Date: 2025-08-21

Static Tundra, a Russian state-sponsored cyber espionage gang, has been actively exploiting a seven-year-old security flaw in Cisco software. Both the company and the FBI have now disclosed details of malicious activity.

According to Cisco Talos, the threat intelligence arm of the global tech conglomerate, Static Tundra has been choosing its victims based on their “strategic interest” to Russia. Recently, the criminals have been attacking Ukraine and its allies.

The vulnerability is tracked as CVE-2018-0171. It is a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that can allow an unauthenticated, remote attacker to trigger a denial-of-service condition or execute arbitrary code.

The vulnerability has already been patched. Customers for whom patching is not an option are advised to disable Smart Install.

“We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” said Cisco Talos.

“This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”

Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering.

Essentially, the threat actors have been found collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors.

According to Cisco Talos, Static Tundra is likely a sub-cluster of another group, “Energetic Bear,” which was linked to the Russian Federal Security Service’s (FSB) Center 16 unit in a 2022 US Department of Justice indictment.

The FBI also said in an advisory that it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”

“On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems,” said the FBI.