This publication and the abstract below were published by US-CERT on April 16, 2018. ICIT strongly encourages you to visit the US-CERT Publication Library to search for additional information security resources, which are freely available.
Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- Generic Routing Encapsulation (GRE) Enabled Devices
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported that the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, including the configuration files of networked devices.
NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for the presence of IP protocol 47 (GRE) traffic flowing to or from unexpected addresses, and for unexplained GRE tunnel creation, modification, or destruction events in device log files.
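The two checks just described can be scripted against exported flow records and device syslog. The following is an added example, not code from US-CERT or ICIT: it flags protocol 47 flows whose endpoints are outside a hypothetical allowlist of expected GRE peers, and tunnel interface state changes for tunnel names an administrator has not documented. The flow records, syslog lines, allowlist (`EXPECTED_GRE_PEERS`) and known-tunnel set are all constructed for illustration; real deployments would feed NetFlow/IPFIX exports and the router's syslog stream instead.

```python
"""Added example (not part of the US-CERT alert): surface unexpected GRE
(IP protocol 47) flows and undocumented tunnel changes from sample data."""
import csv
import io
import ipaddress
import re

# Constructed allowlist: networks that legitimately terminate GRE with us.
EXPECTED_GRE_PEERS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical

# Constructed set of tunnel interfaces the administrator knows about.
KNOWN_TUNNELS = frozenset({"Tunnel0"})  # hypothetical

# Constructed NetFlow-style export: src, dst, IP protocol number, bytes.
FLOW_RECORDS = """\
src_ip,dst_ip,proto,bytes
10.0.0.5,192.0.2.10,47,120000
10.0.0.7,198.51.100.99,47,8800
10.0.0.9,203.0.113.4,6,3000
10.0.0.5,198.51.100.99,47,5000
"""

# Constructed Cisco IOS-style syslog lines (timestamps are the first 15 chars).
SYSLOG_LINES = """\
Apr 16 10:00:01 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Apr 16 10:00:05 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.2)
Apr 16 11:30:12 rtr1 %LINK-3-UPDOWN: Interface Tunnel7, changed state to up
Apr 16 11:30:14 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to up
Apr 16 12:00:00 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
"""

GRE_PROTOCOL = 47
TUNNEL_RE = re.compile(r"Interface (Tunnel\d+), changed state to (up|down)")


def is_expected_peer(ip: str) -> bool:
    """True if the address falls inside one of the expected GRE peer networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_GRE_PEERS)


def find_unexpected_gre_flows(csv_text: str) -> list:
    """Return (src, dst, bytes) for protocol-47 flows where neither endpoint
    is an expected GRE peer; non-GRE flows are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["proto"]) != GRE_PROTOCOL:
            continue
        if is_expected_peer(row["src_ip"]) or is_expected_peer(row["dst_ip"]):
            continue
        hits.append((row["src_ip"], row["dst_ip"], int(row["bytes"])))
    return hits


def unexpected_tunnel_events(log_text: str, known=KNOWN_TUNNELS) -> list:
    """Return (timestamp, interface, state) for up/down events on tunnel
    interfaces that are not in the documented set."""
    events = []
    for line in log_text.splitlines():
        m = TUNNEL_RE.search(line)
        if m and m.group(1) not in known:
            events.append((line[:15], m.group(1), m.group(2)))
    return events


def report() -> dict:
    """Bundle both checks so a scheduled job can alert on non-empty results."""
    return {
        "unexpected_gre_flows": find_unexpected_gre_flows(FLOW_RECORDS),
        "unexpected_tunnel_events": unexpected_tunnel_events(SYSLOG_LINES),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name)
        for item in findings:
            print("  ", item)
```

On the constructed data, the two flows to 198.51.100.99 are reported because that address is outside the allowlist, while the GRE flow to 192.0.2.10 and the TCP flow are not; the two Tunnel7 events are reported because Tunnel7 is not a documented interface. A matching `%SYS-5-CONFIG_I` line near such an event is worth correlating by hand, since a tunnel appearing shortly after an unexplained configuration change is exactly the pattern the Alert describes.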