Iran claims US exploited networking equipment backdoors during strikes — says devices from Cisco and others failed despite blackout in attack that 'indicates deep sabotage'
Cisco, Juniper, Fortinet, and MikroTik devices allegedly rebooted or disconnected during the conflict.
Iranian state media has alleged that equipment from Cisco, Juniper, Fortinet, and MikroTik failed during U.S. and Israeli military operations against Iran. The report, which claims that “American ‘black boxes’ failed at zero hour of the attack on Isfahan,” concerns devices that Iran claims either rebooted or dropped offline despite the country having already been disconnected from the global Internet, a fact it says "indicates deep sabotage."
Iranian media speculates that hidden firmware or backdoors allowed remote sabotage, possibly triggered by satellite or at a pre-set time. None of the claims has been independently verified, and given that the claims originate from state media, some skepticism is merited.
Meanwhile, the U.S. hasn’t addressed Iran's specific allegations, but has publicly confirmed that it conducted cyber operations against Iran's communications infrastructure. Chairman of the Joint Chiefs of Staff, General Dan Caine, said during a March 2nd Pentagon briefing that U.S. Cyber Command and U.S. Space Command were the “first movers” in so-called Operation Epic Fury, the military campaign launched against Iran at the end of February. Caine said coordinated space and cyber operations disrupted Iranian communications and sensor networks before strikes began.
Iran’s claims are unverified, but each of the four vendors it named — Cisco, Juniper, Fortinet, and MikroTik — has a documented record of security issues. NSA documents leaked by Edward Snowden in 2014, for example, demonstrated the agency’s Tailored Access Operations unit intercepting Cisco routers during shipping and installing surveillance implants before repackaging them. Cisco never cooperated with the program and later began shipping equipment to decoy addresses to disrupt interception.
Juniper Networks, meanwhile, disclosed in 2015 that it had found unauthorized code in the ScreenOS firmware running on its NetScreen firewalls, which could allow attackers to bypass authentication and decrypt VPN traffic. Fortinet acknowledged in 2016 that older versions of FortiOS contained hardcoded SSH passwords granting remote access, though it characterized the problem as a management authentication issue. As for MikroTik, its routers have been a persistent target for botnet operators, with Tenable documenting a vulnerability chain in 2019 that could enable an attacker to downgrade firmware and create a persistent backdoor.
Chinese state media seized the opportunity to pile on Iran’s claims, with the country’s National Computer Virus Emergency Response Center, which has repeatedly claimed that the U.S. fabricated the Volt Typhoon hacking campaign to deflect from its own cyber operations, promoting the allegations as further evidence of American backdoors in networking hardware. Five Eyes intelligence agencies have attributed Volt Typhoon to Chinese state-sponsored actors targeting Western critical infrastructure.
Iran's Internet, meanwhile, has been largely offline for 52 consecutive days, with connectivity having sat at roughly 1% of pre-war levels since strikes began on February 28, making it the longest nationwide internet shutdown on record.

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
davisch:
This is believable and reminds me of the classic NSA problem. Half of their purpose is to weaken the cyber defense of other nations and the other half is to strengthen ours. Because everyone uses the same equipment and security protocols, and governments prioritize offensive postures over defensive ones, they are constantly working against their own (and our) interests.
To maintain dominance, they don't disclose security vulnerabilities they discover, or even infiltrate the supply chain to install backdoors, which leaves our own equipment vulnerable to the same exploits if someone else manages to discover them.
If you're unfamiliar, look up "NSA RSA BSAFE" as an example. Because our government doesn't really change, we can only imagine the vulnerabilities they are forcing on to us today to "keep us safe" that won't be known for at least another 20-30 years.
bill001g:
They are getting paranoid it seems. They seem to think the USA planned the attack that happened on March 31 weeks before so they could sabotage the routers before they were disconnected. Their second theory is somehow they were controlled by satellite even though the router has no ability to communicate with a satellite.
It all depends on how disconnected they really were. Obviously they were doing something with them or they would not care if they crashed or rebooted if they had already turned them off. It would be much more likely, if they left the network up internally to Iran, that someone compromised the routers from inside Iran.
Although people hate Snowden, it was him that revealed the tampering with equipment and the collection of Internet data by many countries including the USA. Now that it is encrypted they likely just pay Google to hand over its massive collection of spying.
call101010:
I don't care about Iran being hacked. It is a war at the end. But if the US Government can do this, then OTHERS could do it as well if they discover how, and this is not acceptable at all.
call101010:
Wait until we discover that hidden code inside ANY US made CPU, hidden deep in the wafer ...
alan.campbell99:
MikroTik gets targeted by botnets? Hmm, I was considering their gear as an option should I have to replace my current one.
bill001g:
alan.campbell99 said: "MikroTik gets targeted by botnets? Hmm, I was considering their gear as an option should I have to replace my current one."
Nobody at home needs an "actual" router. The only function you really need is NAT, and that by itself prevents any access to your internal machines. If you get a very simple router and rig it so it can only be administered from a local Ethernet connection, it should be close to impossible to compromise.
The problem is many modern home routers have all the new AI functions and garbage like auto software update and cloud config backups.
Not sure how popular third-party firmware is for routers, but that is all open source so no hidden back doors. A simple mini PC running a Linux router image is also a good option if you need more than just NAT.
aldaia:
Wondering how a country like Iran has Cisco (and others) routers? Cisco didn't even exist when the Iranian revolution happened.
Weren't they sanctioned from acquiring such equipment?
Was the equipment acquired through backchannels?
Isn't that huge negligence on their part?
If I were in charge of Iran's network security I'd buy only Huawei and other Chinese routers, which probably also have their own backdoors, but are much less likely to be used against Iran.
Rand0m_Guy:
bill001g said:
Nobody at home needs an "actual" router. The only function you really need is NAT, and that by itself prevents any access to your internal machines. If you get a very simple router and rig it so it can only be administered from a local Ethernet connection, it should be close to impossible to compromise.
The problem is many modern home routers have all the new AI functions and garbage like auto software update and cloud config backups.
Not sure how popular third-party firmware is for routers, but that is all open source so no hidden back doors. A simple mini PC running a Linux router image is also a good option if you need more than just NAT.
Wrong on so many levels:
First sentence "you don't need a router", 2nd sentence "if you get a router"... what?
All you need is NAT? Wrong again, and as long as we want to be technical and throw out buzzwords we once heard someone say, your home network doesn't use NAT, it uses PAT. All NAT does is translate a private IP address to a public IP address, and the router you claim you don't need, but then claim you do need, is needed to perform NAT. NAT does not offer any security; just because I can no longer see your inside local address doesn't mean I can't connect to you or hack your system... Hence the need for a stateful firewall that blocks all incoming traffic unless established. Wait, still not secure, I could use a MITM and pretend to be an established connection and get in, etc. etc. etc.
Your premise that nobody at home needs a router is ridiculous unless you are plugging a single endpoint (PC, game console, etc...) directly into the modem; even then I would still have an actual router for 1 single device instead of exposing my device to the entire world. Bottom line, NAT is not security, not even a little!
call101010:
aldaia said:
Wondering how a country like Iran has Cisco (and others) routers? Cisco didn't even exist when the Iranian revolution happened.
Weren't they sanctioned from acquiring such equipment?
Was the equipment acquired through backchannels?
Isn't that huge negligence on their part?
If I were in charge of Iran's network security I'd buy only Huawei and other Chinese routers, which probably also have their own backdoors, but are much less likely to be used against Iran.
Huawei and other Chinese routers are relatively new in the market compared to Cisco and other US communication products ...
bill001g:
Rand0m_Guy said:
Wrong on so many levels:
First sentence "you don't need a router", 2nd sentence "if you get a router"... what?
All you need is NAT? Wrong again, and as long as we want to be technical and throw out buzzwords we once heard someone say, your home network doesn't use NAT, it uses PAT. All NAT does is translate a private IP address to a public IP address, and the router you claim you don't need, but then claim you do need, is needed to perform NAT. NAT does not offer any security; just because I can no longer see your inside local address doesn't mean I can't connect to you or hack your system... Hence the need for a stateful firewall that blocks all incoming traffic unless established. Wait, still not secure, I could use a MITM and pretend to be an established connection and get in, etc. etc. etc.
Your premise that nobody at home needs a router is ridiculous unless you are plugging a single endpoint (PC, game console, etc...) directly into the modem; even then I would still have an actual router for 1 single device instead of exposing my device to the entire world. Bottom line, NAT is not security, not even a little!
I normally ignore new guys but I can't resist. The devices people have in their houses are not routers. They have no ability to "route" traffic between subnets. Most support only a single LAN subnet and translate that using NAT to the single WAN IP. They are better called gateways. They also have no ability to run any kind of routing protocol such as BGP or OSPF.
I was just being general calling it NAT; almost nobody on this forum could tell you the difference between PAT and NAT.
The way it is implemented on home routers is almost exactly how a stateful firewall works to block established sessions. If any packet comes in and there is no corresponding entry in the table that matches the remote IP and port number, the packet is dropped. This is actually an advantage of the box not supporting full NAT: the code is stupid and simple, so there is less chance to hack it.
There is no way you are going to do MITM attacks on the modern Internet unless you have already compromised an ISP. Almost all modern routers have a feature that drops inbound traffic whose source address arrives on an interface that does not have an outbound route to it in the routing table. This is mostly to prevent traffic loops or reduce garbage traffic as a routing table change propagates between routers. It has the other benefit that it prevents spoofed IP addresses. You would have to have your attack server on the same subnet as the machine you were trying to spoof. The ISP router would likely also detect this as a duplicate IP, so it is not as simple as you think to do MITM attacks.
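The two mechanisms bill001g describes, a NAPT (PAT) translation table that only passes inbound packets matching an earlier outbound entry, and a strict reverse-path check that drops packets whose source address would not be routed back out the interface they arrived on, simulated in Python. This is an added example, not code from the article or any commenter; the class names, the documentation-range addresses and the routing table are constructed for the demonstration.

```python
# Added example: a toy NAPT (PAT) gateway plus a strict uRPF check.
# Class names, addresses and the routing table are constructed for this demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HomeGateway:
    """NAPT gateway: many LAN hosts share one public IP, told apart by port."""

    def __init__(self, wan_ip, lan_cidr):
        self.wan_ip = wan_ip
        self.lan = ip_network(lan_cidr)
        self.next_port = 40000
        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.table = {}

    def outbound(self, pkt):
        """LAN host initiates a flow: allocate a WAN port and record the mapping."""
        if ip_address(pkt.src) not in self.lan:
            raise ValueError("outbound packet must originate on the LAN")
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a reply back to its LAN host, or return None (drop) when no
        entry matches remote IP + remote port + WAN port, i.e. unsolicited traffic."""
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def urpf_check(routes, in_iface, src):
    """Strict uRPF: accept only if the longest-prefix route to src exits via in_iface."""
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr)
        if ip_address(src) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == in_iface
```

The toy never expires table entries; a real gateway ages them out, which is another reason the implicit drop is a side effect of translation rather than a firewall policy.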