FSB-Linked APT Targets Unpatched and End-of-Life Network Devices


Static Tundra is a Russian state-sponsored espionage group that has been exploiting unpatched and end-of-life Cisco network devices for over a decade. By leveraging the long-known vulnerability CVE-2018-0171 in the Smart Install feature of Cisco IOS and IOS XE, the group has gained and maintained long-term persistence in critical organizations worldwide. The campaign demonstrates the risk posed by legacy network infrastructure that remains unpatched or is no longer supported by its vendor.

Severity Level: High

Attribution & Actor Background

  • Threat Actor: Static Tundra (suspected sub-cluster of Energetic Bear / BERSERK BEAR).
  • Affiliation: Russian Federal Security Service (FSB) – Center 16 unit.
  • Motivation: Strategic intelligence collection in alignment with Russian state interests.
  • Operational History: Active for over a decade; consistent focus on network device exploitation.

Exploited Vulnerability

  • CVE-2018-0171: Cisco IOS and IOS XE Smart Install (TCP/4786) buffer overflow, exploitable remotely without authentication for code execution or denial of service.
  • Originally patched in 2018, but still widely exploitable due to:
    • Legacy devices reaching end-of-life (no patch support).
    • Organizations failing to apply available patches.

Threat Details

  1. Initial Access & Infection Vectors
    • Smart Install Exploitation: Remote, unauthenticated exploitation of Cisco IOS devices.
    • SNMP Abuse: Using weak or default community strings (e.g. “public”, “anonymous”), especially ones that grant read-write (RW) access and therefore let the actor change device configuration over SNMP.
    • Configuration Theft: Enabling a TFTP server on the device so that the startup configuration can be pulled off the box.
  2. Persistence:
    • SYNful Knock implant: a modified IOS image that is modular, stealthy and survives reboots.
    • Creation of privileged local accounts.
    • Additional SNMP community strings for ongoing access.
  3. Defense Evasion:
    • Modifying TACACS+ configuration and ACLs so that attacker infrastructure is permitted and its activity is less likely to be logged.
    • Using spoofed SNMP traffic to mask origin.
  4. Discovery & Lateral Movement:
    • Leveraging CDP neighbor tables (“show cdp neighbors”) and other passive discovery instead of noisy active scans.
    • Pivoting from compromised network edge devices into internal environments.
  5. Collection & Exfiltration:
    • Exfiltration of device configs via TFTP/FTP.
    • Establishment of GRE tunnels to redirect live traffic to attacker-controlled servers.
    • Collection of NetFlow data for further intelligence.

Targeting & Victimology

  • Primary Sectors: Telecommunications, Higher Education, Manufacturing.
  • Regions: North America, Europe, Asia, Africa, with elevated focus on Ukraine and allied nations since 2022.
  • Selection Criteria: Organizations of strategic geopolitical interest to Russia.

Recommendations

  1. Immediately apply the Cisco patch for CVE-2018-0171 on all affected devices.
  2. Disable Smart Install (“no vstack”) wherever it is not in use, and on every device where patching is not feasible.
  3. Replace or decommission end-of-life (EoL) devices that no longer receive vendor patches.
  4. Establish an EoL replacement policy to avoid reliance on unsupported hardware.
  5. Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
  6. Use Type 8 (PBKDF2-SHA-256) secrets for local account credentials; Type 0, 5 and 7 passwords are plaintext, crackable or directly reversible.
  7. Use Type 6 (AES-encrypted) storage for the TACACS+ shared key.
  8. Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:
    • Conduct comprehensive configuration management (including auditing), in line with best practices.
    • Conduct comprehensive authentication, authorization and command issuance monitoring.
    • Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
    • Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
    • Where possible, develop NetFlow visibility to identify unusual volumetric changes.
    • Look for non-empty or unusually large .bash_history files.
  9. Use Cisco’s SYNful Knock scanner to check for firmware implants.
  10. Block the indicators of compromise (IOCs) at the relevant controls (firewall, proxy, DNS). The IOC list is published on VirusTotal:
    https://www.virustotal.com/gui/collection/74e4de6707ee0996d859ef06613941d04253dd496e05d3398f71082a2825425c/iocs
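The following Python script is an added example, not code from Talos, Cisco or this advisory's author. It audits a Cisco IOS-style running-config for the artifacts listed under Threat Details (extra SNMP community strings, a TFTP server, GRE tunnels, local accounts) and for the hardening items in the recommendations above (Smart Install disabled, SSH-only VTY lines, Type 8 local secrets, Type 6 TACACS+ key). Both configs are constructed for illustration; the check names, the regular expressions and the treatment of a missing “no vstack” line as “Smart Install still enabled” are this example's own assumptions about IOS syntax.

```python
# Audit a Cisco IOS running-config for the weak settings and persistence
# artifacts in the advisory. Added example; configs below are constructed.
import re

DEFAULT_COMMUNITIES = {"public", "private", "anonymous"}  # assumed guessable set

WEAK_CONFIG = """\
username admin privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username netsvc privilege 15 password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
snmp-server community anonymous RW
tftp-server flash:startup-config
tacacs server ISE
 key 7 0822455D0A16
interface Tunnel100
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.25
 tunnel mode gre ip
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
 transport output none
"""

HARDENED_CONFIG = """\
no vstack
username admin privilege 15 secret 8 $8$saltsalt$hashhashhashhash
snmp-server community Xk7vQ2pL9dRm RO
tacacs server ISE
 key 6 RfGHJ_encrypted_key_blob
line vty 0 4
 transport input ssh
 transport output none
"""


def parse_blocks(config):
    """Split an IOS config into [(top-level line, [indented child lines])]."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return [(check, detail)] findings for one running-config."""
    blocks = parse_blocks(config)
    findings = []
    # CVE-2018-0171 surface: IOS prints 'no vstack' only when Smart Install was
    # explicitly disabled, so its absence is taken to mean the default (enabled).
    if "no vstack" not in [top for top, _ in blocks]:
        findings.append(("smart_install", "Smart Install not disabled; add 'no vstack'"))
    for top, kids in blocks:
        m = re.match(r"username (\S+).*? (secret|password)(?: (\d+))? \S+$", top)
        if m:  # local accounts: only Type 8 secrets are acceptable (0/7 reversible, 5 MD5)
            typ = m.group(3) or "0"
            if typ != "8":
                findings.append(("weak_local_secret", f"{m.group(1)}: {m.group(2)} type {typ} is not Type 8"))
            continue
        m = re.match(r"snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?", top, re.I)
        if m:  # SNMP: guessable strings and any RW access are the advisory's access vectors
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default_snmp_community", f"'{name}' ({mode}) is a default string"))
            if mode == "RW":
                findings.append(("snmp_rw", f"'{name}' grants read-write SNMP"))
            continue
        if top.startswith("tftp-server "):  # serves config files for TFTP exfiltration
            findings.append(("tftp_server", top))
        keys = [top.split(" ", 1)[1]] if top.startswith("tacacs-server key") else (
            [k for k in kids if k.startswith("key ")] if top.startswith("tacacs server ") else [])
        for k in keys:  # TACACS+ shared secret must be stored as Type 6
            m = re.match(r"key(?: (\d))? \S+$", k)
            typ = (m.group(1) or "0") if m else "?"
            if typ != "6":
                findings.append(("tacacs_key_not_type6", f"{top}: key type {typ} is not Type 6"))
        if top.startswith("interface Tunnel"):  # GRE is the advisory's traffic-redirection channel
            mode = next((k for k in kids if k.startswith("tunnel mode")), "tunnel mode gre ip")
            dest = next((k.split()[-1] for k in kids if k.startswith("tunnel destination")), "unset")
            if "gre" in mode:
                findings.append(("gre_tunnel", f"{top} -> {dest}: confirm this tunnel is sanctioned"))
        if top.startswith("line vty"):  # VTY: SSH in, nothing out
            inputs = [k for k in kids if k.startswith("transport input")]
            if inputs != ["transport input ssh"]:
                findings.append(("vty_transport_input", f"{top}: want 'transport input ssh', have {inputs or 'default'}"))
            if "transport output none" not in kids:
                findings.append(("vty_transport_output", f"{top}: missing 'transport output none'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for check, detail in audit_config(cfg):
            print(f"  [{check}] {detail}")
```

Run it against a saved “show running-config” and diff the finding list against a known-good baseline; a new SNMP community, a new local user or a new Tunnel interface appearing between two runs is exactly the persistence footprint described above.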
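Item 8 above asks defenders to watch syslog and AAA logs for a drop in normal logging or a gap in logged activity. The script below is an added example, not Talos code, showing one way to do that over IOS-style syslog: it parses the timestamps, reports silences longer than a threshold, flags clock hours whose event count falls well below the median, and lists configuration-change events. The log lines are constructed for illustration (10.0.0.5 and 203.0.113.77 are placeholder addresses); the year parameter, the 0.5 drop ratio and the gap threshold are this example's own choices.

```python
# Detect logging gaps, volume drops and config changes in Cisco IOS syslog.
# Added example, not Talos code; the sample log below is constructed.
import re
from datetime import datetime, timedelta
from statistics import median

SAMPLE_SYSLOG = """\
Aug 20 08:00:12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5]
Aug 20 08:20:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/3, changed state to up
Aug 20 08:41:30: %LINK-3-UPDOWN: Interface Gi0/7, changed state to down
Aug 20 09:02:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5]
Aug 20 09:25:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/7, changed state to up
Aug 20 09:48:09: %SYS-5-CONFIG_I: Configured from console by ops on vty0 (10.0.0.5)
Aug 20 10:07:33: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5]
Aug 20 10:29:58: %LINK-3-UPDOWN: Interface Gi0/12, changed state to down
Aug 20 10:50:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/12, changed state to up
Aug 20 13:42:05: %SYS-5-CONFIG_I: Configured from console by vty1 (203.0.113.77)
Aug 20 13:55:48: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 203.0.113.77]
"""

# IOS prefixes '*' (clock unset) or '.' (clock unsynced) before the timestamp.
TS_RE = re.compile(r"^[*.]?(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_events(text, year):
    """Return [(datetime, message)] in file order; IOS omits the year, so it is a parameter."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, line[m.end():].lstrip(": ")))
    return events


def find_gaps(events, max_gap_seconds):
    """(start, end) of every silence between consecutive events longer than the threshold."""
    return [(t0, t1) for (t0, _), (t1, _) in zip(events, events[1:])
            if (t1 - t0).total_seconds() > max_gap_seconds]


def hourly_counts(events):
    """Event count per clock hour across the whole span, zero-count hours included."""
    if not events:
        return {}
    first = events[0][0].replace(minute=0, second=0, microsecond=0)
    last = events[-1][0].replace(minute=0, second=0, microsecond=0)
    counts = {}
    h = first
    while h <= last:
        counts[h] = 0
        h += timedelta(hours=1)
    for ts, _ in events:
        counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def quiet_hours(events, drop_ratio=0.5):
    """Hours whose event count fell below drop_ratio times the median hourly count."""
    counts = hourly_counts(events)
    if not counts:
        return []
    threshold = drop_ratio * median(counts.values())
    return [h for h, n in counts.items() if n < threshold]


def config_changes(events):
    """Configuration-change events; attacker persistence steps on IOS generate these."""
    return [(ts, msg) for ts, msg in events if "%SYS-5-CONFIG_I" in msg]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_SYSLOG, 2025)
    for t0, t1 in find_gaps(ev, 3600):
        print(f"gap: {t0} -> {t1} ({t1 - t0})")
    print("quiet hours:", [h.strftime("%H:00") for h in quiet_hours(ev)])
    for ts, msg in config_changes(ev):
        print("config change:", ts, msg)
```

On the constructed input the device falls silent from 10:50 to 13:42, hours 11:00 and 12:00 are flagged as quiet, and the config change that ends the silence comes from an address that never appeared before, which is the pattern the advisory tells defenders to treat as suspicious. In production, feed the device's syslog export or the collector's per-device stream rather than a single file.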

Source:

  • https://blog.talosintelligence.com/static-tundra/


