Particle.news

FSB-Linked 'Static Tundra' Exploits 2018 Cisco Flaw for Years-Long Espionage, Cisco Talos Says

Automation-driven exploitation of neglected Smart Install flaws kept legacy Cisco routers exposed for years.

Russian State Hackers Exploit 7-Year-Old Cisco Router Vulnerability

Overview

  • Cisco Talos identifies Static Tundra as a Russian state-sponsored cluster tied to FSB Center 16 and overlapping with the Energetic Bear ecosystem.
  • The campaign targets telecommunications, higher education and manufacturing across North America, Europe, Asia and Africa, with elevated focus on Ukraine since 2022.
  • A concurrent FBI advisory reports widespread collection of router configuration files, unauthorized config changes and interference with TACACS+ logging.
  • Operators exploit CVE-2018-0171 to harvest credentials and intelligence, relying on SNMP and TFTP/FTP, on GRE tunnels to siphon traffic, and on implants such as SYNful Knock for persistence.
  • Researchers say automated tooling and data from services like Shodan and Censys enable large-scale victim discovery, while Cisco urges patching or disabling Smart Install on affected devices.