Hacked Routers

The Internet is a gigantic collection of linked networks that span the globe. The networks are connected using routers.

A router is a specialised computer that directs traffic on the Internet. As the Internet consists of hundreds of thousands of smaller networks linked together, the use of routers is absolutely necessary for it to function.

When you want to visit a particular website, you type the address of the site into your web browser. The address goes to the nearest router and the router decides where the required site is on the Internet.

The router also determines the most efficient path through all the networks to reach a particular destination... based on the traffic in different parts of the Internet and the available connections.

Cisco Systems Inc is an American multinational technology company that designs, manufactures, and sells networking equipment including most of the routers used on the internet. In fact, 85 percent of Internet traffic travels through Cisco's systems.

Hacked routers

Security firm FireEye announced recently that its researchers have discovered malware (dubbed SYNful) on 14 Cisco routers in the Ukraine, the Philippines, Mexico and India.

SYNful replaces the operating system used in Cisco's network equipment and thus opens a back door that provides a permanent foothold inside a targeted network.

This enables the hackers to harvest vast amounts of data while going undetected by existing cybersecurity defences, according to Mandiant, FireEye's computer forensic arm.

Cisco have confirmed that it has alerted its customers to these hacking attacks and said that it was working with Mandiant to develop ways for customers to detect the attacks.

Indeed Cisco has published intrusion detection signatures that customers can use to look for attacks in progress which, if found, can then be blocked.

If successful attacks are detected, customers will have to re-image the software used to control their routers.

It is highly probable that many other instances of these hacks have not been discovered, according to FireEye. Indeed it is likely that the infected routers are being used to infect other parts of the Internet.

Because the implanted software duplicates the normal functions of routers it could also affect routers from makers other than Cisco.

How bad is the threat?

Routers operate outside the perimeter of firewalls, anti-virus and other security tools used by organisations to safeguard data traffic.

This means that the estimated US$80 billion spent every year on cybersecurity tools is money down the drain where this form of attack is concerned.

According to Cisco, SYNful does not take advantage of any vulnerability in its own software. Instead it steals valid network administration credentials from the organisations targeted by the hackers so that it can install itself or it can be installed when the hackers gain physical access to Cisco routers.

No matter how it is installed, if a hacker seizes control of a router then he has control over the data of all the companies and government organisations that flow through that router.

According to FireEye, the affected routers have been used to hit multiple industries and government agencies. The company also says that the router logs indicate that the hacks began well over a year ago.

So what does all this imply for the ordinary consumer, who does his or her shopping and banking online?

The answer depends on who the hackers are working for.

The USA's global spy agency, the NSA (National Security Agency), has a habit of intercepting networking equipment and installing backdoors before the equipment reaches customers.

This came to light in May 2014. In 2015, Cisco began offering to deliver this kind of equipment directly to customers in order to avoid interception by the NSA or other miscreants.

The latest findings from FireEye suggest that the miscreants, whoever they are, are managing to implant malware on routers no matter how they are being delivered.

While it is likely that the NSA or some other state actor is the culprit, this is not at all certain, even though FireEye says that interception could only be done a handful of sovereign states. In this writer's view, the miscreants could well be a criminal gang intent on commercial gain.

Perhaps it would be as well to check with you bank to see whether they have any reservations regarding online banking in the light of these revelations.