FBI and Cisco Warn Russian FSB Unit Is Exploiting 2018 Cisco Flaw in Active Spy Campaign

Officials report mass theft of device configurations from unpatched or end-of-life gear, urging immediate patching, Smart Install shutdown, or replacement.

A view shows the Russian flag on the facade of a historic building alongside the American flag on the facade of the U.S. Embassy in Moscow, Russia March 18, 2025. REUTERS/Yulia Morozova/File photo

Overview

  • Over the past year, the FBI detected the collection of configuration files from thousands of networking devices tied to U.S. critical infrastructure entities.
  • Intrusions leverage CVE-2018-0171 in Cisco Smart Install to enable code execution or device reloads, frequently alongside legacy SNMP on outdated hardware.
  • Cisco Talos attributes the activity to Static Tundra, linked to the FSB’s Center 16, with past use of custom implants such as the SYNful Knock router malware.
  • Targets span telecommunications, higher education, and manufacturing across North America, Europe, Asia, and Africa, with escalated operations against Ukraine since 2022.
  • Researchers detail automated internet scanning, config tampering for persistence, and exfiltration via TFTP/FTP and GRE tunnels, warning that other state actors likely run similar operations.
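As an added defensive example (not part of the Particle.news summary or of the FBI/Cisco advisories), a small audit over an IOS-style running config that flags the three exposure classes the bullets describe: Smart Install left enabled (no `no vstack` line present), legacy SNMP v1/v2c community strings, and GRE tunnel interfaces that are not on an allow-list. The config excerpt is constructed, and the `approved_tunnels` allow-list parameter is an assumption of this example.

```python
import re

# Constructed sample of an IOS-style running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
snmp-server community private RW
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.7
 tunnel mode gre ip
!
interface GigabitEthernet0/1
 ip address 192.0.2.10 255.255.255.0
!
end
"""

def audit_ios_config(config: str, approved_tunnels: frozenset[str] = frozenset()) -> list[str]:
    """Flag the exposure classes the advisory names: Smart Install left enabled,
    legacy SNMP v1/v2c communities, and GRE tunnel interfaces not on the allow-list
    (approved_tunnels is an assumed parameter; populate it from your own inventory)."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Smart Install (vstack) is on by default on many IOS/IOS-XE releases and is
    # only switched off when the config carries an explicit "no vstack" line.
    if not any(ln.strip() == "no vstack" for ln in lines):
        findings.append("smart-install: no 'no vstack' line; service may be listening (patch, disable, or retire)")

    # SNMP v1/v2c community strings; an RW community can rewrite the running config.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", ln.strip())
        if m:
            findings.append(f"snmp: v1/v2c community '{m.group(1)}' with {m.group(2)} access")

    # GRE tunnels not on the allow-list are a candidate exfiltration channel.
    current_if = None
    for ln in lines:
        if ln.startswith("interface "):
            current_if = ln.split(" ", 1)[1]
        elif current_if and ln.strip().startswith("tunnel mode gre") and current_if not in approved_tunnels:
            findings.append(f"gre: unapproved tunnel interface {current_if}")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; an empty result means none of the three exposure classes was seen, not that the device is patched.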