A Russian state-sponsored cyber espionage group, known as Static Tundra, has been actively exploiting an old, patched vulnerability in Cisco IOS and Cisco IOS XE software. The vulnerability, identified as CVE-2018-0171 and carrying a critical CVSS score of 9.8, affects the Smart Install feature of the software. Although the flaw was disclosed and patched seven years ago, many organizations, particularly those with end-of-life devices, remain vulnerable. According to a report by Cisco Talos and a concurrent advisory from the FBI, the group is using this flaw to establish persistent access and conduct long-term intelligence-gathering operations against a wide range of global targets.
Static Tundra’s activities are highly targeted, focusing on organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The selection of victims is based on their strategic interest to Russia, with a notable increase in attacks against Ukrainian and allied entities since the 2022 invasion. The primary objective of the campaign is to compromise and exfiltrate device configuration information, which can later be used for future operations. The group’s adaptability is evident in its ability to shift its operational focus in alignment with Russia’s changing strategic priorities.
Exploitation Techniques and Tools
Upon gaining initial access, Static Tundra employs a variety of sophisticated techniques to burrow deeper into the victim’s network. They often leverage the Simple Network Management Protocol (SNMP) to modify device configuration files, thereby creating additional backdoors and enabling unauthorized access. A key element of their toolkit is SYNful Knock, a custom router implant first identified in 2015. This malware is designed to modify a router’s firmware, providing a stealthy and persistent foothold that can survive a device reboot. The group also uses Generic Routing Encapsulation (GRE) tunnels to exfiltrate harvested data, such as NetFlow traffic, to their own infrastructure.
The exploitation of this Cisco vulnerability isn’t limited to Static Tundra. The report notes that the China-aligned cyber-espionage group Salt Typhoon (also known as Operator Panda) has also weaponized this same flaw in attacks against U.S. telecommunication providers. This highlights a trend where state-sponsored actors are capitalizing on unpatched and legacy infrastructure to conduct their operations. Static Tundra itself is believed to be a sub-cluster of a larger group with multiple aliases, including Berserk Bear and Energetic Bear, which has been operational for over a decade and is linked to the Federal Security Service’s (FSB) Center 16 unit.
Mitigation and Defense
In light of the ongoing threats, Cisco has reissued its warning, urging customers to apply the patch for CVE-2018-0171 immediately. For organizations that cannot patch their devices, the recommendation is to disable the Smart Install feature to eliminate the attack vector. Given that the threat actors likely use public scanning services like Shodan and Censys to identify vulnerable systems, it’s crucial for organizations to take proactive steps to secure their network infrastructure, especially end-of-life devices. This incident serves as a stark reminder of the importance of maintaining an updated and secure network posture to defend against persistent and resourceful adversaries.
Reference:
