The federal government is warning users of home and small office routers to secure their devices as Russia state hackers proceed to mass-compromise them to be used in obscuring nefarious actions against sensitive organizations in the private and non-private sectors.
Each the Russian and Chinese governments have been compromising routers for years, sometimes in prolonged tugs-of-war to wrest control of devices the opposite has already commandeered. The US government has occasionally issued covert commands and brought other steps to disinfect routers. Google and other firms have also worked to disrupt the large botnets that control compromised routers in lockstep. The actions to this point are little greater than whack-a-mole exercises because the operators simply replace their botnets with latest ones.
Proxy networks: The go-to tool
“Russian Federal Security Service (FSB) Center 16 cyber actors proceed to use poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks,” the Cybersecurity and Infrastructure Security Agency said Monday. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from around the globe, including Australia, Denmark, Latest Zealand, and the UK.
The first technique of compromise the agency warned about was hackers scanning IP ranges with lively Easy Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very kinds of router botnets the actors try to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware. SNMP allows users to gather and organize details about managed networking devices or to switch that information to alter device behavior.

