Russian Hackers Exploit Old Cisco Flaw to Target Global Networks, Cisco and FBI Warn

A Russian state-sponsored hacking group known as Static Tundra is actively exploiting a seven-year-old Cisco vulnerability (CVE-2018-0171) to gain persistent access to critical networks worldwide. Cisco Talos researchers revealed that the group is focusing on organizations in the telecommunications, higher education, and manufacturing sectors across North America, Europe, Asia, and Africa, with recent campaigns aimed at Ukraine and its allies since the outbreak of the Russo-Ukrainian war in 2022.

The exploited bug, first disclosed in 2018, is a critical flaw (CVSS score: 9.8) in the Cisco IOS and IOS XE Smart Install feature, which could let an unauthenticated attacker trigger denial-of-service (DoS) or execute arbitrary code. Cisco has now updated its advisory, stressing that “Cisco is aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible.”

According to Talos, Static Tundra operates under Russia’s Federal Security Service (FSB) Center 16 and has been linked to long-term espionage operations for more than a decade. It is believed to be a sub-cluster of the notorious Berserk Bear/Dragonfly/Energetic Bear threat actor. The FBI also issued a joint advisory noting that Russian operatives have been “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”

Investigations show that Static Tundra has been harvesting configuration files from thousands of devices tied to U.S. critical infrastructure. The group modifies device settings to maintain unauthorized access, then uses implants like SYNful Knock—a stealthy router backdoor first detailed in 2015—to ensure long-term persistence.

Attackers also employ SNMP commands to download malicious text files from remote servers, altering configurations to expand access while tampering with TACACS+ logs to evade detection. To capture sensitive intelligence, Static Tundra sets up Generic Routing Encapsulation (GRE) tunnels to redirect traffic and exfiltrates NetFlow data using outbound TFTP or FTP connections.

Talos researchers emphasized that the campaign’s objective is intelligence-driven, stating, “Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective.”

Cisco has urged all customers to immediately patch vulnerable devices or disable Smart Install where updates are not feasible. Failure to do so leaves organizations exposed to ongoing exploitation campaigns aligned with Russia’s shifting geopolitical interests.
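Defenders can turn the indicators named above (Smart Install left enabled, writable SNMP communities, GRE tunnels, off-box NetFlow export, missing TACACS+ command accounting) into a quick running-config audit. The script below is an added example, not Cisco's or Talos's tooling; the two configs are constructed, and the "Smart Install enabled" check is a heuristic based on the absence of `no vstack`, since some platforms do not print the default state.

```python
import re

# Constructed sample IOS-style running-config with several of the
# indicators described in the article present (not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RW
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
ip flow-export destination 203.0.113.10 9996
aaa new-model
"""

# Constructed hardened counterpart: Smart Install disabled, read-only SNMP
# behind an ACL, no tunnel, TACACS+ command accounting turned on.
HARDENED_CONFIG = """\
hostname edge-rtr-01
no vstack
snmp-server community s3cretRO RO 10
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
"""

# (finding id, regex over the config, fires when the pattern is present?)
# A False third field means the finding fires when the line is ABSENT.
CHECKS = [
    ("smart_install_enabled", r"^no vstack\s*$", False),
    ("snmp_rw_community", r"^snmp-server community \S+ RW\b", True),
    ("gre_tunnel_present", r"^ tunnel mode gre ip\s*$", True),
    ("netflow_export_offbox", r"^ip flow-export destination \S+", True),
    ("tacacs_accounting_missing",
     r"^aaa accounting commands \d+ \S+ start-stop group tacacs\+", False),
]

def audit_config(config: str) -> list[str]:
    """Return the ids of every check that fires on the running-config text."""
    findings = []
    for finding_id, pattern, fires_when_present in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present == fires_when_present:
            findings.append(finding_id)
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Feed it the output of `show running-config` collected from each device; a clean result for the hardened config shows what the audit expects, while off-box NetFlow export may be legitimate and should be compared against the known collector addresses.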
