TP-Link Attack: Microsoft in the Crosshairs, Germany Lucky
The attack on TP-Link routers and access points aimed to take over Microsoft's Office cloud sessions. According to the BSI, Germany was little affected.
The series of attacks on TP-Link routers and access points, announced on Tuesday by the UK's National Cyber Security Centre (NCSC), apparently targeted Microsoft Cloud. However, according to the Federal Office for Information Security (BSI), Germany was only affected to a small extent. Previously, the Federal Intelligence Service and the Office for the Protection of the Constitution had actively warned of attacks and provided indicators of compromise.
The APT-28 group, attributed to the Russian military intelligence service GRU, exploited a zero-day vulnerability discovered in 2024 (CVE-2023-50224) in its attack, security authorities confirm. The attacks redirected DNS requests to servers controlled by the attackers; their goal, the company reports in an extensive statement, was to hijack sessions to Microsoft's cloud services that would otherwise have been effectively encrypted.
Germany Got Lucky
“Fortunately, in view of the successfully disrupted attack campaign, we assume a very small number of affected individuals in Germany,” says BSI President Claudia Plattner in response to a query from heise online. The Federal Office for the Protection of the Constitution initially estimated the number of affected devices at 30. The intelligence services have individually contacted identified affected parties – which was possible given the manageable number.
Most of the affected TP-Link devices are several years old, some well over a decade. “Network devices like routers can become an entry point for attacks – regular hardening measures, especially closing known security vulnerabilities, are essential,” warns Plattner. “If attackers manage to penetrate the router, they can compromise not only the device itself but potentially all connected devices.” In security circles, the import ban on routers imposed by the US regulatory authority FCC in March is seen as closely connected with the discovery of the GRU campaign.
However, for many of the affected models (complete list from NCSC), the manufacturer has not provided security updates for a long time. For some of them, at least, alternative firmware from the OpenWRT project is available. According to OpenWRT activists, these builds are not compromised in the current case. Spot checks by heise online have meanwhile shown that some of the affected models are still being sold in electronics stores in Germany.
(vbr)