Did nation-state hackers target Iranian computer networks by exploiting a flaw in Cisco routers?
Hackers have attacked networks in a number of countries including data centres in Iran where they left the image of a US flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.
“The attack apparently affected 200,000 Cisco router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.
The statement said the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in Cisco routers. Cisco had earlier issued a warning and provided a patch, which some firms had failed to install over the Iranian new year holiday.
A blog post published on Thursday by Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, said: “Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client.”
And there is a suspicion that these “advanced actors” could have been working for a nation-state.
“Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT’s recent alert. As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths,” read the blog further.
On Saturday evening, Cisco said those postings were a tool to help clients identify weaknesses and repel a cyber attack.
The Cisco Smart Install Client is a legacy feature intended to allow zero-touch deployment of new Cisco switches; it listens on TCP port 4786 and, by design, requires no authentication. Hackers have worked out how to abuse this: the Smart Install protocol can be used to change a switch's TFTP server setting, exfiltrate configuration files over TFTP, modify the configuration file, replace the IOS image, and create accounts, which in turn allows execution of IOS commands.
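The practical first step after reading the above is to find out which switches on your own network still answer Smart Install requests from the outside. The following Python script is an added example, not code from the article or from Cisco: it opens TCP/4786, sends the fixed probe message, and checks whether the reply carries the signature of an active Smart Install client. The probe and response bytes are the ones I recall from Cisco Talos's public smi_check tool and should be treated as an assumption to be verified against that tool; the sample reply in the test is constructed.

```python
"""Probe hosts for an exposed Cisco Smart Install client (TCP/4786).

Added example; not from the article or from Cisco. The probe and reply
bytes below are an assumption based on the Talos smi_check tool.
"""
import socket
import struct

SMI_PORT = 4786

# Assumption: the fixed 24-byte probe that a Smart Install client answers.
SMI_PROBE = bytes.fromhex("000000010000000100000004000000080000000100000000")

# Assumption: the 24-byte reply prefix returned when the client is active.
SMI_ACTIVE_REPLY = bytes.fromhex("000000040000000000000003000000080000000100000000")


def parse_smi_words(data: bytes) -> list:
    """Split a Smart Install message into its big-endian 32-bit words.

    The protocol is a sequence of 4-byte fields; this helper makes a
    captured message readable without asserting what each field means.
    """
    n = len(data) // 4
    return list(struct.unpack(f">{n}I", data[: n * 4]))


def is_smart_install_reply(data: bytes) -> bool:
    """True if the reply starts with the active-client signature."""
    return data.startswith(SMI_ACTIVE_REPLY)


def probe_host(host: str, port: int = SMI_PORT, timeout: float = 3.0) -> str:
    """Return 'exposed', 'closed', 'other' or 'error' for one host.

    'exposed' means the device answered the probe like a Smart Install
    client and should get 'no vstack' (or be firewalled) unless the
    feature is genuinely in use.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SMI_PROBE)
            reply = s.recv(len(SMI_ACTIVE_REPLY))
    except (ConnectionRefusedError, socket.timeout):
        return "closed"
    except OSError:
        return "error"
    return "exposed" if is_smart_install_reply(reply) else "other"


if __name__ == "__main__":
    import sys

    # Usage: python smi_probe.py 10.0.0.1 10.0.0.2 ...
    for target in sys.argv[1:]:
        print(f"{target}: {probe_host(target)}")
```

Run it only against equipment you are authorised to test. For any switch that reports `exposed` and does not need the feature, the Cisco-documented remediation is `no vstack` in global configuration (`show vstack config` shows the current state), together with an access list that blocks TCP/4786 from untrusted networks.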