
Cybercriminals Affiliated with Russian Group Static Tundra Exploit Outdated Cisco Vulnerability

State-supported Russian hackers are taking advantage of a seven-year-old security flaw in Cisco Smart Install (CVE-2018-0171) found in devices nearing their end-of-life phase


In a concerning development, a Russian state-sponsored cyber espionage group known as Static Tundra has been exploiting a seven-year-old vulnerability in Cisco network devices. This group, which is believed to be a subgroup of Energetic Bear/Berserk Bear/Dragonfly, has been operating for over a decade and has been observed compromising Cisco devices for several years.

The vulnerability, identified as CVE-2018-0171, affects end-of-life Cisco network devices. This security flaw, if exploited, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) or execute arbitrary code on an affected device. The patch for this vulnerability was first issued in 2018, but it appears that many devices have been left unpatched.

Static Tundra focuses heavily on the exploitation of Cisco network devices and possibly the development of tools to interact with and persist on these devices. One of their bespoke tools automates the exploitation of CVE-2018-0171.

The vulnerability is found in the Smart Install feature of Cisco IOS software and Cisco IOS XE software. Static Tundra has compromised networking devices globally since 2015, particularly devices that still use legacy unencrypted management protocols such as SMI (Smart Install) and SNMP versions 1 and 2.

The FBI and Cisco Talos issued warnings about this campaign on August 20, 2025. The FBI noted that Static Tundra has collected configuration files on thousands of networking devices associated with US entities across critical infrastructure sectors.

In response to this threat, customers have been urged to apply the patch for CVE-2018-0171 or, where patching is not an option, to disable Smart Install. Smart Install is a feature that lets devices be configured automatically during initial setup; when it is left enabled on devices that no longer need it, it exposes an unauthenticated service, which is what makes it a prime target for exploitation.
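A defender's first step is knowing which devices still carry the two exposures the article describes: Smart Install left enabled and SNMP v1/v2c community strings. The following audit script is an added example, not code from the article, Cisco or Talos. It assumes you already have each device's running configuration as text (for example, saved from `show running-config`), that the `no vstack` line is the only positive evidence in a config that Smart Install has been turned off (it is enabled by default on client switches), and that Smart Install listens on TCP port 4786; both sample configurations are constructed for the example and do not describe any real device. The SNMPv3 `noauth` check is a small generalization beyond the article's text. The script does not check the IOS software version, so a device with no findings still needs the CVE-2018-0171 patch verified separately.

```python
"""Audit a Cisco IOS running-config for Smart Install and SNMP v1/v2c exposure."""
import re

# Smart Install client/director port; used only in the report text.
SMART_INSTALL_TCP_PORT = 4786

# Constructed sample: a switch left in its default state (Smart Install on,
# SNMP v1/v2c community strings). Not a real device's configuration.
WEAK_CONFIG = """\
!
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community s3cr3t RW
!
end
"""

# Constructed sample with the mitigations the article names applied:
# Smart Install disabled and SNMP moved to v3 with auth and privacy.
HARDENED_CONFIG = """\
!
hostname edge-sw-01
!
no vstack
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha REDACTED priv aes 128 REDACTED
!
end
"""


def _mask(secret: str) -> str:
    """Show only the length of a community string so the report can be shared."""
    return "*" * len(secret)


def audit_ios_config(config_text: str) -> list[str]:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings: list[str] = []

    # Smart Install (SMI) is on by default on client switches; the only
    # positive evidence in the config that it is off is the 'no vstack' line.
    if "no vstack" not in lines:
        findings.append(
            f"smart-install-enabled: 'no vstack' is absent, so the Smart Install "
            f"client (TCP/{SMART_INSTALL_TCP_PORT}) is assumed active; patch "
            f"CVE-2018-0171 or add 'no vstack'"
        )

    for ln in lines:
        # SNMP v1/v2c community strings travel in cleartext and are the only
        # credential; RW strings additionally allow configuration changes.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", ln, re.IGNORECASE)
        if m:
            access = (m.group(2) or "RO").upper()
            findings.append(
                f"snmp-v1v2c-community: '{_mask(m.group(1))}' grants {access}; "
                f"replace with an SNMPv3 group at 'priv' level"
            )
        # SNMPv3 configured at the 'noauth' level gives no authentication
        # or encryption either, so it is flagged as well.
        if re.match(r"snmp-server group \S+ v3 noauth", ln, re.IGNORECASE):
            findings.append(f"snmp-v3-noauth: '{ln}' provides no auth or encryption")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_ios_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it over a directory of saved configs and the devices that report `smart-install-enabled` are the ones to patch or to add `no vstack` to first; the community-string findings are masked so the report can be circulated without leaking the strings themselves.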

Static Tundra's operations against entities in Ukraine escalated at the start of the Russia-Ukraine war and have remained high since then. The group has primarily targeted Ukrainian government institutions, military organizations, and critical infrastructure during and after the Ukraine conflict.

Victims of Static Tundra are typically selected based on their strategic interest to the Russian government, with primary targets in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Some victims are also based in Ukraine.

Static Tundra uses bespoke tooling that prioritizes persistence and stealth. They have deployed custom tools to certain Cisco devices, such as the malware SYNful Knock. The Russian Federal Security Service's (FSB) Center 16 is associated with Static Tundra.

It's crucial for network administrators to be vigilant and ensure that their devices are up to date and properly configured to mitigate the risks posed by groups like Static Tundra. By taking proactive measures, organizations can protect themselves from potential cyber attacks and safeguard their critical infrastructure.
