Static Tundra Cisco device exploitation campaign
Campaign
Summary
Static Tundra's ongoing exploitation of CVE-2018-0171 in unpatched Cisco IOS/IOS XE devices is giving the group durable access to enterprise and critical infrastructure networks in the US and abroad. Over the past year, the operation has collected configuration files from thousands of devices and, on some systems, changed settings to create unauthorized access. Once inside, the operators have used stolen SNMP credentials, enabled Telnet, and pivoted deeper into networks to reach systems used in industrial environments. The campaign is tied to FSB Center 16 and spans sectors including manufacturing, telecommunications, and higher education.
Related Happenings
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources: 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. ...
UAT-8837 campaign targeting North American critical infrastructure for initial access
Campaign
First: 16.01.2026 09:18
Last: 16.01.2026 09:18
Sources: 1
About this happening:
**UAT-8837** is a **China-nexus** campaign targeting **North American critical infrastructure** for **initial access**, with activity reported since **at least 2025**. The actor g...
Cisco SSL VPN and GlobalProtect credential-probing campaign
Campaign
First: 18.12.2025 06:10
Last: 18.12.2025 06:10
Sources: 1
About this happening:
A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...
UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
First: 17.12.2025 20:45
Last: 17.12.2025 20:45
Sources: 1
About this happening:
The **UAT-9686** campaign is actively exploiting **CVE-2025-20393** on **Cisco AsyncOS** email appliances, giving attackers **root command execution** and a foothold for persisten...
FCC Barix radio equipment hardening notice
Advisory/Mitigation
First: 27.11.2025 18:45
Last: 27.11.2025 18:45
Sources: 1
About this happening:
The **FCC** urged **broadcasters using Barix network audio devices** to harden exposed radio transmission paths after hijacking incidents enabled **bogus emergency tones** and off...
Timeline
20.08.2025 22:39 · 1 article
Static Tundra exploitation warning
Initial Disclosure: The FBI and Cisco Talos warned that Static Tundra, linked to Russia's FSB Center 16, is exploiting CVE-2018-0171 in unpatched, end-of-life Cisco IOS and Cisco IOS XE devices to target enterprise and critical infrastructure networks in the US and abroad. Over the past year, the group has collected configuration files from thousands of networking devices used by US critical infrastructure organizations, changed settings on some systems to gain unauthorized access, and pivoted deeper into networks to inspect industrial protocols and applications. Cisco said affected organizations should install the patch or disable Smart Install, and that end-of-life devices may need additional protections.
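The three exposures this campaign relies on (an enabled Smart Install client, SNMP community strings sitting in collected configs, and Telnet on the vty lines) are all visible in a device's running configuration. The following audit script is an added example written for this page; it is not Cisco's, Talos's or the FBI's tooling. It uses the documented IOS commands `no vstack`, `snmp-server community` and `transport input`, but the sample configurations are constructed, the severity labels are this example's own, and treating the absence of `no vstack` as "Smart Install may be enabled" is a heuristic assumption that should be confirmed on the device with `show vstack config`.

```python
"""Audit Cisco IOS/IOS XE running-config text for the exposures described above.

Added example for this page, not vendor or Talos code. The two sample configs
are constructed for illustration. Checks rely on the IOS commands
'no vstack' (disables the Smart Install client), 'snmp-server community',
and 'transport input' under 'line vty'; severity labels are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium" (example's own scale)
    check: str     # short check identifier
    detail: str    # human-readable explanation


def parse_vty_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Return (header, sub-commands) for each 'line vty ...' block.

    IOS config sub-commands are indented by one space under their parent
    command; any unindented line ends the current block.
    """
    blocks: list[tuple[str, list[str]]] = []
    current: tuple[str, list[str]] | None = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        elif raw.strip():
            current = None  # new top-level command (or '!') ends the block
    return blocks


def audit_config(config: str) -> list[Finding]:
    """Flag Smart Install, SNMP and vty-transport weaknesses in one config."""
    findings: list[Finding] = []
    lines = [l.strip() for l in config.splitlines()]

    # 1. Smart Install: CVE-2018-0171 is only reachable while the client runs.
    #    Assumption: if 'no vstack' is absent, the client may still be enabled.
    if "no vstack" not in lines:
        findings.append(Finding("high", "smart-install",
            "'no vstack' not present: Smart Install client may be enabled (CVE-2018-0171)"))

    # 2. SNMP communities: a read-write community in a collected config gives
    #    an attacker configuration control; well-known strings are worse.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", l, re.IGNORECASE)
        if not m:
            continue
        community, mode = m.group(1), (m.group(2) or "RO").upper()
        if mode == "RW":
            findings.append(Finding("high", "snmp-rw", f"read-write community '{community}'"))
        if community.lower() in {"public", "private"}:
            findings.append(Finding("medium", "snmp-default", f"well-known community '{community}'"))

    # 3. VTY transports: Telnet is cleartext; the operators enabled it after access.
    for header, sub in parse_vty_blocks(config):
        transports = [s for s in sub if s.startswith("transport input")]
        if not transports:
            findings.append(Finding("medium", "vty-transport",
                f"{header}: no explicit 'transport input'; set 'transport input ssh'"))
        for t in transports:
            if "telnet" in t or t.endswith(" all"):
                findings.append(Finding("high", "vty-telnet", f"{header}: '{t}'"))
    return findings


# Constructed sample: a switch that has never been hardened.
WEAK_CONFIG = """hostname core-sw1
!
snmp-server community public RO
snmp-server community n3tm0n RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
end
"""

# Constructed sample: same device after applying the mitigations.
HARDENED_CONFIG = """hostname core-sw1
!
no vstack
snmp-server community s3cr3t-ro RO 10
!
line vty 0 15
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg):
            print(f"[{f.severity:6}] {f.check:14} {f.detail}")
```

Run against exported configs from a backup repository rather than live devices; the point is to find the devices that still expose the preconditions this campaign depends on, and to verify after patching or disabling Smart Install that the findings list comes back empty.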
- FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw — www.darkreading.com — 20.08.2025 22:39