The UK has warned that Russian hackers are hunting for routers with weak passwords. The fix is basic hygiene.
Cyber Security

The UK has warned that Russian hackers are hunting for routers with weak passwords. The fix is basic hygiene.

A joint alert from the NCSC and allied agencies on 13 July describes a Russian group scanning the internet for network kit still using default or weak credentials. Most of the defence is unglamorous.

13 July 20264 min read

On 13 July the UK's National Cyber Security Centre, together with agencies from eleven other countries, put out a joint warning about a Russian state hacking group going after routers and other network devices. The group, run out of the Russian FSB's Centre 16 and known by names like Berserk Bear and Static Tundra, is not breaking down doors with clever new tricks. For the most part it is scanning the internet for network kit that still uses default or weak passwords, and walking in. The named targets are large organisations in energy, government, communications and similar sectors, but the weakness being exploited is common in businesses of every size.

What they are actually doing

The method is closer to trying every unlocked door on a street than to cracking a safe. The group scans the internet for routers and switches that are reachable from outside and still use default, weak or reused passwords for SNMP, a standard tool for managing network equipment. Where it finds known flaws in Cisco devices, including the old Smart Install feature, it uses those too. Once it controls a router it can watch the traffic passing through, move deeper into the network and stay hidden. The uncomfortable part is how little skill most of it takes: the door was left open.

Why a smaller business should still care

It is fair to read 'Russian intelligence targeting critical infrastructure' and assume it has nothing to do with a firm of thirty people. The catch is that internet-wide scanning does not check your company size or industry before it knocks. An exposed router or firewall with a factory password gets found the same way whether it belongs to a power station or an accountant. Smaller businesses also get swept up as collateral, or used as a quiet stepping stone toward a bigger target. The equipment this warning is about, network kit that was plugged in years ago and never looked at again, is exactly what a lot of small offices are running.

The basics that shut this down

The defences here are unglamorous and cheap. Change the default and any shared passwords on your routers, firewalls and switches to strong, unique ones. Do not leave device management open to the internet. Where your kit supports it, use the current version of SNMP and switch off the older ones the attackers rely on. Keep the firmware on network devices up to date, Cisco especially. Almost all of this is built into Cyber Essentials, the UK government-backed scheme that sets a sensible security baseline, which is one reason the advisory itself points businesses toward it.

What to check this week

You do not need to understand SNMP to act on this. One question to whoever runs your network covers most of it: is any of our network equipment reachable from the internet, and does any of it still use a default or shared password? If nobody is sure, that uncertainty is the finding, and it is worth settling before it settles itself.

What this means for your business

Network equipment is the part of IT nobody thinks about until it stops working, which is exactly why it drifts out of date and keeps its factory settings. This warning is a prompt to give yours a look. For the firewalls and routers we manage, we set strong credentials, keep management off the public internet, patch the firmware and check for the kind of exposure this group hunts for, and we can get you Cyber Essentials certified so those habits are built in rather than remembered. If you cannot say for certain that your network kit is locked down, that is the thing to fix this week.

#WEARECOBALT

Ready when you are.

Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.