A Russian state-sponsored espionage group has been systematically compromising network devices worldwide for over a decade, exploiting a seven-year-old vulnerability to steal sensitive data and establish persistent access to organizations across multiple sectors, according to new research from Cisco Talos Intelligence.
The group, designated “Static Tundra” by Cisco Talos, is linked to the Russian Federal Security Service’s Center 16 unit and operates as a likely sub-cluster of the broader “Energetic Bear” threat group. The operation represents one of the most persistent network device compromise campaigns documented to date, with the group maintaining undetected access to victim systems for multiple years.
According to the researchers, the group has been leveraging CVE-2018-0171, a vulnerability in Cisco IOS software’s Smart Install feature that was patched when initially disclosed in 2018. Despite the availability of patches, the group continues to find success targeting organizations that have left devices unpatched or are running end-of-life equipment that cannot be updated.
The vulnerability allows attackers to execute arbitrary code on affected devices or trigger denial-of-service conditions.
Researchers believe the group has developed automated tooling to exploit the vulnerability at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys.
Once initial access is gained, the group employs sophisticated techniques to extract device configuration data, which often contains credentials and network information valuable for further compromise. The attackers use a combination of Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools to maintain access and collect intelligence.
The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.
“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” the Cisco Talos report states. The group expanded its targeting within Ukraine from selective, limited compromises to operations across multiple industry verticals.
The campaign exposes ongoing weaknesses in network infrastructure security, with attackers continuing to exploit a vulnerability patched in 2018. This persistence underscores widespread shortcomings in patch and device lifecycle management. The operation also illustrates the high strategic value nation-state actors place on compromising network devices, which offer access to broad organizational communications and facilitate further intrusions.
Security researchers emphasize that Static Tundra is not unique in targeting network infrastructure. The report notes that “many other state-sponsored actors also covet the access these devices afford,” indicating that similar operations are likely being conducted by multiple nation-state groups.
Cisco Talos assesses with high confidence that Static Tundra operates as a Russian state-sponsored group specializing in network device exploitation based on tactical overlaps with previously identified Russian operations and targeting patterns consistent with Russian strategic interests. The FBI has corroborated connections between Static Tundra and the broader Energetic Bear group, which was formally linked to Russia’s FSB Center 16 unit in a 2022 Department of Justice indictment.
FSB Center 16 is a unit within Russia’s Federal Security Service (FSB). The center is believed to oversee signals intelligence and cyber operations on behalf of the Russian government. Another group linked to the center known as Turla has been spotted waging its own espionage campaigns by Microsoft.
Source link
