A Russian state-backed cyber espionage group known as Static Tundra has been actively abusing a seven-year-old Cisco vulnerability to maintain long-term access to targeted networks.
Targets and Regions Affected
According to Cisco Talos, the campaign is directed at organizations in telecommunications, higher education, and manufacturing across North America, Europe, Asia, and Africa. Victims are chosen strategically, with special focus on Ukraine and its allies since the beginning of the Russo-Ukrainian war in 2022.
Vulnerability at the Center of Attacks
The exploited flaw is CVE-2018-0171 (CVSS score: 9.8), a critical bug in the Cisco Smart Install feature within IOS and IOS XE software. This weakness allows unauthenticated remote attackers to execute arbitrary code or cause denial-of-service (DoS) conditions.
This vulnerability has also been linked to attacks by China-aligned Salt Typhoon (Operator Panda) against U.S. telecommunications providers in late 2024.
Links to Russian Intelligence
Static Tundra is believed to be a sub-unit of the group tracked as Berserk Bear (also known as Crouching Yeti, Dragonfly, Energetic Bear, and Havex) and is associated with the FSB's Center 16 unit. The group has operated for more than a decade, focusing on long-term intelligence collection.
FBI Advisory and Attack Techniques
The FBI issued a parallel advisory, confirming that FSB-linked hackers are exploiting unpatched Cisco Smart Install (CVE-2018-0171) and targeting outdated networking devices.
Their methods include:
- Collecting network configuration files from thousands of devices in U.S. critical infrastructure.
- Modifying configurations to maintain backdoor access.
- Deploying SYNful Knock, a malicious router firmware implant first revealed by Mandiant in 2015.
- Using SNMP commands to pull text files from remote servers and append them to configurations.
- Tampering with TACACS+ settings to bypass logging and evade detection.
Data Theft and Network Manipulation
Static Tundra has been observed setting up Generic Routing Encapsulation (GRE) tunnels to reroute sensitive traffic into attacker-controlled infrastructure. They also harvest NetFlow data and exfiltrate it via TFTP or FTP connections.
The campaign heavily relies on unpatched or end-of-life Cisco devices, using them as entry points for both primary and secondary operations. Once access is gained, attackers move deeper into networks to compromise additional systems for long-term surveillance.
Defensive Recommendations
Cisco urges organizations to:
- Patch CVE-2018-0171 immediately.
- Disable Smart Install if patching is not possible.
Cisco Talos researchers emphasize that the campaign aims to mass-collect configuration files that Russia can later exploit for its evolving strategic objectives.
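As an added, defender-side illustration (not code from Cisco Talos or the FBI advisory), the Python below audits a Cisco IOS running-config for the indicators described above: Smart Install not disabled (no `no vstack` line), a GRE tunnel interface pointing at an unrecognised destination, NetFlow export to a host the organisation does not operate, and AAA enabled without command accounting. The sample configuration and the known-good address list are constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
aaa new-model
tacacs server LEGACY
 address ipv4 192.0.2.10
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.77
!
ip flow-export destination 203.0.113.77 2055
!
"""

# Assumption: addresses of collectors and tunnel peers the organisation operates.
KNOWN_GOOD = {"192.0.2.10"}


def audit_config(text: str, known_good=KNOWN_GOOD) -> list[str]:
    """Return a list of findings for the indicators discussed in the article."""
    findings = []
    # Smart Install is only mitigated when 'no vstack' appears in global config.
    if not re.search(r"^no vstack\s*$", text, re.M):
        findings.append("smart-install-enabled: 'no vstack' not configured")
    # Tunnel interfaces default to GRE/IP mode unless 'tunnel mode' says otherwise.
    for m in re.finditer(r"^interface (Tunnel\S+)\n((?: .*\n)*)", text, re.M):
        name, body = m.group(1), m.group(2)
        if re.search(r"^ tunnel mode (?!gre)", body, re.M):
            continue  # explicitly non-GRE (e.g. ipsec ipv4); not in scope here
        dest = re.search(r"^ tunnel destination (\S+)", body, re.M)
        if dest and dest.group(1) not in known_good:
            findings.append(f"gre-tunnel: {name} -> {dest.group(1)}")
    # NetFlow export is legitimate only towards collectors we run ourselves.
    for m in re.finditer(r"^ip flow-export destination (\S+)", text, re.M):
        if m.group(1) not in known_good:
            findings.append(f"netflow-export: {m.group(1)}")
    # AAA enabled but no accounting lines: the TACACS+ audit trail is missing.
    if re.search(r"^aaa new-model", text, re.M) and not re.search(
            r"^aaa accounting", text, re.M):
        findings.append("aaa-accounting-missing")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against exported running-configs from a device inventory and review every finding; a tunnel or export destination that is genuinely yours belongs in the known-good set, not silently ignored.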