This post is also available in:
עברית (Hebrew)
A Russian state-linked cyber espionage group has been found actively exploiting a known vulnerability in Cisco networking equipment, despite a patch being available for several years. The exploitation effort is part of a wider campaign believed to be focused on intelligence gathering across U.S. and allied infrastructure.
The flaw, tracked as CVE-2018-0171, affects the Smart Install protocol in Cisco IOS and IOS XE software. It allows unauthenticated attackers to remotely execute code or trigger denial-of-service conditions on vulnerable devices. Though Cisco issued a fix in 2018, devices that remain unpatched or have the Smart Install feature enabled continue to be exposed.
The actor behind the current activity, identified as Static Tundra, has reportedly been targeting systems based on their relevance to Russian strategic interests—especially in Ukraine and allied nations. Cisco Talos, the company’s threat intelligence unit, reports that the group’s tactics have evolved in line with shifts in Russia’s geopolitical priorities.
After breaching initial targets, the attackers move laterally across the network, collecting configuration files from routers and switches and creating backdoors for long-term access. According to Cisco Talos, thousands of U.S.-based networking devices in critical infrastructure sectors may have already been compromised.
The FBI has corroborated these findings, warning that actors affiliated with Russia’s Federal Security Service (FSB) have been exploiting both outdated hardware and unpatched vulnerabilities like CVE-2018-0171. They also noted the use of Simple Network Management Protocol (SNMP) to gather information from targeted environments.
The attackers have reportedly modified configuration files to maintain persistent, unauthorized access to certain systems. The activity suggests a particular interest in industrial control environments, which often rely on older protocols and hardware.
Static Tundra is believed to be a sub-group of Energetic Bear, a long-observed threat actor linked to the FSB’s Center 16 unit. This assessment aligns with a 2022 indictment by the U.S. Department of Justice.
Cisco recommends that any organization unable to apply the relevant patches should disable Smart Install entirely. Maintaining up-to-date software and deactivating unused services remain key steps in limiting exposure to such state-sponsored campaigns.
