Russian hackers are using an old Cisco flaw to target network devices – here’s how you can stay safe
With the aim of carrying out espionage, Russia's Center 16 is targeting infrastructure organizations around the world


Russian government-linked hackers are exploiting unpatched Cisco networking devices to spy on critical infrastructure organizations.
The attackers are mainly targeting organizations in the telecommunications, higher education and manufacturing sectors, with known victims in a number of geographic regions, including North America, Asia, Africa and Europe.
The group carrying out the attacks is believed to be part of the Russian Federal Security Service's (FSB) Center 16, and has a number of names, including Static Tundra, Berserk Bear, Energetic Bear and Dragonfly.
It exploits Simple Network Management Protocol (SNMP) and targets end-of-life networking devices running Cisco Smart Install (SMI) with a seven-year-old vulnerability that has never been patched.
"For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life," said Cisco Talos researchers Sara McBroom and Brandon White in an advisory.
"We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time."
Over the last year, the group has been spotted collecting configuration files for thousands of networking devices associated with US organizations across critical infrastructure sectors.
On some vulnerable devices, the group modified these configuration files to enable unauthorized access, then used that access to carry out reconnaissance in its victims' networks, revealing its interest in protocols and applications commonly associated with industrial control systems.
The group has been compromising network devices for more than ten years, focusing particularly on devices accepting legacy unencrypted protocols like SMI and SNMP versions 1 and 2.
It's also made use of custom tools against certain Cisco devices, such as the malware known as SYNful Knock in 2015.
"Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering," said McBroom and White.
"This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected."
Cisco Talos is urging customers to apply the patch for CVE-2018-0171 or, if that's not an option, to disable Smart Install.
"The threat extends beyond Russia's operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations," McBroom and White warn.
"Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled."
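One way to check your own devices for the two conditions described above (Smart Install still enabled, and management over plaintext SNMP v1/v2c) is a small audit over saved running-config text and `show vstack config` output. The following is an added example, not code from the article or from Cisco Talos. The sample configs and command output are constructed; the heuristics assume standard IOS syntax (`no vstack` disables Smart Install; `snmp-server community` and `snmp-server host ... version 1|2c` define v1/v2c access; `snmp-server group ... v3 priv` defines authenticated, encrypted SNMPv3), and the `show vstack config` output format is assumed from Cisco documentation and may differ between releases.

```python
"""Audit Cisco IOS configuration text for the two weaknesses the campaign
relies on: Smart Install left enabled and SNMP v1/v2c (plaintext community
strings).  Added example; not from the article or from Cisco Talos.
"""
import re

# Constructed sample: a switch that was never hardened.  Smart Install is
# not mentioned at all, which on many older IOS releases means it is still
# on (assumption: absence of 'no vstack' == enabled by default).
VULNERABLE_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 version 2c public
!
"""

# Constructed sample: the same switch after hardening.
HARDENED_CONFIG = """\
hostname edge-sw-01
!
no vstack
!
snmp-server group NETMON v3 priv
!
"""

# Constructed samples of 'show vstack config' output (format assumed).
SHOW_VSTACK_ENABLED = """\
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
"""
SHOW_VSTACK_DISABLED = """\
 Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0
"""

# Suggested fix for each finding id (global-configuration commands).
REMEDIATION = {
    "smart-install-enabled": "no vstack  (or apply the CVE-2018-0171 fix)",
    "snmp-v1v2c-community": "remove the community; migrate to SNMPv3 'priv'",
    "snmp-v1v2c-host": "send traps/informs with 'version 3 priv' instead",
}

COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+\S+")
HOST_V12_RE = re.compile(r"^snmp-server\s+host\s+\S+.*\bversion\s+(1|2c)\b")


def audit_config(config: str) -> list[tuple[str, str]]:
    """Return (finding_id, offending_line) pairs for a running-config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings: list[tuple[str, str]] = []
    # Smart Install is only known to be off when 'no vstack' is present.
    if "no vstack" not in lines:
        findings.append(("smart-install-enabled", "<no 'no vstack' in config>"))
    for ln in lines:
        if COMMUNITY_RE.match(ln):
            findings.append(("snmp-v1v2c-community", ln))
        elif HOST_V12_RE.match(ln):
            findings.append(("snmp-v1v2c-host", ln))
    return findings


def smart_install_enabled(show_vstack_output: str) -> bool:
    """Parse 'show vstack config' output; True when Smart Install is on."""
    m = re.search(r"SmartInstall\s+(enabled|disabled)", show_vstack_output, re.I)
    if m is None:
        raise ValueError("unrecognised 'show vstack config' output")
    return m.group(1).lower() == "enabled"


def report(name: str, config: str) -> None:
    """Print each finding with its suggested remediation."""
    findings = audit_config(config)
    if not findings:
        print(f"{name}: no findings")
        return
    for fid, line in findings:
        print(f"{name}: {fid}: {line}\n    fix: {REMEDIATION[fid]}")


if __name__ == "__main__":
    report("edge-sw-01 (before)", VULNERABLE_CONFIG)
    report("edge-sw-01 (after)", HARDENED_CONFIG)
    print("show vstack config reports enabled:",
          smart_install_enabled(SHOW_VSTACK_ENABLED))
```

The config check is a heuristic: because Smart Install is on by default on affected releases, the absence of `no vstack` is treated as a finding and should be confirmed against the live `show vstack config` output, which `smart_install_enabled` parses. Feed it the running-configs you already archive (the same files the campaign was collecting) to get a quick inventory of which devices still need the patch or the `no vstack` change.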
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.