Particle.news


FBI and Cisco Warn FSB Unit Is Exploiting 2018 Cisco Flaw for Ongoing Espionage

A joint Cisco Talos and FBI disclosure says Static Tundra is harvesting configuration data from thousands of legacy devices across critical sectors.

A view shows the Russian flag on the facade of a historic building alongside the American flag on the facade of the U.S. Embassy in Moscow, Russia March 18, 2025. REUTERS/Yulia Morozova/File photo
Russian APT

Overview

  • The campaign leverages CVE-2018-0171 in Cisco Smart Install on IOS and IOS XE to access unpatched or end-of-life routers and switches.
  • The FBI observed configuration files taken from thousands of U.S.-associated networking devices in critical infrastructure, with some configs modified to preserve unauthorized access.
  • Cisco Talos attributes the activity to Russia’s FSB Center 16, tracking the cluster as Static Tundra and linking it to the Energetic Bear lineage active for more than a decade.
  • Targets include telecommunications, higher education and manufacturing across North America, Europe, Asia and Africa, with operations intensifying against Ukrainian entities since 2022.
  • Researchers detail tradecraft using weak SNMP, TFTP/FTP exfiltration, GRE tunnels, NetFlow collection, and implants such as SYNful Knock, and they urge patching or disabling Smart Install, replacing unsupported hardware and monitoring for anomalous device changes.
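The monitoring and hardening advice in the last bullet can be turned into a simple config audit. The following is an added example, not code from Cisco Talos or the FBI: it checks a Cisco IOS running-config snapshot for Smart Install left enabled (`no vstack` absent), weak or writable SNMP communities, GRE tunnel interfaces and NetFlow export to an unapproved collector, and diffs the snapshot against a known-good baseline to surface unexpected changes. Both config texts and the approved collector address are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the footholds described above and
report drift from a baseline. Configs below are constructed samples."""
import difflib
import re

# Constructed known-good snapshot: Smart Install disabled, one strong RO community.
BASELINE = """\
hostname edge-sw1
no vstack
snmp-server community Xq7-strong-ro RO
interface GigabitEthernet1/0/1
 description uplink
"""
# Constructed current snapshot with the kinds of changes the bullet describes.
CURRENT = """\
hostname edge-sw1
snmp-server community Xq7-strong-ro RO
snmp-server community public RW
interface GigabitEthernet1/0/1
 description uplink
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 203.0.113.10
ip flow-export destination 203.0.113.10 2055
"""
APPROVED_COLLECTORS = {"10.0.0.50"}  # assumed address of the site's own NetFlow collector

def audit_config(cfg: str, approved=APPROVED_COLLECTORS) -> list[str]:
    """Return one finding string per weak setting or suspicious construct found."""
    findings = []
    if not re.search(r"^no vstack\s*$", cfg, re.M):
        findings.append("smart-install: 'no vstack' missing, Smart Install may be enabled")
    for m in re.finditer(r"^snmp-server community (\S+)(?: view \S+)?\s*(RO|RW)?", cfg, re.M):
        community, mode = m.group(1), m.group(2) or "RO"
        if community.lower() in {"public", "private", "cisco"} or mode == "RW":
            findings.append(f"snmp: weak or writable community '{community}' ({mode})")
    # A tunnel stanza is the interface line plus the indented lines that follow it.
    for m in re.finditer(r"^interface (Tunnel\S*)\n((?: .*\n)*)", cfg, re.M):
        if "tunnel mode gre" in m.group(2):
            findings.append(f"gre: tunnel interface {m.group(1)} present")
    for m in re.finditer(r"^ip flow-export destination (\S+) (\d+)", cfg, re.M):
        if m.group(1) not in approved:
            findings.append(f"netflow: export to unapproved collector {m.group(1)}:{m.group(2)}")
    return findings

def config_drift(baseline: str, current: str) -> list[str]:
    """Config lines added (+) or removed (-) relative to the baseline snapshot."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l for l in diff if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]

if __name__ == "__main__":
    for line in audit_config(CURRENT) + config_drift(BASELINE, CURRENT):
        print(line)
```

Run against periodically collected `show running-config` output, a removed `no vstack` line or a new `Tunnel` stanza in the drift list is exactly the kind of anomalous device change the advisory asks operators to watch for.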