Hacked Routers

The Internet is a gigantic collection of linked networks that span the globe. The networks are connected using routers.

A router is a specialized computer that directs traffic on the Internet. As the Internet consists of hundreds of thousands of smaller networks linked together, the use of routers is absolutely necessary for it to function.

When you want to visit a particular website, you type the address of the site into your Web browser. The address goes to the nearest router and the router decides where the required site is on the Internet.

The router also determines the most efficient path through all the networks to reach a particular destination, based on the traffic in different parts of the Internet and the available connections.

Cisco Systems is an American multinational technology company that designs, manufactures and sells networking equipment, including most of the routers used on the Internet. In fact, 85 percent of Internet traffic travels through Cisco’s systems.

Hacked Routers

Security firm FireEye announced recently that its researchers have discovered malware (dubbed SYNful) on 14 Cisco routers in the Ukraine, the Philippines, Mexico and India.

SYNful replaces the operating system used in Cisco’s network equipment and thus opens a back door that provides a permanent foothold inside a targeted network.

This enables the hackers to harvest vast amounts of data while going undetected by existing cyber-security defenses, according to Mandiant, FireEye’s computer forensic arm.

Cisco has confirmed that it has alerted its customers to these hacking attacks and said that it was working with Mandiant to develop ways for customers to detect the attacks.

Indeed, Cisco has published intrusion detection signatures that customers can use to look for attacks in progress, which, if found, can then be blocked.

If successful attacks are detected, customers will have to re-image the software used to control their routers.

It is highly probable that many other instances of these hacks have not been discovered, according to FireEye. Indeed, it is likely that the infected routers are being used to infect other parts of the Internet.

Because the implanted software duplicates the normal functions of routers, it could also affect routers from makers other than Cisco.

How Bad is the Threat?

Routers operate outside the perimeter of firewalls, anti-virus and other security tools used by organizations to safeguard data traffic.

This means that the estimated US$80 billion spent every year on cyber-security tools is money down the drain where this form of attack is concerned.

According to Cisco, SYNful does not take advantage of any vulnerability in its own software. Instead, it steals valid network administration credentials from the organizations targeted by the hackers so that it can install itself, or it is installed when the hackers gain physical access to Cisco routers.

No matter how it is installed, if a hacker seizes control of a router then he has control over all the data of the companies and government organizations that flows through that router.

According to FireEye, the affected routers have been used to hit multiple industries and government agencies. The company also says that the router logs indicate that the hacks began well over a year ago.

So what does all this imply for the ordinary consumer, who does his or her shopping and banking online?

The answer depends on who the hackers are working for.

The USA’s global spy agency, the NSA (National Security Agency), has a habit of intercepting networking equipment and installing backdoors before the equipment reaches customers.

This came to light in May 2014. In 2015, Cisco began offering to deliver this kind of equipment directly to customers in order to avoid interception by the NSA or other miscreants.

The latest findings from FireEye suggest the miscreants, whoever they are, are managing to implant malware on routers no matter how they are being delivered.

While it is likely that the NSA or some other state actor is the culprit, this is not at all certain, even though FireEye says that interception could only be done by a handful of sovereign states. In this writer’s view, the miscreants could well be a criminal gang intent on commercial gain.

Perhaps it would be as well to check with your bank to see whether they have any reservations regarding online banking in the light of these revelations.

About the author


Paul D Kennedy

Paul Kennedy is the marketing manager of Jupiter Support (Ireland).