decades), so it's time for the stick.
Re:Shouldn't this be expected? (Score:4, Informative)
Don't the ISPs own the wires? If so, then I would expect the state to first tell the ISP to clean up their properties. Have them show due diligence in getting their customers to update or replace (with what, from who?) their router before eventually kicking it off the network.
My last cable ISP supplied a router/modem combo that they could configure to be secure by default. For the most part, it was. It didn't have a lot of features and I didn't care for it's overall design but it did work.
My current ISP is starlink and they provide the receiver and router as well.
I imagine the vast majority of router's that are Internet/ISP facing are issued by ISPs themselves as your average user doesn't go buy their own. Even us nerds, we buy our own but depending on our ISP, it's still behind their router/modem device in the path from client to Internet.
So if ISPs are issuing the majority of devices, it would make the most sense for the state to be working with these ISP on updating the default settings and pushing out updates or otherwise helping customers update their gear. Let's hop to it people!
Re: (Score:2)
Even us nerds, we buy our own but depending on our ISP, it's still behind their router/modem device in the path from client to Internet.
In which case, the most an ISP can do if they detect an unsecured device on the customer side of their modem is to cut off service.
Lots of Windows systems will be going dark soon. Too bad you didn't upgrade when the latest OS release came down the pipe. Your new system will be available as soon as we find some DRAM.
Re: Shouldn't this be expected? (Score:2)
Re: (Score:1)
The psy-ops guys would have a field day with that. "OMG, the US government is killing your internet". It also opens up a can of worms. Next stop after that is NAC, where to be allowed onto an ISP, your router has to pass measured checks... which means no F/OSS routers, but closed source, jailbreak-proof ones... and NAC can easily turn from "checking for latest OS" to active filtering and logging with MITM SSL interception.
fix your router, we'll trust you (Score:2)
https://www.war.gov/News/Relea... [war.gov]
Freedom to self-certify.
Re:fix your router, we'll trust you (Score:5, Funny)
Show of hands: How many people sat in on Hegseth's phone call regarding this topic?
Re: (Score:2)
Show of hands: How many people sat in on Hegseth's phone call regarding this topic?
Which call? The ones with our allies or the one with Russia?
Upgrade (Score:2)
I am glad I finally retired my older Asus router last year, even though it was running a reflash, and installed a Unifi gateway at home. They seem to be very good with updates. I even turned on the Threat Detection and Blocking (Intrusion Prevention). Then also GeoBlocking (yes, I know they can work around that, but why make it easy?) The nice thing is this little box does everything I had before and TONS more, including running cameras, with no cloud-dependencies and no recurring fees.
Alas, my contribu
Re:Upgrade (Score:4, Informative)
I am glad I finally retired my older Asus router last year, even though it was running a reflash, and installed a Unifi gateway at home. They seem to be very good with updates. I even turned on the Threat Detection and Blocking (Intrusion Prevention). Then also GeoBlocking (yes, I know they can work around that, but why make it easy?) The nice thing is this little box does everything I had before and TONS more, including running cameras, with no cloud-dependencies and no recurring fees.
Unifi has had several CVSS 10.0 vulnerabilities lately. Quite a lot of those devices are unfortunately still ending up part of botnets.
https://www.bleepingcomputer.c... [bleepingcomputer.com]
And a new one last week...
https://thehackernews.com/2026... [thehackernews.com]
Nice hardware, but the cloud services bring their own risks.
Re: (Score:2)
>"Unifi has had several CVSS 10.0 vulnerabilities lately. Quite a lot of those devices are unfortunately still ending up part of botnets. "
All platforms have vulnerabilities, unfortunately. But from what I can tell, all of those are from the inside. Not from the outside. Every one of them is "with access to the network." So these are not things that are going to give outside attackers the direct ability to break into a Unifi controller on the outside of its firewall.
really and truly don't care (Score:1)
There are two countries I am NOT worried about and that is Russia and China, because whatever they find out about me they won't give to the USA. The USA on the other hand will abuse all the information they can get to deprive me of my liberties.
Anyway sounds like "the lady doth protest too much" to me. As a good loyal subject I'll be sure to replace my router with one with NSA-approved(R) firmware, right away, sir.
ISP Routers (Score:2)
So, just how are ISP customers, which are provided routers by their ISP, supposed to do this? Shouldn't it be mandated that ISPs are responsible for updating and securing routers? I realize that some ISP customers are tech saavy and wish to configure the routers themselves. For those users a simple opt-out will do. For the remaining 99.999% of users the ISP should be handling this, right?
Learning from the best; that is us (Score:2)
We were doing this decades ago :
https://www.businessinsider.co... [businessinsider.com]
This is why I just let my ISP deal with the router (Score:1)
I don't have time to keep track of security updates for my router, apply them, and check now and then to make sure it hasn't been compromised. Comcast has the infrastructure and people to do it all themselves. I don't have to think about it at all.
Of course it's probably the only thing Comcast can do right, but I think most people on Slashdot have heard that story a million times so I won't go there!
Access Denied (Score:2)
That's what I get when trying to access www.cisa.gov from Firefox (currently supported ESR version). Of course it works fine in web browsers from deep-pocketed cowtowing corporate companies. Makes you wonder. Hmmm.
SNMP? (Score:2)
Any router running SNMP or a web interface configured to listen on the external (WAN) port should be considered defective and replaced (or reflashed to sane non-braindead firmware). Home networks don't need SNMP at all, and business networks not using enterprise-grade equipment probably don't need it with write enabled. The only access to the router from the WAN side should be SSH using public-key authentication, and that only if you absolutely need it (you probably don't). That solves the vast majority of
Attack of the commie cyber bogeyman :o (Score:2)
Well maybe (Score:2)