Particle.news

FBI and Cisco Warn FSB Unit Exploiting 7-Year-Old Cisco Flaw to Target U.S. Critical Infrastructure

Officials say the spies harvest configuration files to persist on unpatched or end-of-life devices.

Overview

  • The FBI reports collection of configuration files from thousands of networking devices tied to U.S. critical infrastructure, with some configurations altered to preserve unauthorized access.
  • Cisco Talos attributes the campaign to Static Tundra, a group linked to Russia’s FSB Center 16 and assessed as a sub-cluster of Energetic Bear.
  • The operation exploits CVE-2018-0171 in Cisco Smart Install on IOS and IOS XE, a 2018-patched flaw that allows remote code execution or device reloads on unpatched gear.
  • Victims include telecommunications, higher education and manufacturing organizations across North America, Europe, Asia and Africa, with activity against Ukrainian entities intensifying since 2022.
  • Tactics observed include abusing weak SNMP community strings, exfiltrating configurations via TFTP or FTP, setting up GRE tunnels, modifying TACACS+ and ACL settings, and deploying the SYNful Knock implant, prompting urgent guidance to patch or disable Smart Install, replace unsupported hardware and monitor published IOCs.
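A defender-side check for the configuration-level indicators named above, added here as an example and not taken from the FBI or Cisco Talos guidance: it parses a constructed Cisco IOS running-config excerpt (hostnames and addresses are made up) and flags Smart Install left enabled, default or read-write SNMP communities, and GRE tunnel interfaces with their destinations.

```python
import re
# Constructed running-config excerpt for demonstration; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
snmp-server community private RW
interface Tunnel99
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode gre ip
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.0
"""

def audit_ios_config(config: str) -> list[str]:
    """Flag the config-level indicators the advisory calls out: Smart Install
    not disabled, weak SNMP community strings, and GRE tunnel interfaces."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]
    # Smart Install (vstack) is on by default on affected releases; the
    # mitigation leaves an explicit 'no vstack' in the running-config.
    if "no vstack" not in (line.strip() for line in lines):
        findings.append("smart-install: 'no vstack' missing, Smart Install likely enabled")
    # SNMP: well-known default communities and any read-write community.
    for line in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if not m:
            continue
        community, mode = m.group(1), m.group(2) or "RO"
        if community.lower() in ("public", "private"):
            findings.append(f"snmp: default community string '{community}'")
        if mode == "RW":
            findings.append(f"snmp: read-write community '{community}'")
    # GRE tunnels: walk interface blocks, report 'tunnel mode gre' with its destination.
    iface, dest, gre = None, None, False
    for line in lines + ["!"]:  # sentinel flushes the last block
        if not line.startswith(" "):
            if iface and gre:
                findings.append(f"gre: {iface} tunnels to {dest or 'unknown'}")
            iface = line.split()[1] if line.startswith("interface ") else None
            dest, gre = None, False
        elif iface and line.strip().startswith("tunnel destination "):
            dest = line.split()[2]
        elif iface and line.strip().startswith("tunnel mode gre"):
            gre = True
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` from each device under review; a clean, patched device with `no vstack` and non-default SNMP settings returns an empty list.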