Russian hackers are using an old Cisco flaw to target network devices - here's how you can stay safe
Briefly

Russian government-linked hackers tied to the FSB Center 16 (aliases Static Tundra, Berserk Bear, Energetic Bear, Dragonfly) exploit a seven-year-old Cisco Smart Install vulnerability (CVE-2018-0171) and SNMP to compromise networking devices. The campaign targets telecommunications, higher education, manufacturing and other critical infrastructure organizations across North America, Asia, Africa and Europe. The group has collected configuration files from thousands of devices, sometimes modifying those configurations to enable unauthorized access and persistent reconnaissance. Harvested configurations reveal interest in industrial control system protocols and are retained for later strategic use aligned with Russian government objectives.
"For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life," said Cisco Talos researchers Sara McBroom and Brandon White in an .
"We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra's adaptation and shifts in operational focus as Russia's priorities have changed over time."
"The attackers are mainly targeting organizations in the telecommunications, higher education and manufacturing sectors, with known victims in a number of geographic regions, including North America, Asia, Africa and Europe."
Read at IT Pro