Technology

Governments warn Russian hackers are targeting home and office routers

CISA says an FSB-linked hacking unit is exploiting vulnerable routers to mask operations against public and private targets.

Hana Yoshida

By Hana Yoshida · Markets Reporter

3 min read

Governments warn Russian hackers are targeting home and office routers
Photo: Ars Technica

U.S. cyber officials are warning people and small businesses to secure internet routers as Russian state hackers keep breaking into poorly protected devices. The concern is that compromised home and small office routers can help attackers hide activity aimed at sensitive public- and private-sector organizations.

The Cybersecurity and Infrastructure Security Agency said Monday that hackers tied to Center 16 of Russia’s Federal Security Service are exploiting vulnerable and misconfigured networking devices around the world. According to CISA, the activity has affected networks across multiple critical infrastructure sectors.

The warning was issued with international partners, including authorities in Australia, Denmark, New Zealand and the United Kingdom. CISA said the same Russian hacking activity is tracked by researchers and governments under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.

Routers used as cover

Compromised routers are valuable to state-backed hackers because they can be turned into proxy networks, according to the government advisory and prior reporting by Ars Technica. By routing traffic through ordinary consumer and small-business devices, attackers can make malicious activity harder to trace back to its real origin.

The warning focuses on routers in homes and small offices, a category often described as SOHO devices. These devices can be attractive targets when they are poorly configured or left exposed with known weaknesses, CISA said.

Ars Technica has reported that Russian and Chinese government-linked hackers have targeted routers for years. In some cases, according to Ars Technica, hacking groups have fought over the same devices after one actor had already taken control.

U.S. authorities have at times acted directly against router-based botnets. Ars Technica has reported that the U.S. government has used covert commands and other measures to remove malware from compromised routers, including devices associated with Chinese operations.

Private companies have also tried to break up router botnets. Google and other firms have worked to disrupt residential proxy networks that rely on large numbers of hijacked devices, according to Ars Technica.

Repeated disruption, repeated rebuilding

Those efforts have not ended the problem. Ars Technica reported that takedowns and cleanup campaigns have often resembled a recurring cycle, with operators rebuilding botnets after earlier networks are disrupted.

CISA’s latest warning places Russian FSB-linked activity in that continuing pattern. The agency said the hackers are still taking advantage of exposed networking devices and are doing so opportunistically across the world.

The practical message from the advisory is direct: users of home and small office routers should secure their devices. CISA framed the issue as a risk not only to the owners of those routers, but also to organizations that may later be targeted through traffic routed across compromised equipment.

This story draws on original reporting from Ars Technica.