Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage
Summary
Hide ▲
Show ▼
Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns.
Timeline
-
20.08.2025 18:59 3 articles · 1mo ago
FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage
The group has been using custom SNMP tooling to gain persistence on compromised devices and evade detection for years. The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade.
Show sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
Information Snippets
-
Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The group has been exploiting CVE-2018-0171, a critical vulnerability in Cisco IOS and IOS XE software.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
Targeted sectors include telecommunications, higher education, and manufacturing across North America, Asia, Africa, and Europe.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The group uses SNMP to send instructions to download and append configuration files, facilitating unauthorized access.
First reported: 20.08.2025 18:593 sources, 3 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
Static Tundra sets up GRE tunnels to redirect traffic of interest to attacker-controlled infrastructure.
First reported: 20.08.2025 18:592 sources, 2 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
The group exfiltrates NetFlow data via outbound TFTP or FTP connections.
First reported: 20.08.2025 18:592 sources, 2 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install if patching is not an option.
First reported: 20.08.2025 18:592 sources, 2 articlesShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
The campaign aims to compromise and extract device configuration information for future strategic goals.
First reported: 20.08.2025 18:591 source, 1 articleShow sources
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59
-
Static Tundra has been exploiting the vulnerability for over a year, targeting critical infrastructure sectors in the US and abroad.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
The group has collected configuration files from thousands of networking devices used by US organizations.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
Static Tundra has been targeting organizations in manufacturing, telecommunications, and higher education sectors globally.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
The group has increased attacks on Ukraine since the start of the war.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
Static Tundra uses stolen SNMP credentials to control compromised devices and hide their activity.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
The group creates new local user accounts and enables remote access services like Telnet for persistent access.
First reported: 20.08.2025 22:391 source, 1 articleShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
-
Static Tundra uses a Cisco IOS firmware backdoor called SYNful Knock for long-term access.
First reported: 20.08.2025 22:392 sources, 2 articlesShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The group exploits end-of-life devices that are out of support and no longer receive security updates.
First reported: 20.08.2025 22:392 sources, 2 articlesShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
Static Tundra has been using custom tooling to automate attacks against unpatched systems and extract configuration details.
First reported: 20.08.2025 22:392 sources, 2 articlesShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The FBI and Cisco Talos have issued advisories warning about the ongoing campaign.
First reported: 20.08.2025 22:392 sources, 2 articlesShow sources
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The group has targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade.
First reported: 21.08.2025 15:041 source, 1 articleShow sources
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The group has been using custom SNMP tooling to gain persistence on compromised devices and evade detection for years.
First reported: 21.08.2025 15:041 source, 1 articleShow sources
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
-
The threat extends beyond Russia's operations—other state-sponsored actors are likely conducting similar network device compromise campaigns.
First reported: 21.08.2025 15:041 source, 1 articleShow sources
- FBI warns of Russian hackers exploiting 7-year-old Cisco flaw — www.bleepingcomputer.com — 21.08.2025 15:04
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.