Russian State Hackers Exploit 7-Year-Old Cisco Router Vulnerability

FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and switches worldwide.

Thousands of outdated Cisco devices that no longer receive security updates are now being exploited in a cyber espionage campaign, according to joint warnings from the FBI and Cisco Talos.

A Russian state-sponsored group known as Static Tundra, also tracked as Dragonfly, Energetic Bear and Berserk Bear, is taking advantage of a seven-year-old vulnerability that many organizations never patched.

The flaw, CVE-2018-0171, affects Cisco’s Smart Install feature and allows attackers to execute code or crash a device. Cisco addressed it back in 2018, but many systems remain unprotected either because they were never updated or have reached end-of-life (EOL) and no longer receive patches. Those devices, widely used in telecommunications, manufacturing and higher education, have become an easy entry point for one of Russia’s most persistent intelligence units.

Back in April 2018, Hackread.com reported that attackers exploited CVE-2018-0171 to target Cisco switches in data centers in Iran and Russia. By abusing the Smart Install feature, they hijacked the devices and replaced the IOS image with one displaying the US flag.

Screenshot from April 2018 (Credit: Hackread.com)

Static Tundra is linked to Russia’s Federal Security Service (FSB) Center 16 and has been active for more than a decade. Researchers say the group has developed automation tools to scan the internet, often using services like Shodan and Censys, to identify targets still running Smart Install.

Once breached, they pull device configurations that often contain administrator credentials and details about wider network infrastructure, providing a launchpad for deeper compromises.

The FBI says it has already seen configuration data exfiltrated from thousands of US devices across critical infrastructure sectors. In some cases, the attackers changed device settings to keep their access to the networks, showing particular interest in systems that help run industrial equipment and operations.

Static Tundra has a history of deploying SYNful Knock, a malicious implant for Cisco routers, first documented in 2015. This implant survives reboots and allows remote access through specially developed packets. In addition, the group abuses insecure SNMP community strings, sometimes even default ones like “public,” to extract more data or push new commands onto devices.

Cisco Talos researchers describe the operation as “highly sophisticated,” with evidence that compromised devices remain under the attackers’ control for years. They warn that Russia is not the only country running such operations, meaning any organization with unpatched or outdated networking gear could be at risk from multiple state actors.

Expert Comment

“This FBI Alert underscores the importance of both maintaining a current inventory (knowing what’s available to attackers), and how important continued vigilance of patching currency and configuration management remains until the device is taken offline,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

“The impacted CVE (CVE-2018-0171) is a high-scoring RCE (remote code execution) exploit – while some environments (like manufacturing, telecommunications, and other critical infrastructure) may face production delays for planned patching cycles – seeing a seven-year delay for this kind of vulnerability to be widely exploited is a bit surprising,” he added.

PATCH, PATCH, PATCH

Both the FBI and Cisco have issued strong recommendations. Organizations should immediately patch devices still running Smart Install or disable the feature if patching is no longer an option.

For older, unsupported hardware, Cisco advises planning for replacement, since these devices will never receive fixes. Cybersecurity administrators should monitor for suspicious configuration changes, unusual SNMP traffic, and unexplained TFTP activity, which are common signs of this campaign.
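The checks the FBI and Cisco recommend (Smart Install disabled, no default SNMP community strings, no unexplained configuration changes) can be run offline against a saved running-config. The following is an added example, not code from Cisco, Talos or the FBI; it assumes a plain-text IOS running-config, the `no vstack` line that IOS writes when Smart Install is disabled, and a constructed sample config for illustration.

```python
import re

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community netops-rw RW
!
ip tftp source-interface Vlan1
!
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(config: str) -> list:
    """Return findings for the hardening points raised in the advisories."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    # Smart Install (vstack) is on by default on affected IOS releases; it is
    # only off when 'no vstack' appears explicitly in the running-config.
    if "no vstack" not in lines:
        findings.append("Smart Install not explicitly disabled: add 'no vstack' "
                        "or patch CVE-2018-0171")
    for line in lines:
        # Simplified match; real IOS syntax also allows view/ACL arguments.
        m = re.match(r"snmp-server community (\S+)\s*(RO|RW)?", line)
        if not m:
            continue
        community, mode = m.group(1), (m.group(2) or "RO")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{community}' ({mode}) in use")
        if mode == "RW":
            findings.append(f"SNMP community '{community}' is read-write; "
                            "restrict it with an ACL or move to SNMPv3")
    return findings


def config_drift(baseline: str, current: str) -> dict:
    """Config lines added or removed relative to a known-good baseline."""
    clean = lambda text: {l.strip() for l in text.splitlines() if l.strip() not in ("", "!")}
    base, cur = clean(baseline), clean(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(config_drift(SAMPLE_CONFIG, SAMPLE_CONFIG + "snmp-server community unknown-rw RW\n"))
```

Run the drift check against a baseline captured when the device was last known clean; a new SNMP community or TFTP line appearing without a change ticket is exactly the kind of configuration change the advisories say to watch for.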

The FBI is also encouraging anyone who suspects their systems may have been targeted to report findings through the Internet Crime Complaint Center.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.