Ciaran Martin, chief executive of Britain’s National Cyber Security Center, said Russia had targeted “millions” of devices in both countries, often seeking to hack into individual homes or small businesses or to control their routers.
“Once you own the router, you own all the traffic, to include the chance to harvest credentials and passwords,” said Howard Marshall, deputy assistant director of the cyber division at the Federal Bureau of Investigation. “It is a tremendous weapon in the hands of an adversary.”
In particular, both governments said, the Russians were seeking to exploit the increasing popularity of internet-connected devices around homes and businesses — the so-called internet of things — “the kind of thing you and I have in our homes,” Mr. Joyce said.
The officials said the Kremlin was often using what are known as man-in-the-middle attacks, in which hackers secretly insert themselves into the exchange of data between a computer and a server in order to eavesdrop, collect confidential information, misdirect payments or further compromise security.
“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” the British government said in a prepared statement. “Multiple sources including private and public-sector cybersecurity research organizations and allies have reported this activity to the U.S. and U.K. governments.”
But the officials said that the extent of Russia’s successful penetration of Western computer networks was not fully clear, nor was the Kremlin’s ultimate intent. Russia might be tapping into millions of home or small business computers and other devices to gain the ability to use them later in a coordinated attack on government computers or critical infrastructure, the officials said.
The goal “is not always to steal information,” Mr. Joyce said. “Sometimes it is to facilitate other operations” or “for further aggressive acts.”
The warnings issued Monday, including the release of technical guidance to businesses and individuals, had been in the works for a long period and do not reflect any response to recent events, the officials said. But the finger pointing toward Moscow also comes at a moment of escalating tensions.
Russian diplomats have castigated the United States, Britain and France for their airstrikes last week on what they said were chemical weapons facilities in Syria, where the Kremlin is backing the government of President Bashar al-Assad. Russia and the Western governments have also recalled diplomats in a back and forth over British accusations that the Kremlin used a nerve agent to try to assassinate a former Russian spy living near London.
In Washington, both Democrats and Republicans have criticized President Trump for what they say is his reluctance to hold Russia accountable for its hacking of the Democrats during the 2016 presidential election; American intelligence agencies have also blamed the Kremlin for those attacks.
Against that backdrop, Washington and London have been moving together for months to publicize allegations of other malicious cyberactivities by the Kremlin. In February, they blamed Russia for a cyberattack the previous June that was known by the name NotPetya. Initially aimed at Ukraine, the attack spread through computer networks around the world, doing what the White House said was billions of dollars in damages in the United States, Europe and Asia.
Both the United States and Britain have accused the Kremlin of trying to penetrate the electrical grid in both countries, although without yet doing any damage.
After describing the Russian threats, officials of both governments on Monday repeatedly urged individuals and businesses to better protect their own networks. “We need to place as much emphasis on security as we do on ease and functionality,” Mr. Joyce urged manufacturers.