Updated 22 August 2025 at 11:02 IST

Russian Cyber Attacker 'Static Tundra' Exploits Old Cisco Vulnerability in Global Spy Campaign



The Federal Bureau of Investigation (FBI) has warned the international community about a Russian government-backed hacking group called Static Tundra that has been spying on organisations worldwide for over 10 years. The group is part of Russia’s intelligence services, specifically FSB Center 16. In an advisory, the FBI has cautioned public and private sector organisations to take the necessary actions to protect their Cisco devices from these attackers.

The FSB Center 16 unit conducting this activity is known to cybersecurity professionals by several names, such as “Berserk Bear” and “Dragonfly.” This espionage group breaks into network devices using a seven-year-old bug, tracked as CVE-2018-0171, in Cisco's Smart Install feature. Although the company patched this vulnerability years ago, many companies still haven’t updated their devices or are still using outdated hardware, which leaves them at risk of being easy targets.

The primary targets of Static Tundra include organisations in the telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. According to Cisco Talos researchers, the group selects its victims based on their strategic interest to the Russian government.

“For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life. We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra's adaptation and shifts in operational focus as Russia's priorities have changed over time,” wrote Cisco researchers Sara McBroom and Brandon White in a blog post.

Static Tundra uses stealthy tools to remain inside computer networks for long periods. These include an older tool called SYNful Knock and custom tools the group created itself. With these advanced tools, the attackers can steal sensitive data, monitor communications, or even sabotage networks. They look for network devices that are either unpatched or no longer supported. They break into these devices and then move deeper into the network to compromise more devices. Once inside, they set up ways to remain hidden and spy on critical information for years without being noticed.

The researchers warn that old vulnerabilities, if not patched, can pose serious risks. It is advisable to update your Cisco devices to fix CVE-2018-0171, and if you can't update, then turn off Smart Install. 
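One way to act on this advice across many devices, shown as an added example that is not from the article, Cisco or the FBI: a Python check that reads saved running-config backups and reports which devices have Smart Install explicitly turned off. It assumes `no vstack` is the global configuration command that disables Smart Install (taken from Cisco's documentation, not from this page); the file names, hostnames and addresses are constructed.

```python
import re

# Constructed sample config backups (not real devices); keys are hypothetical file names.
SAMPLE_CONFIGS = {
    "edge-sw1.cfg": """hostname edge-sw1
!
no vstack
!
interface GigabitEthernet0/1
 switchport mode access
""",
    "dist-sw2.cfg": """hostname dist-sw2
!
vstack director 192.0.2.10
vstack basic
""",
    "old-sw3.cfg": """hostname old-sw3
! no vstack  (a comment line, so it does not count)
interface Vlan1
 ip address 192.0.2.33 255.255.255.0
""",
}

def classify(config_text):
    """Return (hostname, status) for one saved running-config."""
    hostname, status = "unknown", "REVIEW"
    for raw in config_text.splitlines():
        # Global commands start in column 0; skip sub-mode lines and '!' comments.
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        line = raw.strip()
        m = re.match(r"hostname\s+(\S+)", line, re.IGNORECASE)
        if m:
            hostname = m.group(1)
        elif line.lower() == "no vstack":
            status = "DISABLED"             # Smart Install explicitly turned off
        elif line.lower().startswith("vstack ") and status != "DISABLED":
            status = "DIRECTOR_CONFIGURED"  # Smart Install is actively configured
    return hostname, status

def audit(configs):
    """Map each backup file name to its (hostname, status) result."""
    return {name: classify(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, (host, status) in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name:14} {host:10} {status}")
```

A `REVIEW` result means Smart Install was not explicitly disabled in the backup; whether the feature is active then depends on the platform and software release, so confirm on the device itself.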


Published By : Priya Pathak

Published On: 22 August 2025 at 11:02 IST