[Image: Kremlin. Credit: Valeria Nikitina / Unsplash]

Russian state cyber group Static Tundra exploiting Cisco devices, FBI warns

A Russian cyber-espionage group is increasingly targeting unpatched Cisco networking devices through a vulnerability discovered in 2018, according to the FBI.

Advisories released on Wednesday by both the FBI and Cisco Talos warned that the Russian Federal Security Service's (FSB) Center 16 is exploiting CVE-2018-0171 in devices that have reached end-of-life status to breach organizations in the telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe.

Cisco Talos said the group behind the campaign — known to security experts as Static Tundra, Berserk Bear or Dragonfly — has spent years compromising Cisco devices by exploiting the vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software on devices that have been left unpatched, often after those devices reach end-of-life.

Many of the victims, according to Cisco Talos, are selected “based on their strategic interest to the Russian government.” Some of them are based in Ukraine. Cisco Talos warned that the Russian group will likely continue to target Ukraine and its allies as their strategic interests shift. 

“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” they said. 

“Static Tundra was observed compromising Ukrainian organizations in multiple verticals, as opposed to previously more limited, selective compromises typically being associated with this threat actor.”

The FBI said that over the past year officials have seen the group increase its collection of “configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors.”

On some of the devices, the hackers have modified the configuration files to enable further access to victim systems. They then conduct reconnaissance operations — many of which center on “protocols and applications commonly associated with industrial control systems.”

The FBI echoed Cisco’s assessment that Static Tundra has targeted similar systems for more than a decade and has developed customized tools to attack Cisco devices, including a strain of malware known as SYNful Knock.

Cisco Talos has published a script that can be used to scan for and detect the SYNful Knock implant.

Last week, Norway’s police security service (PST) said it suspects pro-Russian hackers sabotaged a dam in the country’s southwest in April — breaching the dam’s control system, opening valves for four hours and sending large amounts of water gushing into the Riselva River until operators regained control. 

The long game

According to Cisco Talos, Static Tundra’s primary goal is to steal data and establish persistent access to systems. 

The group is known for its ability to pivot further into a victim’s network and compromise additional network devices, demonstrating a longstanding ability to “maintain access in target environments for multiple years without being detected.”

“We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” Cisco Talos experts said. 

“This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.”

The researchers added that Static Tundra likely uses services like Shodan and Censys to find victims. 

In 2021, the U.S. Justice Department indicted four Russian nationals accused of being part of Static Tundra for allegedly leading a widespread hacking campaign against energy companies around the world.

The men specifically targeted an array of industrial technology systems. From 2012 to 2014, they allegedly compromised several industrial control system manufacturers and software providers before hiding the “Havex” malware inside networks. 

The DOJ said that between 2014 and 2017 the group went after “specific energy sector entities and individuals and engineers who worked with [industrial] systems.” These attacks targeted more than 3,300 users at some 500 U.S. and international companies and entities, as well as government agencies like the Nuclear Regulatory Commission. 

The group was successful in compromising the business systems of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, through spearphishing. They also found success using "watering hole" attacks, which captured the login credentials of energy sector engineers through compromised websites. 

Overall, their campaigns are known to have targeted people in more than 136 countries. 

Cisco Talos noted that it is not just Russian actors exploiting the bug but that other state-sponsored groups are “likely conducting similar network device compromise campaigns.” 

They urged customers to apply the patch for the vulnerability, disable Smart Install or reach out to them for assistance.
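As an added example (not Cisco Talos' published script or any FBI tooling), the small Python audit below checks a saved `show running-config` for the explicit `no vstack` line that disables Smart Install and flags drift against a known-good baseline, the kind of configuration change described above. It assumes `vstack` is the IOS command controlling Smart Install and that a config without `no vstack` leaves the feature enabled; the sample configs are constructed.

```python
"""Audit a Cisco IOS running-config for Smart Install exposure and baseline drift.

Assumptions (added example, not vendor or agency tooling): configs are plain-text
'show running-config' output; Smart Install is controlled by the 'vstack' command,
so a config lacking an explicit 'no vstack' is treated as having it enabled.
"""
import difflib
import re

# Constructed sample: a baseline config backed up before the incident window.
BASELINE = """\
hostname edge-rtr-01
no vstack
line vty 0 4
 transport input ssh
"""

# Constructed sample: the same device's current config, with Smart Install
# re-enabled, a new local account and telnet allowed on the VTY lines.
CURRENT = """\
hostname edge-rtr-01
username svc-backup privilege 15 secret 5 $PLACEHOLDER$
line vty 0 4
 transport input ssh telnet
"""


def smart_install_disabled(config: str) -> bool:
    """True only if the config carries an explicit 'no vstack' line."""
    return any(re.fullmatch(r"\s*no vstack\s*", ln) for ln in config.splitlines())


def config_drift(baseline: str, current: str) -> list[str]:
    """Return added (+) and removed (-) lines between two configs, in diff order."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [ln for ln in diff
            if ln[:1] in ("+", "-") and not ln.startswith(("+++", "---"))]


def audit(baseline: str, current: str) -> dict:
    """Summarise Smart Install state, raw drift and any newly added local users."""
    drift = config_drift(baseline, current)
    return {
        "smart_install_disabled": smart_install_disabled(current),
        "drift": drift,
        "new_local_users": [ln for ln in drift
                            if ln.startswith("+") and ln[1:].lstrip().startswith("username ")],
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(key, value)
```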

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.