Russian Cyber Attacks on Singapore Summit

  • Figures from F5 Labs report 88% of malicious traffic originated in Russia and targeted VoIP Phones and IoT devices

Cybersecurity researchers at F5 Networks, an American application services and security company, have released a report which identifies a series of cyber-attacks targeting Singapore on 11th June 2018 and 12th June 2018.

It’s no secret Russia has been launching a steady barrage of coordinated cyber-attacks against the US as many sanctions have been issued against Russian officials and businesses since the 2016 Presidential election. Beyond official sanctions, the US-Cert issued an alert in April regarding Russia maintaining persistent access to small office and home office routers warning of widespread espionage.

Specifically, 88% of malicious traffic originated in Russia and targeted VoIP Phones (the kind found in many hotels) and IoT devices.

Technical Details:

  • Russia accounted for 88% of the attacks against Singapore on 12th June 2018
  • The attacks were primarily reconnaissance scans—looking for vulnerable systems–from a single Russian IP address (188.246.234.60), followed by actual attacks that came from both Russia and Brazil.
  • The top attacked target was a protocol known as SIP 5060, which is used by IP phones to transmit communications in clear text.
  • The number two attacked port was telnet, consistent with IoT device attacks that could be within proximity to targets of interest.
  • Other ports attacked include Port 7457, the same target used by the Mirai botnet and Annie to target ISP managed routers.

About the attack:

  • SIP is an IP phone protocol, 5060 is specifically the non-encrypted port.
    • It is unusual to see port 5060 as a top attack destination port.
    • F5 assessment is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server.
  • Telnet is the most commonly attacked remote administration port by IoT attackers.
    • F5 reports that it is very likely the attackers were looking for any IoT device they could compromise that could provide them access to targets of interest where they could then spy on communications and collect data.
  • Port 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spin off that caused millions of dollars of damage to European ISPs in late 2016.
    • If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and could see any traffic through those devices, collecting data, redirecting traffic, etc. in what’s known as a “Man in the Middle” attack.
  • Port 8291 was recently attacked by Hajime, the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai. If any devices in Singapore were listening on this port, and protected with vendor default credentials, it is likely the attackers could have gained access.

Conclusion

It is unclear what the attackers were after with the SIP attacks, nor if they were successful. F5 will continue to analyze the attack data and update this story as we make new discoveries.

F5 does not have evidence directly tying this attacking activity to nation-state sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia carrying out their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.

In regards to mitigating the threat of these types of attacks, which in this case is internet of things devices and databases directly touching the internet, F5 advises to always:

  • protect remote administration to any device on your network with a firewall, VPN, or restrict to a specified management network, NEVER allow open communication to the entire internet.
  • always change vendor default administration credentials
  • stay up to date with any security patches released by the manufacturer

About F5 Labs

F5 Labs combines the threat intelligence data we collect with the expertise of our security researchers to provide actionable, global intelligence on current cyber threats—and to identify future trends. We look at everything from threat actors, to the nature and source of attacks, to the post-attack analysis of significant incidents to create a comprehensive view of the threat landscape. From the newest malware variants to zero-day exploits and attack trends, F5 Labs is where you’ll find the latest insights from F5’s threat intelligence team.

Email This Post