FBI: Russia-linked group Static Tundra exploits old Cisco flaw for espionage

The Federal Bureau of Investigation (FBI) has issued a warning about a sophisticated cyber espionage campaign targeting organizations in the United States and globally. The threat actor behind this campaign, known as Static Tundra, is linked to the Russian Federal Security Service's (FSB) Center 16 unit and has been active for over a decade.

Static Tundra exploits a seven-year-old vulnerability (CVE-2018-0171) in the Smart Install feature of Cisco IOS software, which Cisco patched when the flaw was disclosed in 2018. However, the FSB-linked group continues to target unpatched and end-of-life network devices to steal configuration data and establish persistent access.

According to Talos researchers, the primary targets of Static Tundra include organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. The victims are selected based on their strategic interest to the Russian government.

The Vulnerability: CVE-2018-0171

CVE-2018-0171 is a critical vulnerability (CVSS score of 9.8) in Cisco Smart Install that allows an unauthenticated, remote attacker to cause a reload of a vulnerable device (a denial-of-service condition) or to execute arbitrary code on the affected device.

The Threat Actor: Static Tundra

Static Tundra is a Russia-linked actor attributed to the FSB's Center 16 unit. The group specializes in compromising network devices for long-term intelligence gathering operations. It has been observed collecting configuration data from thousands of U.S. critical infrastructure devices over the past year.

The Tactics, Techniques, and Procedures (TTPs) of Static Tundra

Static Tundra uses a variety of tactics, techniques, and procedures to achieve its goals. These include exploiting weak legacy protocols such as Simple Network Management Protocol (SNMP) and deploying tools like the "SYNful Knock" malware, an implant that targets Cisco routers.

The SYNful Knock Malware

SYNful Knock is a modular, stealthy router firmware backdoor that ensures persistence, evades detection, and uses non-standard packets for authentication. The backdoor was first detailed in 2015 by Mandiant.

The Impact of Static Tundra's Activities

Static Tundra's activities have significant implications for organizations across the globe. By exploiting vulnerable network devices, they can gain persistent access to critical infrastructure, steal configuration data, and support long-term espionage.

The Recommended Mitigation

Cisco recommends that organizations apply security updates for CVE-2018-0171 or disable Smart Install as a temporary mitigation. The FBI also published Indicators of Compromise (IOCs) for this campaign.
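The two weaknesses the article ties to this campaign, a Smart Install client left enabled and legacy SNMPv1/v2c community strings, can both be spotted in a device's running configuration. The following audit script is an added example, not code from the article, the FBI, or Cisco; it assumes standard IOS configuration syntax (`no vstack` disables the Smart Install client, `snmp-server community <name> RO|RW [acl]` defines a community) and runs against a constructed sample config.

```python
"""Audit a Cisco IOS running-config for the two weaknesses the article
associates with Static Tundra: the Smart Install client (CVE-2018-0171)
left enabled, and SNMPv1/v2c community strings. Added example; not from
the article or from Cisco."""
import re

# Constructed sample running-config (not captured from any real device).
SAMPLE_CONFIG = """\
hostname edge-sw01
!
ip domain-name example.internal
!
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server group netops v3 priv
!
line vty 0 4
 transport input ssh
!
end
"""

# Community strings that are widely known defaults (assumed list).
WEAK_COMMUNITIES = {"public", "private", "cisco"}


def audit_config(config: str) -> list[str]:
    """Return a list of findings for the given IOS running-config text."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install: the client is on by default on many IOS platforms, so
    # only an explicit 'no vstack' in the config means it has been disabled.
    if "no vstack" not in lines:
        findings.append("smart-install: client not disabled (apply the "
                        "CVE-2018-0171 fix or configure 'no vstack')")

    # SNMPv1/v2c communities travel in cleartext; flag well-known strings
    # and any community that is not restricted by an access list.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", ln)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: well-known {mode} community '{name}'")
        if acl is None:
            findings.append(f"snmp: {mode} community '{name}' has no ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample config the script reports the missing `no vstack` line and two findings for the `public` community; the `s3cr3t` RW community passes only because it is bound to an access list.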

It is essential for organizations to take proactive measures to protect themselves against Static Tundra's activities. By patching vulnerabilities, disabling unnecessary protocols, and implementing robust security controls, they can reduce the risk of a successful attack.