Skip to navigation
Latest News

London firm at centre of hack redirecting 300,000 routers


By Nicole Kobie

Posted on 3 Mar 2014 at 17:01

A London-registered company appears to be at the centre of a massive attack that's redirecting traffic from 300,000 routers, a security firm has said.

Florida-based security firm Team Cymru said it was examining a "widespread compromise" of consumer and small office/home office (SOHO) routers in Europe and Asia.

In January, the firm uncovered a "SOHO pharming" campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, "effectively conducting a man-in-the-middle attack," the company's report said.

If your router's been hijacked and is pointing to someone else's DNS server, you really have no trust over what you're actually getting

"If [your router's] been hijacked and is pointing to someone else's DNS server, you really have no trust over what you're actually getting - you could be getting the bad guy's version of Google, or your bank site," Team Cymru spokesman Steve Santorelli told PC Pro. "It's very clever."

Company links

The routers' DNS settings were changed to two IP addresses, both of which are for machines that are physically in the Netherlands, but registered with UK company 3NT Solutions, he said.

"The analogy I'd use is there's a bank robbery in Utrecht, for example, and the police stop the car," Santorelli said. "The car used is actually there physically in Holland, but it's registered to someone in the UK."

The website for 3NT Solutions was offline at the time of writing and the company could not be reached for comment. Its registered address is a Mailboxes Etc location in central London.

The company caught the eye of security researcher Conrad Longmore, who posted his "reservations" about 3NT Solutions on his Dynamoo blog last week.

"Alright, let's cut a long story short because we know who this is... it's Serbian web host who have featured on this blog several times before all the way back to 2011," he said. "Similar records exist on all of 3NT's ranges, linking them firmly with"

Longmore described 3NT/ as a "known bad actor" that ran malicious and "spammy" sites - and advised admins to "block all their IPs on sight".

Attractive Target

Cymru's Santorelli stressed that the router attack was serious. "It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious," he said.

Santorelli said that rather than delay reporting the flaw, his firm notified authorities and took it public immediately. "This is kind of a sea-change in the way people have been approaching security," he said. "This isn't the first time this kind of thing's been spotted, but it's certainly the biggest in recent memory."

The attack affects devices from several manufacturers, the firm said said, adding that "consumer unfamiliarity" with configuring routers and weak default settings makes the devices a "very attractive target".

Indeed, security researchers at Tripwire spotted a series of flaws in routers last year, while D-Link rushed out a patch to fix a back door to admin settings.

Santorelli said the problem wasn't a hardware flaw, but weaknesses in ZyXEL's widely used router firmware, ZynOS.

"It's about the people who write the original firmware... this is ubiquitous firmware," he said. "It's on all these very good value, cheap routers - it's really a firmware vendors' problem than a hardware manufacturers' problem."

However, he added that Cymru Team didn't want to single out any one company or manufacturer as the cause of the problem, saying such attacks were a "natural evolution" in the security battle. "It's just another thing you need to check - but unfortunately there isn't antivirus for routers."

It's not just about password control and antivirus on your laptop, now you've got to look at all... stages of how the packet gets from your Google search, out to Google, and back again

"It's not just about password control and antivirus on your laptop, now you've got to look at all... stages of how the packet gets from your Google search, out to Google, and back again," Santorelli said.

Mitigation techniques

To stay safe, Santorelli recommended checking your router's DNS settings, ensuring that the IP addresses you end up at are legitimate, and updating your firmware.

The report added that if the attackers' servers are shut down, it could cause trouble for victims. "As with the DNSChanger malware, unwitting victims are vulnerable to a loss of service if the malicious servers are taken down, as both primary and secondary DNS IP addresses are overwritten, complicating mitigation," the report added.

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Unsafe at any speed?

Sounds pretty serious. I thought that a department of Ofcom or Mi6 or GCHQ were employed to check that routers imported into the UK were not vulnerable? Especially the likes of TP-Link.

Can you confirm that only ZyXel routers are affected at this point in time? Ta.

By Natasha26 on 4 Mar 2014

They're all waiting...

If you had developed a nasty virus or whatever for XP, would you release it now, or wait until April the 9th...

By roblightbody on 4 Mar 2014


Read the text, it refers to dlink routers and specifically any routers using firmware supplied by zyxel to other companies so many different makes of routers.

By irturner on 6 Mar 2014

Sussed it

That would be GCHQ reading your e-mails then.


By MeesterChris on 8 Mar 2014

Leave a comment

You need to Login or Register to comment.



Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.