For its first year in office, the Trump administration seemed soft on Russia’s hyper-aggressive hackers, reluctant even to point out that they’d brazenly meddled in the US election. Then, just two months ago, the White House suddenly came out swinging, calling out Russia for its massively disruptive NotPetya malware and its intrusions into the US power grid, and imposing new sanctions in response. Now, in its latest warning to Russia over its hacking bonanza, the White House may have confused the message again, this time in the other direction: it scolds Russia not for its uniquely destructive hacking activities but, by all appearances, for the kind of cyberespionage that many governments conduct—including the US.
An alert issued jointly by the Department of Homeland Security, the White House, the FBI and the UK’s National Cyber Security Center on Monday warned that hackers tied to the Russian government have attempted to compromise millions of routers and firewalls across the internet, from enterprise-focused network equipment to the humble routers in homes and small businesses across the world. The report warns that the attacks “enable espionage and intellectual property [theft] that supports the Russian Federation’s national security and economic goals,” and offers technical advice about how to detect and stop those attacks.
“When we see malicious cyberactivity, whether Kremlin or other nation state actors, we are going to push back,” said White House cybersecurity coordinator Rob Joyce in a call with reporters. (The call came just hours before reports surfaced that Joyce is resigning his White House position.) “We condemn this latest activity in the strongest possible terms,” added senior DHS official Jeanette Manfra.
But those weighty statements, for some in the intelligence and security community, actually muddy the message to Russia. After all, US government hackers—and particularly those in the NSA—perform broad intrusions across the world for espionage, too. According to classified leaks and cybersecurity researchers’ findings, they often hack the very kinds of routers mentioned in Monday’s alert. Calling out Russia for the same sort of spying the US routinely does only blurs the red lines that Western governments have demanded Russia and other nations respect—prohibitions on disruptive attacks against civilian infrastructure or meddling in elections.
“It’s weird. Why are they making such a fuss about something that even the US must be engaged in?” asks Thomas Rid, a professor of strategic studies at Johns Hopkins’ School of Advanced International Studies. “This is the dirty secret of infosec, that everyone’s doing it.”
Just last month, for instance, researchers at the Russian security firm Kaspersky revealed a hacking campaign known as Slingshot that spied on more than a hundred targets around the world, in many cases by infecting MikroTik routers. That operation was later revealed to be a US Special Operations Command effort to monitor members of ISIS using internet cafes across Africa and the Middle East. “So, that Slingshot APT was Russian?” quipped Kaspersky researcher Aleks Gostev in a tweet responding to Monday’s DHS alert. Previous classified leaks have shown that the NSA and CIA hack routers too, both big and small.
Former NSA hacker Jake Williams, now of Rendition Infosec, points in particular to the DHS alert’s warning that Russian hackers hijack home routers whose owners haven’t changed the default password—a form of hacking he considers almost laughably mundane, performed even by unskilled cybercriminals. “Everybody hacks routers,” Williams says. “Saying that home routers with default passwords are getting owned is like saying that thieves are picking up unattended money in a public area.”
Rather than a serious warning of a new line-crossing cyberattack by the Russian government, Williams says he sees the latest alert as part of a larger geopolitical message. After all, the Trump administration’s relations with the Kremlin have been cooling, due in part to opposing interests in the ongoing war in Syria. “I don’t see why we’re making such a big deal of this, other than politics,” Williams says.
Meanwhile, Russia has repeatedly crossed red lines with its cyberattacks over the last few years, from its blackout-inducing cyberwar in Ukraine to its leaks of stolen Clinton campaign documents in the 2016 presidential election to the NotPetya outbreak that paralyzed civilian infrastructure and companies around the world, now believed to be the most costly cyberattack in history. Lumping in routine router-hacking with those misdeeds seems to confuse the stakes.
In fairness, Monday’s DHS alert does hint that Russia’s router hacking could be part of a similarly disruptive hacking campaign rather than espionage alone; it warns that the router attacks “potentially lay a foundation for future offensive operations.” That could mean anything from data-destroying malware to disruption of physical infrastructure like oil and gas facilities or power grids.
As for the message it sends, Robert Lee, a former NSA analyst focused on threats to critical infrastructure, says the joint statement on the attacks suggests there may be another, more dangerous element to the router-hacking campaign that isn’t spelled out in the alert. “The US government is signaling to the Russian government it knows what it’s doing and that it’s something they’re not happy about,” Lee says. “They’re calling out that routers are being hacked with follow-on activity that’s concerning.”
Lee points out that the attacks the alert calls out have been documented for months, including in an attack against the Pyeongchang Olympic Games.
Exactly why the US and UK governments chose to put out a joint statement about them now—along with some heated rhetoric—isn’t so clear. “Have they seen something that looks more like planning for disruption and sabotage?” asks Johns Hopkins’ Rid. “Is it enough that Russia has a track record of breaking things?” Until Western countries spell out their definition of that bad behavior consistently, the rules they want to set for civilized behavior online will remain frustratingly inscrutable.