FORT MEADE, Md. – The National Security Agency (NSA) has joined the Federal Bureau of Investigation (FBI) and other co-sealers to publish a Cybersecurity Advisory (CSA), “Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations,” outlining observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations for EdgeRouter users and other network defenders.
The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, also known as APT28, Fancy Bear, and Forest Blizzard, has used compromised Ubiquiti EdgeRouters to harvest credentials, collect digests, proxy network traffic, and host spearphishing landing pages and custom tools. Academic and research institutions, embassies, defense contractors, and political parties are among the victims.
“No part of a system is immune to threats,” said Rob Joyce, NSA’s Director of Cybersecurity. “As we have seen, adversaries have exploited vulnerabilities in servers, in software, in devices that connect to systems, in user credentials, in any number of ways. Now, we see Russian state-sponsored cyber actors abusing compromised routers and we are joining this CSA to provide mitigation recommendations.”
Ubiquiti EdgeRouters have a user-friendly, Linux-based operating system that makes them popular among both consumers and malicious cyber actors. The devices often ship with default credentials and have limited firewall protections. Additionally, EdgeRouters will not automatically update their firmware unless configured by the consumer.
Recommended mitigations in the CSA include performing a hardware factory reset, upgrading to the latest firmware version, changing any default usernames and passwords, and implementing strategic firewall rules on WAN-side interfaces.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721