News

Russian spies exploit unchanged passwords to probe Australian critical infrastructure

Australia’s cyber security agency has joined 12 international partners in warning that an FSB-linked hacking group has spent more than a decade quietly collecting sensitive information from poorly secured routers and other networking devices.

Australia’s hospitals, power networks, banks and government agencies have been urged to tighten their cyber defences after authorities revealed that Russian intelligence hackers are exploiting unchanged factory passwords and outdated equipment to penetrate critical infrastructure networks.

The Australian Signals Directorate has joined agencies from 12 allied nations in attributing the long-running campaign to Centre 16, a cyber operations unit within Russia’s Federal Security Service, or FSB.

According to the joint advisory, the state-sponsored hackers have been compromising vulnerable networking devices around the world since at least 2015. Their targets include organisations in communications, energy, financial services, healthcare, government and the defence industry.

Australian authorities fear the information gathered through the campaign could help Russian intelligence map sensitive networks, steal credentials and establish pathways for future espionage or disruptive attacks.

The operation relies heavily on a basic security failure. Many targeted routers were installed with factory-set passwords or other default credentials that were never replaced. Some were also left exposed to the public internet and continued running outdated software containing known vulnerabilities.

The hackers scan large blocks of internet addresses looking for devices that use older versions of the Simple Network Management Protocol, commonly known as SNMP. The protocol allows administrators to monitor and manage networking equipment.

Older versions can be accessed using a “community string”, which functions much like a password. When organisations leave a common or factory-default community string in place, attackers may be able to access the device without first exploiting a sophisticated software flaw.

After entering a router, the hackers instruct it to create and transfer a copy of its configuration file. These files, which can carry names such as “config.bkp” or “output.txt”, may contain account details, passwords, technical settings and information about the broader network.

That data can give an intelligence service a detailed view of how an organisation’s systems are structured. Passwords protected with weak or outdated hashing can also be cracked, allowing the hackers to move beyond the original router and penetrate deeper into the network.

The Australian Cyber Security Centre said communications providers, energy operators, financial institutions, healthcare services and government bodies were among the sectors facing the greatest risk. State and local government systems were highlighted alongside companies supporting the defence industrial base.

The campaign demonstrates how routine maintenance failures can create opportunities for highly capable intelligence agencies. In many cases, the equipment was installed and switched on, but its default settings were never reviewed, its software was not updated and its management services remained accessible from outside the organisation.

On older Cisco equipment, the Russian operators have also used previously disclosed vulnerabilities, including CVE-2018-0171. That flaw can affect Cisco devices running the Smart Install feature, which was intended to help administrators configure new equipment.

Smart Install was generally designed for use during the initial deployment of a device. Organisations were expected to turn it off when it was no longer needed, but the advisory indicates that some operators failed to do so.

Cyber security companies have tracked the Russian group under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.

The agencies said some of the group’s methods overlap with those used by other state-backed hackers. They drew particular attention to similarities with Salt Typhoon, a China-linked operation accused of infiltrating telecommunications providers in several countries.

“Many of these tactics, techniques and procedures overlap with activity by other malicious cyber actors,” the advisory said.

The shared methods mean the recommended security measures could protect organisations from more than one foreign intelligence service.

Authorities are urging operators to replace older versions of SNMP with SNMPv3, which supports stronger authentication and encryption. Organisations should also remove default credentials, restrict remote management access, install available security updates and disable Cisco Smart Install wherever it is not required.

Passwords stored on networking devices should be protected using stronger cryptographic methods. The advisory recommends Cisco Type 8 password hashing rather than older formats that attackers may be able to reverse or crack quickly.

Firewalls should also be configured to prevent people outside an organisation from connecting directly to router management ports. Access should be limited to authorised systems and administrators, with devices monitored for unusual configuration requests or outbound file transfers.

The warning follows heightened concern about Russian-linked cyber activity in Australia.

In January 2024, the federal government identified Russian national Aleksandr Ermakov as being responsible for the 2022 Medibank breach, which affected about 9.7 million current and former customers. Stolen information, including medical histories and details relating to mental health and drug addiction, was later published online.

The Medibank attack was separate from the FSB campaign described in the latest advisory, but it demonstrated the potential consequences when foreign cyber actors gain access to sensitive Australian systems.

The ASD and its international partners said device owners and network defenders should take immediate steps to identify exposed equipment and remediate vulnerable configurations.

The advisory was supported by agencies in the United States, United Kingdom, Canada, New Zealand, Czechia, Denmark, Estonia, Finland, France, Italy, Poland and Sweden.

Australian organisations that identify suspicious activity or believe they have been compromised have been asked to report the incident through the Australian Cyber Security Centre’s website or by calling 1300 CYBER 1.

Leave a Reply

Your email address will not be published. Required fields are marked *