Cyber-espionage groups —also referred to as advanced persistent threats (APTs)— are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab.

"It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today.

"We've seen a bunch of router attack throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants."

The number of APTs using router hacks has increased

But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018.

For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.

Similarly, the Inception Framework APT, another nation-state-backed cyber-espionage operation, hacked home routers and built a network of proxies it could hide behind using an attack known as UPnProxy.

But these are just two of the known cases. There are many more other examples that are not known to the public. Raiu details one.

"From our own research, we've spotted the LuckyMouse APT [using routers] for hosting their command and control servers, which is kind of unusual," the expert said. "This is something that you don't see very often."

"We believe that they've managed to hack a router through an SMB vulnerability and this allowed them to upload their CGI scripts used for command and control."

Raiu: A lot of things happening in the background

LuckyMouse is a new APT. There is no public report detailing the LuckyMouse APT's activity, but this is one of the few cases where researchers have managed to link router hacks to a cyber-espionage group's operations. More incidents still need to be investigated, such as the mysterious case of synchronized router reboots.

"One thing interesting in Q1 [2018], we've seen a Govcert advisory on unusual reboots for a prominent router brand. In some cases, these reboots were taking place at the pretty much the same minute across multiple devices deployed in infrastructures, suggesting that it's somehow coordinated," Raiu said today.

"Unfortunately, there isn't much information available about this. We don't know if it's a malicious attack or if it's perhaps the hardware part, but definitely, it's something which hints at the fact that router attacks are hot and probably there are a lot of other things happening in the background that we do not see.

US Govt: Routers are a preferred attack vector

"To support this theory, the US government released a document that said that router attacks have been the preferred attack vector for a number of malicious actors for a number of years," Raiu added.

"And I think this is a quite significant statement because if you look at the number of reports about router malware and router attacks, it's actually very few of them. So saying that this is the preferred attack route this actually means that there's a lot going on that we don't see.

"So, all in all, I would say that we're seeing more and more of these router attacks, and for sure we will see even more in the upcoming months throughout the year and the upcoming years for sure."

Currently, Kaspersky classifies routers as a "growing areas of risk" for APT operations, next to the recent wave of newly-disclosed CPU vulnerabilities, such as Meltdown, Spectre, Chimera, RyzenFall, Fallout, and MasterKey, which fellow Kaspersky researcher Vicente Diaz sees as a threat as threat actors will learn to weaponize for attacks.