
The FBI and Cisco Talos have issued a joint warning about a renewed campaign by Russian state-sponsored hackers targeting vulnerable Cisco networking equipment.
The cyber-espionage group, tracked as Static Tundra and linked to Russia’s FSB Center 16, is exploiting a seven-year-old vulnerability to breach critical infrastructure networks globally. Cisco Talos assesses with high confidence that Static Tundra is a subset of the broader Berserk Bear group and has been active since at least 2015. Its operations are characterized by stealth, persistence, and a focus on maintaining undetected access to facilitate long-term intelligence gathering.
The FBI’s Internet Crime Complaint Center (IC3) bulletin attributes the campaign to the FSB’s Center 16 unit, also known in cybersecurity circles as Berserk Bear or Energetic Bear. Cisco Talos published a concurrent technical analysis confirming the activity and highlighting the extensive exploitation of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS software that allows unauthenticated remote access and code execution on unpatched or end-of-life (EOL) devices.
The actors are specifically targeting devices still running Smart Install and Simple Network Management Protocol (SNMP) versions 1 and 2, both of which are unencrypted and insecure by today’s standards. According to both agencies, the campaign involves harvesting startup configuration files, enabling unauthorized access, modifying SNMP settings, and in some cases deploying the SYNful Knock firmware implant, a backdoor tool first uncovered in 2015.
The compromised systems span telecommunications providers, higher education institutions, and manufacturers across North America, Europe, Africa, and Asia. Static Tundra appears to prioritize targets based on evolving Russian strategic interests, including heightened focus on Ukrainian networks since the start of the Russia-Ukraine conflict.
Cisco emphasized that the affected systems are typically those running outdated firmware and lacking current security patches. Many of these devices are already designated as EOL and no longer receive security updates. Despite Cisco issuing a patch for CVE-2018-0171 in 2018, many organizations have yet to implement it or retire vulnerable equipment.
The observed attack chain begins with the exploitation of the Smart Install protocol to enable a local TFTP server, from which configuration files are exfiltrated. These may contain sensitive data such as plaintext SNMP community strings or user credentials. In some cases, access was gained simply by using default or easily guessed SNMP community strings like “public” or “anonymous.”
Once inside, the attackers use SNMP to modify device configurations, establish GRE tunnels for traffic redirection, and create persistent access by installing local user accounts or deploying implants. To evade detection, Static Tundra modifies TACACS+ and access control configurations to conceal unauthorized activity and maintain long-term access.
Organizations should patch CVE-2018-0171 on all Cisco devices with Smart Install enabled, and disable the feature with the “no vstack” command on devices that can’t be updated. It’s also important to scan for the SYNful Knock implant using tools from Cisco and Mandiant. To reduce exposure, replace insecure protocols like SNMPv1/v2, Telnet, and HTTP with SNMPv3, SSH, and HTTPS. Ensure SNMP uses strong, unique community strings and disable write access unless absolutely necessary.
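As an added illustration (not code from the bulletin, Cisco, or Mandiant), the following Python script audits a saved Cisco IOS configuration for the weak settings listed above: Smart Install left enabled, SNMPv1/v2c community strings (default names and write access), and plaintext HTTP or Telnet management. The sample config, the default-community list and the finding labels are constructed for this example.

```python
import re

# Constructed sample IOS running-config excerpt showing the weak settings
# described in the bulletin; this is not a real device configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
vstack
!
snmp-server community public RO
snmp-server community anonymous RW
snmp-server group v3admins v3 priv
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
"""

# Assumed list of commonly guessed community strings (illustrative only).
DEFAULT_COMMUNITIES = {"public", "private", "anonymous", "cisco"}


def audit_ios_config(config: str) -> list:
    """Return a list of finding strings for a Cisco IOS config text."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    # Smart Install is on when 'vstack' appears and is not negated.
    if "vstack" in lines and "no vstack" not in lines:
        findings.append("smart-install-enabled: add 'no vstack' or patch CVE-2018-0171")
    for line in lines:
        # SNMPv1/v2c communities; mode defaults to RO when omitted.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO")
            findings.append(f"snmp-v1v2c-community: {community} ({mode})")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp-default-community: {community}")
            if mode == "RW":
                findings.append(f"snmp-write-access: {community}")
    # Plaintext management protocols that should be replaced by HTTPS/SSH.
    if "ip http server" in lines:
        findings.append("http-management-enabled: use 'ip http secure-server' only")
    for line in lines:
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append("telnet-enabled: restrict to 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; a clean SNMPv3-only config with `no vstack` produces no findings.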
Organizations that suspect compromise are urged to inspect device configurations, monitor for indicators of compromise (IOCs), and report incidents to their local FBI field office or through IC3.gov.