Your old router could be a hacking group’s APT pawn
5 min read

Your old router could be a hacking group’s APT pawn

Your old router could be a hacking group’s APT pawn

VANCOUVER—If you’ve been looking for another reason to replace your old Wi-Fi router, here it is: A group of hackers could be using it to hide the origins of its online attacks.

Inception Framework’s attack methodology has evolved since it was first detected in 2014 in part by Waylon Grange, senior threat researcher at computer security company Symantec. In a newly released Symantec study he led, Grange says the hacker group is now using hijacked Wi-Fi routers, Internet of Things devices, and cloud services to cover its tracks.

Grange’s team, which worked with Akamai Technologies on the report, discovered that at least 4 million Wi-Fi routers around the world employ an old Universal Plug and Play, or UPnP, configuration that “listens” to the Internet for commands. And Inception Framework has hijacked at least 765,000 of them.

A partial list of the routers with the old, vulnerable configuration that Grange has seen used in recent Inception Framework attacks includes EFM Networks’ ipTime G504, Q504, Q604, N804, N604R, N6004R, N104M, V104, and A2004NS; Totolink’s A2004NS, N150RT, N300RG, N300RB, N150RA, and N300R+; OvisLink’s Evo-W311AR; Kozumi’s K-1500NR; EMP’s NG-IP04A3; Edimax’s 3G6200N; ZTE’s MF60; Sitecom’s WLR-1000; and unspecified D-Link routers.


Why hackers love your Wi-Fi (and how to protect it)
How to secure your home Wi-Fi
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Secret to safer IoT is smarter Wi-Fi, hacker Caezar says (Q&A)
5 questions to ask before buying an IOT device

To create layers of obfuscation that hide an attack’s origins, Grange says, Inception Framework then reroutes its malicious messages at least three times through the hijacked routers before ultimately sending them to their targets, or allowing the hidden malware to communicate with its control server. (This method is similar to Tor’s “onion”-style layering.)

The group also uses cloud service providers and virtual private servers to further hide the origins of its malicious traffic, which Grange says has evolved into two-stage phishing attacks designed to carry out advanced persistent threats, or online attacks that remain hidden as they steal data.

Inception Framework sends emails disguised as messages on international policy, upcoming conferences, and industry-specific topics to fool people into opening malicious Microsoft Word documents or other malware on their computers or mobile devices, Grange says. Once the group has profiled the device and tricked the target into installing the hidden malware, it can begin stealing data.

Inception Framework’s APTs originally targeted organizations in South Africa, Kenya, the United Kingdom, Malaysia, Suriname, and other European and Middle Eastern countries. But by 2017, it had shifted its attention to others in Russia, Ukraine, Moldova, Belgium, Iran, and France. Its victims include individuals at organizations in energy, defense, aerospace, research, cybersecurity, media, and state diplomacy.

“[A] top-of-the-line router is a five-year-old router in some countries.”—Waylon Grange, senior threat researcher, Symantec

Because Inception Framework’s techniques have been successful in hiding its origins, attributing or discerning the goals of its attacks has been difficult. Grange speculated in 2014 that its APTs could be the work of “a medium-sized nation state, or possibly a resourceful and professional private entity.”

Today, Grange says Inception Framework is most active during the working hours of UTC +2, the time zone for Kyiv, Ukraine, with 30 percent of its attacks targeting organizations in Russia, 15 percent targeting organizations in Ukraine, and 9 percent targeting organizations in Moldova.

“A lot of the targets are Russian, and we very rarely see Russia-on-Russia activity,” Grange explained after presenting the research here on Wednesday at the cybersecurity conference CanSecWest.

Routers up to five years old are not vulnerable to being hijacked in the same way as the ones Inception Framework is currently using, Grange says, because few of them—if any—use the dated UPnP configuration. However, he says, a “top-of-the-line router is a five-year-old router in some countries.”

Inception Framework, Grange adds, “is the only actor I’ve seen using this technique, but that’s not to say that others might not start.”

Revelations about the hacker group’s use of older routers are only the latest to surface that highlight risks in using unpatched Internet-connected hardware. Legacy devices may be able to accomplish their primary functions, such as broadcasting wireless Internet throughout your home or office. But if the device can’t be updated with security patches, or it requires specific technical skills to upgrade, the likelihood of a hacker using it in an attack grows.

“The fact that routers are insecure is not a new phenomenon, but their importance in networking makes their security a chief concern.”—Joshua Meyer, analyst, Independent Security Evaluators

The Symantec study follows another report, published March 9 by Kaspersky Lab’s threat analysis team, detailing how malware dubbed Slingshot exploited an unknown vulnerability in MikroTik routers, mostly in the Middle East and Africa, in an APT attack. Researcher Alexey Shulmin says that although Kaspersky documented fewer than 100 victims, this complex attack hadn’t been seen before—and would have been very hard to protect against.

“As far as I know, there’s no antivirus for routers,” Shulmin told The Parallax at the company’s annual Security Analyst Summit.

Protecting routers, the central points of Internet access for most homes and small businesses, remains an incredibly important but challenging task, says Joshua Meyer, an analyst at Independent Security Evaluators, which tests the security of computers, Internet-connected devices, and networks.

Routers are commonly compromised by exploiting insecure default settings and account passwords,” he wrote in an email to The Parallax. “The fact that routers are insecure is not a new phenomenon, but their importance in networking makes their security a chief concern.”

Meyer cites myriad router security challenges, from models whose makers may not have invested in security, to a lack of automatic updates, to consumers’ tendency to ignore their routers until they stop working.

Newer routers are now shipping with potentially vulnerable communication services, such as the port-listening service that Inception Framework exploited, disabled by default. Others are shipping with more advanced security features built in and activated by default. But individual consumers must still keep tabs on their routers’ security patches, Meyer says. They should also keep tabs on when it’s time to upgrade.

“Just as old PCs using Windows XP are considered insecure,” he says, “routers without security updates are increasingly vulnerable, as new attacks are discovered.”

Grange and Meyer see few options to shut down obfuscation networks like Inception’s besides encouraging router owners to make sure they’re using current hardware with up-to-date security patches.

“If you can get the world to upgrade, that’d be great. But these machines are just going to stick around,” Grange says. “Why get a new router when an old one works? Why invent a new exploit when an old one works?”

Enjoying these posts? Subscribe for more