A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their “strategic interest” to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.
The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.
It’s worth noting that the security defect has also been likely weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.
Static Tundra, per Talos, is assessed to be linked to the Federal Security Service’s (FSB) Center 16 unit and operational for over a decade, with a focus on long-term intelligence gathering operations. It’s believed to be a sub-cluster of another group that’s tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.
The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”
In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.
The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.
“SYNful Knock is a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” the threat intelligence firm said at the time. “It is customizable and modular in nature and thus can be updated once implanted.”
Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying TACACS+ configuration on infected appliances to interfere with remote logging functions.
“Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest,” Talos researchers Sara McBroom and Brandon White said. “One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective.”
This is accomplished by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been spotted collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.
Static Tundra’s activities are primarily focused on unpatched, and often end-of-life, network devices with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and hack into additional network devices for long-term access and information gathering.
To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or disable Smart Install if patching is not an option.
“The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” Talos said. “This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”
