Botnets made up of hacked home routers were used to launch distributed denial-of-service attacks against the five largest financial organizations in Russia.
The attacks occurred on Monday, Dec. 5, and were detected and mitigated by Rostelecom, Russia's state-owned telecommunications company. The attacks peaked at 3.2 million packets per second (Mpps) and the longest attack lasted for over two hours, Rostelecom reported Friday.
The company did not provide a bandwidth measurement for the attacks, but 3.2Mpps is not that much. DDoS mitigation providers regularly see attacks that exceed 100 Mpps and a very large September attack against the website of cybersecurity blogger Brian Krebs peaked at 665Gbps and 143Mpps.
This week's DDoS attacks against the Russian banks used the TCP SYN flood technique and originated from hacked home routers, according to Muslim Medzhlumov, director of Rostelecom's cybersecurity center.
A common trait for these routers is that all of them were using the CPE WAN Management Protocol (CWMP), also known TR-069. This is a protocol used by ISPs to remotely manage routers installed in their customers' homes.
A vulnerability was recently found in the TR-069 implementation from routers handed out to users by ISPs in multiple countries, including Deutsche Telekom in Germany, Eir in Ireland and TalkTalk in the U.K. Attackers quickly took advantage of the flaw to infect thousands of devices with malware and it's very likely that some of them were used to launch the attacks against the Russian banks.
Last Friday, the Russian Federal Security Service, the FSB, said that it foiled a large-scale cyberattack planned by a foreign intelligence service that aimed to destabilize the country’s financial system.
The attack was planned for Dec. 5, according to the FSB, and would have included spreading fake claims about a crisis in the country's financial system via social media and text messages. It's not clear whether DDoS was also part of the plan and if the attacks mitigated by Rostelecom are related to the foiled campaign.
DDoS attacks against banks are not unusual. In 2012, crippling DDoS attacks disrupted the online services of multiple banks in the U.S. In July 2015, three banks in the U.K. suffered similar disruptions. According to the FBI, financial institutions regularly receive extortion emails from hackers threatening to disrupt their services.