Attackers Infect Cisco Routers with “SYNful Knock” Backdoor to Steal Data

Researchers have discovered significant, clandestine cyber attacks in countries across three continents where more than a dozen compromised Cisco routers have been found operating in the wild.

Security researchers at FireEye have uncovered more than a dozen compromised routers operating in the wild as part of attackers’ attempts to infiltrate corporate and government networks in four countries, according to a blog post by the security firm.

“This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool,” noted Dave DeWalt, FireEye Chief Executive.

The published article by FireEye can be found here.

The malware used in the compromise, ‘SYNful Knock’, has been discovered by FireEye in at least 14 cases across four countries: Mexico, the Philippines, Ukraine, and India.

It is important to note that the attack is not tied to one vendor and is in principle possible on any router. However, every real-world infection discovered so far has been found on routers manufactured by Cisco, the world’s top supplier of routers.

The Critical Threat Posed by a Compromised Router

“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” researchers at FireEye wrote.

“This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”

Malware-infected, compromised routers were once considered a profound but largely theoretical risk; finding them in the real world puts the spotlight on the serious threat such a scenario poses.

Routers typically sit outside the protection of firewalls and other security software, because their very purpose is to connect computer networks to the Internet. It’s easy to see why such devices are attractive to attackers.

“If you own (compromise) the router, you own the data of all the companies and government organizations that sit behind that router,” DeWalt told Reuters.

Only last month, Cisco urged users in an advisory to be vigilant against malware, noting that it had detected instances of malicious router ROM images being used in the wild.

State-sponsored Hackers under Suspicion

Cybersecurity experts, including DeWalt, claim that only a select group of nations with cyber intelligence capabilities are capable of sophisticated attacks on network equipment such as routers. Those countries include China, Israel, Britain, Russia and the United States.

Such a feat is within the reach of only a handful of nation-state actors, DeWalt said.

FireEye says it went public with the discovery only after first informing Cisco and working quietly in the background to notify affected companies, networks, and governments.

The discovery is all the more significant because network logs show that infected routers may have facilitated these clandestine attacks for at least a year, according to FireEye.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.