Guru
Technical Fields - Project Managers & Project Engineers - New Member

Join Date: Aug 2006
Location: Midwestern United States
Posts: 843
Good Answers: 76

Infected Hardware Devices Include Cisco Routers 1841, 2811 and 3825

09/15/2015 9:10 AM
__________________
Reuters - Investigators found that the recent thread derailment in CR4 was caused by over-weight creatures of lore and request that membership DON'T FEED THE TROLLS.
Associate

Join Date: Aug 2012
Posts: 54
Good Answers: 1
#1

Re: Infected Hardware Devices Include Cisco Routers 1841, 2811 and 3825

09/15/2015 3:28 PM

Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.

In the attacks, a highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco (CSCO.O), the world's top supplier, U.S. security research firm FireEye (FEYE.O) said on Tuesday.

Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools that organizations use to safeguard data traffic. Until now, they were considered vulnerable to sustained denial-of-service attacks using barrages of millions of packets of data, but not outright takeover.

"If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router," FireEye Chief Executive Dave DeWalt told Reuters of his company's discovery.

-Excerpt

Guru

Join Date: Mar 2007
Location: by the beach in Florida
Posts: 33392
Good Answers: 1817
#2

Re: Infected Hardware Devices Include Cisco Routers 1841, 2811 and 3825

09/15/2015 8:50 PM

Yup...

http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

"A serious threat to the future

We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.

Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.

The full details of the attack are included in our report detailing SYNful Knock, which provides detection signatures and active hunting techniques for enterprises to implement."

https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html

__________________
All living things seek to control their own destiny....this is the purpose of life