Russian Espionage Group Static Tundra Targets Legacy Cisco Flaw
A seven-year-old vulnerability affecting end-of-life Cisco network devices has been exploited by a Russian state-sponsored cyber espionage group known as Static Tundra. According to Cisco Talos, the group has been observed compromising Cisco devices for several years, leveraging the previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices have reached their end-of-life date.
The FBI and Cisco Talos issued separate warnings about the campaign on August 20, 2025. The warning from Cisco Talos stated that "Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled." Customers have been urged to apply the patch for CVE-2018-0171 or to disable Smart Install if patching is not an option.
The vulnerability, first disclosed in 2018, could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on the device. When exploited, this bug poses a significant threat to organizations that rely heavily on Cisco network devices.
Victims of Strategic Interest to Russia
The FBI noted that it had observed Static Tundra collecting configuration files on thousands of networking devices associated with US entities across critical infrastructure sectors. Cisco assessed that the primary targets of Static Tundra include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa, and Europe.
Victims are typically selected based on their strategic interest to the Russian government. Cisco Talos also noted that some victims are based in Ukraine. The firm believes that Static Tundra will continue to focus on organizations of political interest in Ukraine and among its allies in the future.
An Established Threat Group
Static Tundra, likely a subgroup of Energetic Bear/Berserk Bear/Dragonfly, is a well-established threat group that has operated for over a decade. The group has been attributed to the Russian Federal Security Service's (FSB) Center 16.
The FBI noted that since 2015, this unit has compromised networking devices globally, particularly devices accepting legacy unencrypted protocols such as Smart Install (SMI) and Simple Network Management Protocol (SNMP) versions one and two. This unit has also deployed custom tools to certain Cisco devices, such as the malware publicly identified as SYNful Knock in 2015.
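The two exposure conditions named above and in the patch-or-disable guidance earlier (Smart Install left enabled, and SNMP v1/v2c community strings still configured) can be checked offline against a saved running-config. The following audit helper is an added example, not code from the article, Cisco Talos or the FBI; it assumes that on affected IOS/IOS XE platforms Smart Install is enabled by default and that a saved config shows `no vstack` only once it has been disabled, and that `snmp-server community` lines configure v1/v2c access. The sample config is constructed.

```python
import re

# Constructed sample of a saved IOS running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname branch-sw-01
!
snmp-server community public RO
snmp-server community s3cret RW
snmp-server group netops v3 priv
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""


def audit_ios_config(config_text: str) -> dict:
    """Flag legacy-exposure conditions in an IOS/IOS XE running-config.

    Assumptions: Smart Install is on by default on affected platforms and the
    saved config contains 'no vstack' only after it has been disabled; SNMP
    v1/v2c access is configured with 'snmp-server community' lines.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    smart_install_disabled = any(ln == "no vstack" for ln in lines)
    # Community-string lines (v1/v2c); 'snmp-server group ... v3' lines are not matched.
    communities = [
        m.group(1)
        for ln in lines
        if (m := re.match(r"snmp-server community (\S+)", ln))
    ]
    findings = []
    if not smart_install_disabled:
        findings.append("Smart Install not explicitly disabled: patch CVE-2018-0171 "
                        "or add 'no vstack' (Smart Install listens on TCP/4786)")
    for name in communities:
        findings.append(f"SNMP v1/v2c community configured: {name!r}; "
                        "migrate to SNMPv3 or restrict it with an ACL")
    return {
        "smart_install_disabled": smart_install_disabled,
        "snmp_v1v2c_communities": communities,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```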
Operational Objectives
Cisco has assessed that the group has two primary operational objectives. One is to compromise network devices to gather sensitive device configuration information that can be leveraged to support future operations.
The second objective is to establish persistent access to network environments to support long-term espionage. The analysis by Cisco noted that because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices.
Stealthy Tooling
Static Tundra uses bespoke tooling that prioritizes persistence and stealth to achieve its objectives. Among it is a custom tool that automates the exploitation of CVE-2018-0171.