Cisco and FBI warn of Russian hacking campaign targeting end-of-life devices

A threat actor backed by the Russian Federal Security Service has been observed exploiting a seven-year-old vulnerability in older Cisco networking devices to gather information on Ukraine and its allies.


The United States FBI and Cisco’s Talos Intelligence group have warned organisations worldwide of a state-backed Russian threat actor taking advantage of a historical vulnerability in end-of-life Cisco networking devices running Cisco Smart Install.

According to the FBI, the hacking group is a unit belonging to the Russian Federal Security Service’s Centre 16.

The group is tracked as Static Tundra by Talos and also known as Berserk Bear and Dragonfly by other cyber security analysts.


“In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors,” the FBI said in a 20 August advisory.

“On some vulnerable devices, the actors modified configuration files to enable unauthorised access to those devices. The actors used the unauthorised access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.”

The threat actor, which is also targeting entities outside the United States, is exploiting CVE-2018-0171, a vulnerability that Cisco patched at the time of its disclosure; on devices that remain unpatched, it can allow a remote attacker to trigger a denial of service or run code on the device.

According to Talos, the threat actor has been operating for about 10 years in a long-term campaign to establish persistence on compromised networks in an effort to gather information from targets of “strategic interest to the Russian government”.

“For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software that has been left unpatched, often after those devices are end-of-life,” Cisco said in a 20 August blog post.

“We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”
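As an added, defender-side illustration of the two behaviours described above (Smart Install left enabled, and configuration files modified to open up access) that is not part of the original article or of Cisco's or the FBI's material: a small Python check that reports whether a pulled IOS config still has Smart Install on and what has changed against a known-good baseline. The sample configs, the placeholder hashes and the access-keyword heuristic are constructed assumptions, not data from the advisory.

```python
"""Audit a Cisco IOS/IOS XE running-config for Smart Install state and for
unexplained changes against a baseline taken at deployment (added example)."""
import re

# Heuristic (an assumption, not from the advisory): added lines touching these
# keywords are the ones most likely to grant or widen access to the device.
ACCESS_KEYWORDS = re.compile(
    r"^(username|enable |ip http|snmp-server|line vty|transport input|access-list)"
)


def _lines(config: str) -> set[str]:
    """Normalise a config into a set of non-empty, non-comment lines."""
    out = set()
    for raw in config.splitlines():
        s = raw.strip()
        if s and not s.startswith("!"):
            out.add(s)
    return out


def smart_install_enabled(config: str) -> bool:
    """IOS leaves Smart Install on unless the config explicitly carries 'no vstack'."""
    return "no vstack" not in _lines(config)


def audit(baseline: str, current: str) -> dict:
    """Compare a fresh config pull against the baseline and flag access-related additions."""
    base, cur = _lines(baseline), _lines(current)
    added = sorted(cur - base)
    return {
        "smart_install_enabled": smart_install_enabled(current),
        "added": added,
        "removed": sorted(base - cur),
        "access_changes": [l for l in added if ACCESS_KEYWORDS.match(l)],
    }


# Constructed sample configs; hashes are placeholders, not real secrets.
BASELINE = """hostname edge-sw1
no vstack
username admin privilege 15 secret 5 <placeholder-hash>
line vty 0 4
 transport input ssh
"""
CURRENT = """hostname edge-sw1
username admin privilege 15 secret 5 <placeholder-hash>
username svc-backup privilege 15 secret 5 <placeholder-hash-2>
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Run against real pulls, the "removed" list catching a vanished `no vstack` and the "access_changes" list catching a new privilege-15 user are the two findings worth paging on.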

Static Tundra’s victims include targets in Ukraine and its allies, in countries ranging from the US to Asia, Africa, and Europe, and in sectors such as manufacturing, higher education, and telecommunications. The group’s activity surged after Russia’s illegal invasion of Ukraine and has remained high ever since.

Network defenders can learn more about Static Tundra’s tactics, techniques and procedures – and how to defend against it – here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
