A Russian state-sponsored threat actor dubbed Static Tundra has been actively exploiting a years-old vulnerability in Cisco network devices as part of a long-running cyber espionage campaign, according to new research by Cisco Talos.
Static Tundra, believed to be linked to Russia’s Federal Security Service (FSB) Center 16 and possibly a sub-cluster of the well-known “Energetic Bear” group, has been operational for over a decade. The group focuses on compromising vulnerable network infrastructure, particularly end-of-life Cisco devices, in key industries across North America, Europe, Asia, and Africa.
The campaign exploits CVE-2018-0171, a vulnerability in Cisco’s Smart Install feature. Although a patch was issued in 2018, many devices remain unpatched or unsupported. Static Tundra uses the flaw to extract configuration data and gain persistent access to internal networks, often leveraging older, insecure SNMP configurations and deploying stealthy implants such as the notorious SYNful Knock firmware implant.
Targeted sectors include telecommunications, higher education, and manufacturing, with a particular uptick in attacks against Ukrainian entities since the onset of the Russia-Ukraine war.
Cisco Talos warns that similar techniques are likely being used by other state-sponsored actors, and urges all organizations to immediately patch CVE-2018-0171 or disable Smart Install if patching is not possible. Organizations are also advised to audit SNMP configurations, remove outdated devices from service, and monitor for unauthorized configuration changes.
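The three defensive steps above (confirm Smart Install is off, audit SNMP, watch for unauthorized configuration changes) can be checked offline against a saved `show running-config` dump. The script below is an added example written for this article; it is not Cisco Talos or Cisco code. It assumes the standard IOS syntax `no vstack` for disabling Smart Install (confirm on the device with `show vstack config`, since the default depends on platform and release) and `snmp-server community <string> RO|RW` for legacy SNMPv1/v2c communities. The two config dumps and the SNMPv3 credentials in them are constructed placeholders.

```python
"""Offline audit of a Cisco IOS running-config for the weaknesses named in the
Static Tundra reporting: Smart Install left enabled, legacy SNMP community
strings, and configuration drift from a known-good baseline.

Added example, not Cisco Talos or Cisco code. It reads a text dump of
'show running-config' and never connects to a device."""
import hashlib
import re

# Constructed sample of a weak IOS config (placeholder values, demo only).
SAMPLE_WEAK_CONFIG = """\
! Last configuration change at 10:12:03 UTC Mon Jan 1 2024
version 15.2
hostname edge-sw1
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.10 version 2c public
!
line vty 0 4
 transport input telnet ssh
end
"""

# Same device after remediation: Smart Install explicitly disabled, SNMPv3 only
# (AuthPassPlaceholder / PrivPassPlaceholder are constructed placeholders).
SAMPLE_HARDENED_CONFIG = """\
! Last configuration change at 11:40:55 UTC Mon Jan 1 2024
version 15.2
hostname edge-sw1
!
no vstack
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
line vty 0 4
 transport input ssh
end
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+view \S+)?\s+(RO|RW)\b", re.M)


def audit_ios_config(config: str) -> list:
    """Return (severity, finding) tuples for one running-config dump."""
    findings = []
    # Smart Install (TCP 4786) stays enabled on many Catalyst platforms unless
    # the config carries an explicit 'no vstack'; treat its absence as a finding.
    if not re.search(r"^no vstack\s*$", config, re.M):
        findings.append(("high", "Smart Install not explicitly disabled ('no vstack' missing)"))
    # SNMPv1/v2c communities are authenticated by the string alone; a RW
    # community lets anyone who knows it read and rewrite the configuration.
    for name, mode in COMMUNITY_RE.findall(config):
        severity = "high" if mode.upper() == "RW" else "medium"
        note = f"SNMP v1/v2c community '{name}' with {mode.upper()} access"
        if name.lower() in ("public", "private"):
            note += " (well-known default string)"
            severity = "high"
        findings.append((severity, note))
    # Telnet on the management plane exposes credentials in cleartext.
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append(("medium", "Telnet accepted on a vty line"))
    return findings


def _stable_lines(config: str) -> list:
    """Config lines minus the volatile '! ...' timestamp comments IOS rewrites
    on every save, so two dumps of an unchanged config compare equal."""
    return [line.rstrip() for line in config.splitlines() if not line.startswith("! ")]


def config_fingerprint(config: str) -> str:
    """SHA-256 of the stable lines; store it as the baseline for each device."""
    return hashlib.sha256("\n".join(_stable_lines(config)).encode()).hexdigest()


def config_diff(baseline: str, current: str) -> dict:
    """Lines added to and removed from a known-good baseline; any non-empty
    result outside a change window is worth an alert."""
    before, after = set(_stable_lines(baseline)), set(_stable_lines(current))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    for severity, message in audit_ios_config(SAMPLE_WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_ios_config(SAMPLE_HARDENED_CONFIG))
    print("baseline fingerprint:", config_fingerprint(SAMPLE_WEAK_CONFIG))
    print("drift since baseline:", config_diff(SAMPLE_WEAK_CONFIG, SAMPLE_HARDENED_CONFIG))
```

In practice you would pull a dump per device on a schedule, keep the fingerprint of the last reviewed config, and page on any `config_diff` result that does not match an approved change ticket; the `audit_ios_config` findings are the one-time hygiene list to work through before retiring the hardware.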
Additionally, the FBI released a public warning regarding Static Tundra’s cyber espionage campaigns.