Why SMBs With Old Routers ‘Now Are A Target’ For Nation-State Hackers

All businesses that work with critical infrastructure providers should take notice, after the disclosure of a China-linked attack that compromised hundreds of small business and home routers, a cybersecurity veteran tells CRN.

A recent China-linked router hacking campaign demonstrates that even SMBs have become a major target for nation-state threat actors, according to a critical infrastructure security veteran.

The incident, revealed this week by the FBI, underscores the fact that companies of any size that serve as suppliers to U.S. critical infrastructure providers are at risk, said Michael Welch, a former CISO within critical infrastructure sectors.

Such small businesses “may not think they're a target,” Welch, who is now a managing director at consultancy MorganFranklin Consulting, told CRN. “But because they are a supplier to a critical infrastructure, they now are a target.”


On Wednesday, the FBI disclosed that a recent operation succeeded in disrupting the efforts of Volt Typhoon, which is backed by the Chinese government, according to the agency, to compromise U.S. critical infrastructure providers. Targets included providers of critical services including communications, energy, water and transportation, the FBI said.

Specifically, Volt Typhoon was found to have hijacked “hundreds” of small business and home routers based in the U.S. as part of the scheme, according to the FBI. The routers together formed an assembly of malware-infected devices, known as a botnet, which the threat group could use to launch attacks against U.S. critical infrastructure, the FBI said.

Volt Typhoon acquired these “launching pads” for critical infrastructure attacks by exploiting vulnerabilities in small office and home office routers, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI said Wednesday.

The “vast majority” of routers in the Volt Typhoon botnet were end-of-life routers from Cisco and NetGear, which are no longer supported with security updates, the FBI said.

In a statement, Cisco said it is “aware of reported attacks on some End-of-Life networking products.” For customers, “it’s important to realize the security risk of running such products. As risks evolve, so does the design of products to stay ahead of malicious actors,” the company said.

CRN has reached out to NetGear for comment.

‘A Larger Target’

The use of old, unsupported routers by SMBs is not uncommon because of the cost of upgrading, according to Welch, who heads MorganFranklin’s utilities, industrial and critical infrastructure security unit.

“If they don't think they're a target, then they're not going to upgrade,” he said. “But now they just made it easy for the bad actors to compromise that device and make it part of that botnet.”

Nation-state threat actors know that if they target a critical infrastructure provider directly, and the traffic comes from an IP address in China or North Korea, they are going to be blocked, Welch said.

But if they’re able to use domestically located routers, it will likely just be assumed that what they’re doing is harmless scanning activity, he said.
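The practical lesson for defenders is that a geo-IP deny list catches only the first case Welch describes; a scan proxied through a compromised domestic router arrives from a “trusted” U.S. address and sails through. The following is an added example, not code from CRN, Welch, or the FBI/CISA advisory: it runs a geo-block check and a simple behavioral port-scan heuristic over constructed firewall log lines (the log format, the prefix-to-country table built on RFC 5737 documentation ranges, the 60-second window and the five-port threshold are all assumptions) and shows which scanner each approach catches.

```python
"""Geo-IP blocking vs. behavioral scan detection on constructed firewall logs.

Added example. The log lines, the geolocation table and the thresholds are
invented for illustration; replace them with your own feeds and tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed log lines: "<ISO time> <src_ip> -> <dst_ip>:<dst_port> <action>".
# 203.0.113.10 plays a foreign scanner; 192.0.2.44 plays the same scan
# proxied through a domestic SOHO router; 192.0.2.90 is benign traffic.
SAMPLE_LOG = """\
2024-02-01T10:00:01 203.0.113.10 -> 198.51.100.5:22 deny
2024-02-01T10:00:02 203.0.113.10 -> 198.51.100.5:23 deny
2024-02-01T10:00:03 203.0.113.10 -> 198.51.100.5:502 deny
2024-02-01T10:00:04 203.0.113.10 -> 198.51.100.5:3389 deny
2024-02-01T10:00:05 203.0.113.10 -> 198.51.100.5:8080 deny
2024-02-01T10:00:06 203.0.113.10 -> 198.51.100.5:443 deny
2024-02-01T10:01:00 192.0.2.44 -> 198.51.100.5:22 allow
2024-02-01T10:01:01 192.0.2.44 -> 198.51.100.5:23 allow
2024-02-01T10:01:02 192.0.2.44 -> 198.51.100.5:502 allow
2024-02-01T10:01:03 192.0.2.44 -> 198.51.100.5:3389 allow
2024-02-01T10:01:04 192.0.2.44 -> 198.51.100.5:8080 allow
2024-02-01T10:01:05 192.0.2.44 -> 198.51.100.5:443 allow
2024-02-01T10:05:00 192.0.2.90 -> 198.51.100.5:443 allow
2024-02-01T10:05:30 192.0.2.90 -> 198.51.100.5:443 allow
"""

# Assumed geolocation table: documentation prefixes stand in for real ranges.
ASSUMED_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",  # pretend foreign source
    ipaddress.ip_network("192.0.2.0/24"): "US",    # pretend domestic residential
}
DENY_COUNTRIES = {"CN", "KP"}  # the kind of list Welch's geo-block implies


def country_of(ip):
    """Look up the assumed country code for an address ('??' if unmapped)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in ASSUMED_GEO.items():
        if addr in net:
            return cc
    return "??"


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst_ip, "port": int(dst_port), "action": action})
    return events


def geo_blocked_sources(events):
    """Sources a country-based deny list would stop."""
    return sorted({e["src"] for e in events if country_of(e["src"]) in DENY_COUNTRIES})


def scanning_sources(events, window=timedelta(seconds=60), min_ports=5):
    """Sources touching >= min_ports distinct destination ports inside `window`.

    A sliding window over each source's time-sorted events; the source is
    flagged the first time any window holds min_ports distinct ports.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["port"] for e in evs[start:end + 1]}) >= min_ports:
                flagged.append(src)
                break
    return sorted(flagged)


def triage(text):
    """Compare the two controls and report what geo-blocking alone misses."""
    events = parse_log(text)
    geo = set(geo_blocked_sources(events))
    scans = set(scanning_sources(events))
    return {"geo_blocked": sorted(geo), "scanners": sorted(scans),
            "missed_by_geo": sorted(scans - geo)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the geo filter stops only 203.0.113.10, while the port-sweep heuristic flags both scanners and the benign 192.0.2.90 is left alone; the domestic proxy 192.0.2.44 is exactly the case that shows up under "missed_by_geo". Behavioral rules like this one belong alongside, not instead of, reputation and geo lists, and the window and port thresholds need tuning against your own baseline.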

It’s also relatively easy for threat actors to determine which businesses are suppliers to critical infrastructure providers, according to Welch, who formerly worked in critical infrastructure sectors at companies including electric and gas utility Duke Energy and foods supplier OSI Group.

Thus, if your company works with critical infrastructure customers, but thinks it’s not a target itself, the reality is that “you are,” he said. “The bad actors don't really care. You're an IP address to them.”

Ultimately, “if you are a supplier to the critical infrastructure space, it does make you a larger target,” Welch said.

Cybercrime And Critical Infrastructure

Welch also said he agreed with concerns aired this week by Robert M. Lee, co-founder and CEO of industrial cybersecurity firm Dragos, about the heightened threat to critical infrastructure from cybercriminals.

In comments during a press briefing, Lee said that a group such as Volt Typhoon would likely have the resources to develop toolsets that are reusable across many different sectors of critical infrastructure.

One such toolset, known as Pipedream, was discovered by Dragos in 2022 before it could be used. Cybersecurity firm Mandiant said at the time that the toolset was “consistent with Russia's historical interest in ICS.”

Pipedream set off alarm bells because it could be deployed against “any different industry,” Lee said — making it a “highly scalable” way to “interact with industrial networks and environments to cause physical destruction.”

Right now, “what concerns me is that other countries are working on very similar capabilities, and [Pipedream] still exists in that country,” Lee said. “And these capabilities are going to start proliferating to criminals.”