Unknown hackers have exploited a loophole in the Cisco protocol to strike internet service providers worldwide, in a coordinated attack against data centers, leaving a US flag and a message reading “Don't mess with our elections.”

Iranian data centers became some of the latest victims of the global bot attack late on Friday. Disabling router switches for internet service providers at data centers, the hackers, in a malign stunt, cut off web access for subscribers in their respective countries. “Don't mess with our elections,” the message on the compromised systems read, next to US flag, Iran’s IT Minister Mohammad-Javad Azari Jahromi revealed in a Twitter picture message.

بررسیهای اولیه حاکی از آن است که در تنظیمات مسیریابهای مورد حمله قرار گرفته، با حک پرچم ایالت متحده، اعتراضی درباره انتخابات آمریکا صورت گرفته است. دامنه حملات فراتر از ایران است. منشا حملات در دست بررسی است pic.twitter.com/L8erHB52j1 — MJ Azari Jahromi (@azarijahromi) 6 апреля 2018 г.

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Ministry of Communication and Information Technology said in a statement on Saturday, IRNA reported.

While Iran managed to neutralize the intrusion within hours, with no data being compromised, Azari Jahromi noted that some 55,000 devices were affected in the United States and 14,000 in China. In addition, several providers across Russia reportedly experienced the internet service attack, which affected the content of Russian news outlets and Twitter users.

Read more

While the perpetrators of the attack have yet to be discovered, someone in control of an email address used in the cyberattacks told Motherboard on Saturday that they were simply retaliating against countries who they think ‘interfered’ in election processes in a number of countries.

“We were tired of attacks from government-backed hackers on the United States and other countries,” the message said.

In a blog post on Friday, Russian cybersecurity firm Kaspersky Lab said the ongoing “bot” attack was exploiting a vulnerability in a piece of software called Cisco Smart Install Client, which hackers use to “run arbitrary code on the vulnerable switches.” Their actions resulted in some downtime for data centers, which led to some popular sites being down for the duration of the attack.

“The malefactors then rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads 'Do not mess with our elections' there. The switch then becomes unavailable,” the cybersecurity firm said. “There’s a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them. Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the config – and thus takes another segment of the Internet down.”

On Thursday, Cisco did, in fact, admit that “several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol.” The full extent of the attack is not yet known.

Think your friends would be interested? Share this story!