Russia state-sponsored hacking has well documented over the last few years, and with cyber attacks increasing it is no surprise that last week’s Singapore Summit, where President Trump met Kim Jong Un in a historic meeting, was targeted.
Cyber security researchers at F5 Networks, an American application services and security company, identified a series of cyber attacks targeting Singapore on 11th June 2018 and 12th June 2018.
They found that 88% of malicious traffic originated in Russia and targeted VoIP Phones (the kind found in many hotels) and IoT devices.
>See also: Inside the mind of a state-sponsored hacker
The attacks were primarily reconnaissance scans—looking for vulnerable systems–from a single Russian IP address (18.104.22.168), followed by actual attacks that came from both Russia and Brazil.
The top attacked target was a protocol known as SIP 5060, which is used by IP phones to transmit communications in clear text. The number two attacked port was telnet, consistent with IoT device attacks that could be within proximity to targets of interest. Other ports attacked include Port 7457, the same target used by the Mirai botnet and Annie to target ISP managed routers.
SIP is an IP phone protocol, 5060 is specifically the non-encrypted port, but it is unusual to see port 5060 as a top attack destination port. Indeed, Telnet is the most commonly attacked remote administration port by IoT attackers.
The security researchers from F5 Networks assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server.
It’s very likely the attackers were looking for any IoT device they could compromise that could provide them access to targets of interest where they could then spy on communications and collect data.
>See also: Nation State hacking: a long history?
Port 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spin off that caused millions of dollars of damage to European ISPs in late 2016.
If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and could see any traffic through those devices, collecting data, redirecting traffic, etc. in what’s known as a “Man in the Middle” attack.
Port 8291 was recently attacked by Hajime, the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai. If any devices in Singapore were listening on this port, and protected with vendor default credentials, it is likely the attackers could have gained access.
F5 Networks conclusion
It is unclear what the attackers were after with the SIP attacks, nor if they were successful. ‘We will continue to analyse the attack data we have collected and update this story as we make new discoveries,’ said the security researchers.
F5 Networks researchers do not have evidence directly tying this attacking activity to nation-state sponsored attacks, however, it is common knowledge that the Russian government has many contractors within Russia carrying out their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.
In regards to mitigating the threat of these types of attacks, which in this case is internet of things devices and databases directly touching the internet, always:
• Protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network, NEVER allow open communication to the entire internet.
• Always change vendor default administration credentials.
• Stay up to date with any security patches released by the manufacture.