Somebody hacked into data centers in Iran and Russia late last week by exploiting a vulnerable software tool for Cisco’s networking gear. A patch for the known vulnerability has been widely available, though apparently not applied in this case.
According to Iran’s Communication and Information Technology Ministry, the attack, which appeared to be aimed at internet service providers, hit some 200,000 router switches in all, including 3,500 locally, RadioFarda, the Persian-language broadcaster of Radio Free Europe, reported. In Iran, the hackers put up an image of the U.S. flag with the caption “Don’t mess with our elections,” a likely reference to foreign meddling in the 2016 U.S. presidential election largely attributed to Russia.
Was the hit job in retaliation for cyber attacks on the U.S. by other nation states? As ever, it’s hard to say. There are conflicting reports on who or what is responsible for the cyber attack. Iran’s Fars news agency said the U.S. Computer Security Readiness Team pointed the finger at Russia, but RadioFarda said it could find no such statement. Symantec blamed the Russian Dragonfly cyber gang for the attack.
However, in an email note to Motherboard, the hackers, who called themselves “JHT,” said they wanted to send a message to nation state cyber attackers that they are “tired of attacks from government-based hackers on the United States and other countries.” Motherboard called the attack “relatively unsophisticated.”
Cisco Warning Ahead of Hack Attack
Cisco had earlier warned of a vulnerability in its switches, in which actors could exploit a protocol in the plug-and-play Cisco Smart Install client on Cisco IOS software and Cisco IOS XE software, a Cisco Talos blog post detailed. Smart Install is a tool to rapidly deploy new switches. An attacker could exploit the flaw in the client to reload an affected device, causing a denial of service, to execute malicious code, or to trigger an infinite loop on the unit.
The vendor said it had noticed “specific advanced actors” targeting the switches. Some incidents in certain countries targeted critical infrastructure, the blog said. “As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths,” Cisco said.
Iran’s telecommunications minister Mohammad Javad Azari-Jahromi blamed MAHER, the Persian acronym for the Computer-related Events Operation and Coordination Center, for failing to issue a “special warning” based on the Cisco alert, which was posted 10 days ahead of the April 6 attack, RadioFarda reported. Cisco issued a patch for the vulnerability affecting Smart Install on March 29 and an updated advisory on Monday, April 9. Azari-Jahromi said the attack mainly affected Europe, India and the United States, Reuters reported, citing state television.
Whoever the attackers are, they may have seen a distinct opening to pounce. In Iran, many companies freeze their network settings during holidays. The attack took place on Friday, April 6, which is a weekend day in Iran. MAHER apparently did not tell the businesses of the imminent offensive, RadioFarda reported.
Cisco advised that network administrators “need to be especially vigilant” to secure and monitor perimeter devices. “It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed,” the vendor said in the blog post. “Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.” Cisco “strongly encouraged” IT teams to remove the Smart Install client from devices where it is not used.
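Acting on that advice across a fleet means first finding out which switches still have the Smart Install client enabled. The script below is an added example, not code from the article or from Cisco: it triages captured output of the Cisco IOS command `show vstack config` from several devices, lists the ones that still need the client turned off with `no vstack`, and flags directors and unparsable captures for manual review. The hostnames and command output are constructed sample data, and the exact output format the regex expects is an assumption to verify against your own devices; `no vstack` and the Smart Install port (TCP 4786) are Cisco-documented.

```python
"""Triage `show vstack config` captures to find switches still exposing
the Smart Install client.  Added example; the sample output below is
constructed and the assumed output format should be checked against
real devices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: hostname -> captured `show vstack config` output.
SAMPLE_OUTPUT: Dict[str, str] = {
    "edge-sw-01": "Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "edge-sw-02": "Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "core-sw-01": "Role: Director (SmartInstall enabled)\n Vstack Director IP address: 10.0.0.1\n",
    # An image without Smart Install support rejects the command outright.
    "lab-sw-09": "% Invalid input detected at '^' marker.\n",
}

# Assumed line shape: "Role: Client (SmartInstall enabled)"
STATE_RE = re.compile(r"Role:\s*(\w+)\s*\(SmartInstall\s+(enabled|disabled)\)", re.IGNORECASE)


@dataclass
class VstackStatus:
    host: str
    role: Optional[str]      # "Client", "Director", or None if unparsable
    enabled: Optional[bool]  # None means the state could not be determined


def parse_vstack(host: str, text: str) -> VstackStatus:
    """Extract the Smart Install role and state from one device's output."""
    m = STATE_RE.search(text)
    if not m:
        return VstackStatus(host, None, None)
    return VstackStatus(host, m.group(1), m.group(2).lower() == "enabled")


def triage(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into: disable (client enabled), review (director or
    unknown), ok (client disabled).  Lists are sorted for stable output."""
    result: Dict[str, List[str]] = {"disable": [], "review": [], "ok": []}
    for host, text in outputs.items():
        st = parse_vstack(host, text)
        if st.enabled is None:
            result["review"].append(host)          # could not parse: check by hand
        elif st.enabled and st.role.lower() == "client":
            result["disable"].append(host)         # the vulnerable client service
        elif st.enabled:
            result["review"].append(host)          # director: needs Smart Install, so filter instead
        else:
            result["ok"].append(host)
    for bucket in result.values():
        bucket.sort()
    return result


def remediation(host: str, keep_smart_install: bool = False) -> List[str]:
    """IOS commands for one host: remove the client, or, where Smart Install
    must stay, block TCP 4786 at the edge with an ACL (apply it to the
    relevant interfaces; the ACL name here is a placeholder)."""
    cmds = [f"! {host}", "configure terminal"]
    if keep_smart_install:
        cmds += [
            "ip access-list extended BLOCK-SMI",
            " deny tcp any any eq 4786",
            " permit ip any any",
        ]
    else:
        cmds.append("no vstack")
    cmds += ["end", "write memory"]
    return cmds


if __name__ == "__main__":
    buckets = triage(SAMPLE_OUTPUT)
    for host in buckets["disable"]:
        print("\n".join(remediation(host)))
    for host in buckets["review"]:
        print(f"! {host}: manual review required")
```

Feed the script the raw text you already collect through whatever config-backup or automation tool you use; the point is that hosts in the `review` bucket are not silently treated as safe, since a capture that does not parse is exactly the case an inventory check tends to miss.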