Hackers last Friday disrupted internet access in Russia and Iran with an attack that left a digital message: an image of the US flag accompanied by the words, “Don’t mess with our elections.”
The messages were written on Cisco network switches, which came under assault from a mysterious hacking group calling itself “JHT.”
In an email, the group told Motherboard: “We were tired of attacks from government-backed hackers on the United States and other countries.”
“We simply wanted to send a message,” the group added.
To attack the network switches, the hackers exploited a publicly known bug in Cisco’s Smart Install Client software that can let you execute code and trigger an outage. Cisco has released a patch, but not everyone has had a chance to install it.
The security firm Kaspersky Lab noticed the disruption and said it mainly hit “the Russian-speaking segment” of the internet by attacking data centers installed with the network switches. As a result, some websites briefly went down.
In russia as well. Photo from Russian telecom operators telegram channel. pic.twitter.com/7SaMLiDEeN
— Denys Fedoryshchenko (@nuclearleb) April 7, 2018
Iranian authorities reported suffering a disruption too. About 3,500 switches were affected, but most of the network was back online by Saturday, the country’s technology ministry said.
The hackers most likely programmed a bot to search for the Cisco switches by scanning the open internet, according to Kaspersky Lab. Cisco itself published a blog post last Thursday, mentioning that 168,000 unpatched systems were probably carrying the vulnerability.
In the same blog post, Cisco warned that nation-state actors, including those from Russia, were exploiting the vulnerability to attack victims. The incidents have occurred in “multiple countries” and targeted critical infrastructure.
Friday’s attack occurred as Russia has been blamed for not only interfering in the 2016 US election, but also for hacking the the country’s energy industry. However, the Kremlin has denied any involvement.
So far, the mysterious hacking group JHT has remained largely mum on last Friday’s attack. Messages to the group’s email address at firstname.lastname@example.org were not immediately returned.