Today, security researchers at FireEye announced their discovery that hackers have managed to seize control of 14 routers in four countries spanning three continents: Ukraine, Mexico, India, and the Philippines. The hacked routers were all made by Cisco, but FireEye says “this attack could be possible on any router technology.”
The attackers breached the routers using a sophisticated form of malware which FireEye named SYNful Knock, as a reference to how the malware, once planted, can jump from one router to another using the devices' syndication functions. “We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor),” researchers Tony Lee and Bill Hau wrote on FireEye's security blog. “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”
Routers are responsible for deciphering and then delivering (or “routing”) broadband information from your modem to your computer. As FireEye's Chief Executive Dave DeWalt told Reuters, “If you own [seize control of] the router, you own the data of all the companies and government organizations that sit behind that router.”
Firewalls, anti-virus programs and other anti-hacker security measures might protect your computer, smartphone, or similar device, but it won't protect the routers that deliver information to those devices. “Ironically, [routers] often get overlooked for endpoints, mobile devices, and servers when it comes time to respond to an attack,” FireEye said. “However, a router implanted with a backdoor provides attackers a very easy entry point to establish a foothold and compromise other hosts and critical data.”
If that comment about implanting backdoors sounds familiar, you might be thinking of the so-called “backdoor” mandates which the (ironically named, in such instances) National Security Administration, as well as the FBI and other branches of the government want tech companies to install on all encrypted communications technologies. This would leave a backdoor on each network so that government has full access to read secure information without your knowledge, and if that means hackers also get full access, that's a risk the feds are willing to force you to take.
In March, Microsoft issued a security advisory admitting that it was “aware of a security feature bypass vulnerability” which “affects all supported releases of Microsoft Windows,” in addition to any non-Microsoft software running on a part of Windows called Secure Channel.” That vulnerability was a security flaw known as FREAK, a not-quite-acronym which stands for “Factoring attack on RSA-EXPORT Keys.” FREAK made it possible for attackers to spy on supposedly secure communications. And it was the NSA's anti-encryption “backdoor” mandates that made the vulnerability possible.
Attacks ongoing for at least a year before discovery
Ironically, the NSA's and FBI's own websites were included among the major world websites vulnerable to FREAK attacks.
As Apple CEO Tim Cook said in June, “If you put a key under the mat for the cops, a burglar can find it too.”
That said, the hackers who used SYNful Knock to successfully attack those 14 Cisco routers didn't have to exploit any vulnerability to gain access. Instead, as Cisco said to Reuters, the attackers got in by either stealing valid login credentials from someone else, or by gaining physical access to the routers themselves.
A survey of computer logs suggests the attacks have been ongoing for at least a year before their discovery, and FireEye's Dave DeWalt told Reuters that multiple industries and government agencies were included among the targets.