Routers in four countries have been hacked for up to a year, cybersecurity firm FireEye said on Tuesday, including some used by governments and major industries.
FireEye’s forensic unit, Mandiant, found that 14 Cisco routers in Ukraine, the Philippines, Mexico and India had been penetrated and implanted with malware that FireEye named “SYNful Knock.” Cisco described it as “a type of persistent malware that allows an attacker to gain control of an affected device.”
“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt told Reuters. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool.”
FireEye’s report expanded on the concept. “Imagine for a second that every bit of data going in and out of [global] companies could be compromised without any knowledge of it.”
It isn’t unusual for consumer routers to be hacked: the hacking collective “Anonymous” and others have compromised thousands of them over the years. But those compromised routers are usually used in denial-of-service attacks intended to knock websites offline. Hacking routers for the purpose of espionage is out of the ordinary.
“That feat is only able to be obtained by a handful of nation-state actors,” DeWalt said, though he declined to say whether FireEye had identified the perpetrator.
China, Russia, Israel and the United States are seen as having the most advanced cyber capabilities in the world. FireEye reported earlier this year that China had been hacking the Indian government for several years, while Russia has the strongest strategic interest in Ukraine.
The firm indicated that router hacking represents a serious long-term threat.
“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe,” FireEye noted.
However, FireEye also reported that aspects of the operation didn’t require an advanced effort. “It is believed that the credentials are either default or discovered by the attacker in order to install the backdoor,” the company’s report said, meaning the implant was installed using valid login credentials that were either never changed from their factory defaults or were obtained by the attacker some other way.