FBI Boston thwarts Russian attack on small business routers.
This January (2024) the Boston FBI field office thwarted a Russian GRU-connected attack on small business routers that compromised the devices and networks to create a global spying platform.
See the article here:
This time it was Ubiquiti devices that the Russian military intelligence (GRU) unit known as ‘Fancy Bear’ (APT28) targeted, but a quick search by this author revealed that this type of attack could also be possible against Palo Alto, Cisco Meraki and Fortigate firewalls. While the speculation is that this capability is being used by Russia in its war against Ukraine, the following takeaways should really be the focus for the biotech industry:
Russia and other cyber espionage groups are targeting small businesses
It is fairly recent history that many of us tended to believe only large companies were victims of cyber attacks. Indeed, in the early 2000s cyber attacks were expensive to mount and far fewer small organizations had the online presence we have today. Clearly much has changed in the small business sector, but much has changed in the way attackers operate as well. We are seeing a significant ramp-up in nation state-funded groups that now operate in a far more organized fashion with vastly greater resources. This combination has led these groups to engage startups and small businesses with far greater frequency and success.
Biotechs are vulnerable
As attacks spread to small businesses, the life science community is not immune. Just days before the announcement by the FBI came an announcement by Russian leader Vladimir Putin that his government is developing “cancer vaccines and immunomodulatory drugs”.
Article here: https://www.reuters.com/business/healthcare-pharmaceuticals/putin-says-russia-is-close-creating-cancer-vaccines-2024-02-14/
With few details and a well documented history of ‘embellishing’ capabilities, this statement holds very little weight in this author’s mind; however, the point is not lost that pharma dominance is a valuable asset for many global leaders. This puts the crosshairs squarely on organizations within the US, and Cambridge specifically.
This threat scales and does not rely on an attacker targeting a company directly
The interesting tidbit that binds the above points together is that this attack was perpetrated using a weakness that scales. As I will reference frequently, any technology that enables fast replication and automation is as powerful as it is dangerous. We leverage this all the time with cloud computing, but we should always remember that while scaling up with a mouse click is easy, so too is accidentally making all your data publicly available through one small system misconfiguration.
In this case, the attackers used a botnet that automatically scanned for and compromised further devices with the same weakness. The attacked networks came to them rather than the attackers having to find a vulnerable entity and begin an attack by hand. Imagine being in the attacker’s shoes and having already-compromised networks appear in your inbox ready for traversing and browsing.
Using default passwords is bad but the practice is obviously still in use
This attack propagated so effectively because it relied on publicly documented default passwords. California SB-327 came into effect Jan 1 of 2020 and requires that a ‘connected device’ either ship with a password unique to each device or force the user to set new credentials before first access. Note that it applies to devices sold in California after that date; equipment already deployed, or bought elsewhere, is not covered. Link here https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
Nevertheless, many organizations use default, weak or breached passwords, often without their knowledge. This is particularly common as startups get off the ground. Why focus on complicated security if there is nothing yet of value to protect? Why audit the service provider that configured the hardware? We make these mistakes and then have to compensate later at a greater cost.
The US government did a good thing, worked as expected, but don’t rely on this
Part of what I find absolutely mind blowing here is that the FBI actually accessed these routers itself to remove the malware and close the hole. This is not unprecedented, and in this case it was court-sanctioned and done in collaboration with Ubiquiti. It turns out the FBI has remotely cleaned up compromised private devices before, and there are even private (anonymous but assumed to be benevolent) parties that have been known to break into vulnerable devices and secure them (even leaving a friendly message behind in the process).
That said, do we really want anyone to access our equipment, and if so, do we simply hope that the ‘good guys’ get there first? If you are an enterprise leader and you agree with the preceding statements, your business is likely already in jeopardy for reasons other than technology. The better option is to take control of our security and the organization’s future.
Remediation, even if nothing went wrong, is still damaging because time and money are required
Another point to consider is that even though all this went well, the fix the FBI applied locked all parties (including the device owner) out of the router’s remote management feature. This means that at some point the enterprises that were woefully behind on their security now need to schedule downtime and fix the problem themselves. The calculation I use with clients is as follows:
The average biotech salary across the US according to biospace.com as of this writing is $142,885 for professionals in the industry.
Without including the cost of any other benefits, and assuming roughly 2,000 working hours per year, this means that a 30-person organization is paying out to its talent roughly $2,140 every working hour.
Three days of downtime (24 working hours, for example) would cost a startup $51,360 before any other costs are taken into account. Other costs vary widely but often include R&D delays, partnership risks, reputation damage, legal fees and IT fees. This certainly illustrates the need for a careful balance of prevention in a startup’s journey.
You are ultimately responsible for your own security
At the end of the day, we learn that each organization is responsible for its own security. Using default device and platform settings is often OK, but it still requires an experienced expert to review them, even at a basic level. Some things to watch out for include:
default passwords
default firewall or stale firewall rules
delayed patching or no patching
misconfiguration
Keep these in mind for yourself, but also remember that regular checkups are a requirement, and have a good ally on your side.
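The checklist above, and the default-password point earlier in this post, can be turned into a routine audit rather than a one-time review. The following is an added example written for this page, not code from the original post or from any vendor: it audits a small constructed inventory of edge devices for published default credentials, breached or short passwords, passwords reused across devices, management interfaces reachable from the WAN, stale firmware and firewall rule sets nobody has reviewed in months. The ubnt/ubnt entry is the well-known Ubiquiti EdgeRouter default; the second vendor, its defaults, the breached-password set and every device record are constructed for illustration.

```python
"""Offline audit of a device inventory for the weaknesses listed above.

Added example for this post. The inventory, the breached-password set and the
"hypothetical-vendor" defaults are constructed; ubnt/ubnt is the real,
publicly documented EdgeRouter default.
"""
from dataclasses import dataclass
from datetime import date
from hashlib import sha1

# Published vendor defaults keyed by (vendor, model). Extend from your own
# verified sources; the second entry is a placeholder, not a real product.
KNOWN_DEFAULTS = {
    ("ubiquiti", "edgerouter"): {("ubnt", "ubnt")},
    ("hypothetical-vendor", "fw-100"): {("admin", "admin"), ("admin", "password")},
}

# Constructed breach list, held as upper-case SHA-1 hex (the way HIBP publishes
# its ranges) so the audit never stores breached plaintext itself.
BREACHED_SHA1 = {sha1(p.encode()).hexdigest().upper() for p in ("Summer2023!", "ubnt")}

TODAY = date(2024, 3, 1)  # fixed "now" so the example is reproducible


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    username: str
    password: str
    firmware_date: date        # date of the running firmware build
    mgmt_reachable_from: str   # "lan" or "wan"
    rules_reviewed: date       # last time someone read the firewall rules


def audit_device(d, today, max_patch_age_days=90, max_rule_age_days=180):
    """Return the list of finding labels for one device (empty means clean)."""
    findings = []
    if (d.username, d.password) in KNOWN_DEFAULTS.get((d.vendor, d.model), set()):
        findings.append("default-credentials")
    if sha1(d.password.encode()).hexdigest().upper() in BREACHED_SHA1:
        findings.append("breached-password")
    if len(d.password) < 12:
        findings.append("short-password")
    if d.mgmt_reachable_from == "wan":
        findings.append("remote-management-exposed")
    if (today - d.firmware_date).days > max_patch_age_days:
        findings.append("stale-firmware")
    if (today - d.rules_reviewed).days > max_rule_age_days:
        findings.append("stale-firewall-rules")
    return findings


def audit_inventory(devices, today):
    """Audit every device, then flag passwords shared between devices."""
    report = {d.name: audit_device(d, today) for d in devices}
    by_password = {}
    for d in devices:
        by_password.setdefault(d.password, []).append(d.name)
    for names in by_password.values():
        if len(names) > 1:  # one compromised box must not unlock the rest
            for n in names:
                report[n].append("password-reused")
    return report


def sample_inventory():
    """Constructed inventory: one untouched default install, one clean box,
    and two that share a weak password."""
    return [
        Device("edge-1", "ubiquiti", "edgerouter", "ubnt", "ubnt",
               date(2023, 6, 1), "wan", date(2023, 1, 10)),
        Device("lab-fw", "hypothetical-vendor", "fw-100", "admin", "k7#Vq2!pLm9zR4w",
               date(2024, 2, 1), "lan", date(2024, 1, 15)),
        Device("office-fw", "hypothetical-vendor", "fw-100", "admin", "Summer2023!",
               date(2024, 2, 10), "lan", date(2024, 2, 1)),
        Device("branch-fw", "hypothetical-vendor", "fw-100", "admin", "Summer2023!",
               date(2024, 2, 10), "wan", date(2024, 2, 1)),
    ]


if __name__ == "__main__":
    for name, findings in audit_inventory(sample_inventory(), TODAY).items():
        print(f"{name:10s} {'OK' if not findings else ', '.join(findings)}")
```

Run it as a script to print one line per device. In practice the inventory would be generated from your device management export rather than typed in, and the breach set would come from a downloaded HIBP range file; the checks themselves stay the same. The reuse check is deliberately done at inventory level rather than per device, because that is exactly the property a self-propagating botnet exploits once it holds one set of credentials.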