FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

Posted on August 20, 2025 by CWS

Aug 20, 2025 | Ravie Lakshmanan | Cyber Espionage / Vulnerability

A Russian state-sponsored cyber espionage group referred to as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a way to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in the telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Potential victims are selected based on their "strategic interest" to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.
The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.

It is worth noting that the same security defect has also likely been weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.
Static Tundra, per Talos, is assessed to be linked to the Federal Security Service's (FSB) Center 16 unit and has been operational for over a decade, with a focus on long-term intelligence gathering operations. It is believed to be a sub-cluster of another group that is tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.
The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors "exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally."
In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.

The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.
"SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network," the threat intelligence firm said at the time. "It is customizable and modular in nature and thus can be updated once implanted."
Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration, so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying the TACACS+ configuration on infected appliances to interfere with remote logging functions.

"Static Tundra likely uses publicly available scan data from services such as Shodan or Censys to identify systems of interest," Talos researchers Sara McBroom and Brandon White said. "One of Static Tundra's primary actions on objectives is to capture network traffic that may be of value from an intelligence perspective."
This is achieved by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been observed collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.
Static Tundra's activities are primarily focused on unpatched, and often end-of-life, network devices, with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and compromise additional network devices for long-term access and data gathering.
To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or to disable Smart Install if patching is not an option.
"The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on the then-current strategic goals and interests of the Russian government," Talos said. "This is demonstrated by Static Tundra's adaptation and shifts in operational focus as Russia's priorities have changed over time."
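As an added defensive illustration (example code written for this page, not from the article, Talos or Cisco), the script below audits a constructed Cisco IOS running-config excerpt for three conditions the article describes: Smart Install not explicitly disabled with `no vstack`, read-write SNMP communities that would let configuration be pushed over SNMP, and GRE tunnels terminating at peers the operator does not recognize. The sample config, the hostnames and the allow-list of known tunnel peers are all assumptions.

```python
import re

# Constructed sample of a Cisco IOS running-config excerpt, assumed for this example.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
snmp-server community public RO
snmp-server community netops RW
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
interface Tunnel1
 tunnel destination 10.0.0.2
 tunnel mode gre ip
!
"""

# Tunnel endpoints the operator expects (assumed allow-list, not from the article).
KNOWN_TUNNEL_PEERS = frozenset({"10.0.0.2"})

# An interface stanza: the 'interface X' line plus its indented body lines.
IFACE_RE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
DEST_RE = re.compile(r"^ tunnel destination (\S+)", re.M)


def audit_config(config, known_peers=KNOWN_TUNNEL_PEERS):
    """Return findings that match the tradecraft described in the article."""
    findings = []
    # 1. Smart Install: 'no vstack' is the disable command; if it is absent the
    #    feature may still be reachable, so patch CVE-2018-0171 or disable it.
    if not re.search(r"^no vstack\s*$", config, re.M):
        findings.append("smart-install: 'no vstack' missing; patch CVE-2018-0171 or disable vstack")
    # 2. A read-write SNMP community lets the running config be changed over SNMP.
    for m in re.finditer(r"^snmp-server community (\S+) RW", config, re.M):
        findings.append(f"snmp: read-write community '{m.group(1)}' configured")
    # 3. A GRE tunnel to a peer the operator does not know may be redirecting traffic.
    for name, body in IFACE_RE.findall(config):
        if "tunnel mode gre" not in body:
            continue
        dest = DEST_RE.search(body)
        dest = dest.group(1) if dest else "<none>"
        if dest not in known_peers:
            findings.append(f"gre: {name} terminates at unexpected peer {dest}")
    return findings
```

Run it against the text of `show running-config` collected out of band, and treat every finding as a prompt to verify the device against the patched IOS/IOS XE release and the operator's own change records.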
