Cyber-spies have managed to plant snooping software in Cisco routers on three continents. Routers are the devices that direct traffic around the Internet.
Security research firm FireEye says it has so far found 14 instances of the router implants in India, Mexico, the Philippines and Ukraine, adding that this may be just the tip of the iceberg and that the problem could potentially affect routers from other makers.
A highly sophisticated form of malicious software was installed onto the devices, but Cisco - the world's top supplier of routers - said the attacks were not due to any vulnerability in its own software. Instead, the attackers stole valid network administration credentials from targeted organisations or managed to gain physical access to the routers.
"We've shared guidance on how customers can harden their network and prevent, detect and remediate this type of attack," Cisco said in a statement.
The malicious programme, which duplicates normal router functions as well as spying on traffic, has been nicknamed "SYNful Knock" in reference to its ability to jump from router to router using the device's syndication functions.
FireEye said the infected hardware devices uncovered so far include Cisco routers 1841, 2811 and 3825, all of which Cisco has discontinued selling but still supports. The firm confirmed it had alerted customers to the attacks in August.
Network logs from infected routers suggest the attacks have been taking place for at least a year, FireEye's CEO Dave DeWalt said, and the attacks have hit multiple industries and government agencies.
Routers are attractive to hackers because they operate outside firewalls, anti-virus and other security tools, but while consumer routers have been hit by malware in recent years, until now attacks on commercial routers have largely been considered theoretical threats, DeWalt said.
"If you own [seize control of] the router, you own the data of all the companies and government organisations that sit behind that router," he added. "This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool."
DeWalt said there are only a small number of nations with cyber-intelligence services sophisticated enough to launch such attacks on network equipment, including those of Britain, China, Israel, Russia and the USA.
"That feat is only able to be obtained by a handful of nation-state actors," DeWalt said, while declining to name which countries he suspected might be behind the Cisco router attacks.
Dealing with infected routers will require technicians to re-image all of the software controlling the router, as the malware actually replaces the basic firmware, FireEye said.
The company said it had worked with Cisco to quietly notify governments and affected parties before releasing the news. "We thought it was best to release this so everyone can fix their routers as fast as possible," DeWalt said.