Static Tundra Cisco IOS/IOS XE persistent-access espionage campaign
Campaign
Summary
A Static Tundra espionage campaign is actively exploiting CVE-2018-0171 in Cisco IOS and Cisco IOS XE to gain persistent access to telecommunications, higher education, manufacturing, and critical-infrastructure-linked networks. The activity spans North America, Asia, Africa, and Europe, and victims are selected for their strategic value to Russian interests. Once inside, operators collect device configuration data, alter settings to preserve access, and build traffic-capture paths for follow-on use. The result is a long-lived foothold that can support reconnaissance and future intelligence collection.
Related Happenings
Pro-Russia hacktivist OT intrusion campaign against US critical infrastructure
Campaign
First: 10.12.2025 18:00
Last: 10.12.2025 18:00
Sources 1
About this happening:
A coordinated **pro-Russia hacktivist** campaign is exploiting exposed **virtual network computing** connections and weak passwords to breach **operational technology (OT)** syste...
Pro-Russia hacktivist groups campaign expands across multiple victims
Campaign
First: 09.12.2025 14:00
Last: 09.12.2025 14:00
Sources 1
About this happening:
A sustained **pro-Russia hacktivist** campaign is targeting **U.S. and global critical infrastructure**, raising disruption risk across **OT** and **SCADA** environments. The oper...
Nimbus Manticore Western Europe critical infrastructure targeting campaign
Campaign
First: 23.09.2025 00:00
Last: 23.09.2025 00:00
Sources 1
About this happening:
The **Nimbus Manticore** campaign now targets **critical infrastructure** in **Western Europe**, expanding the group's reach beyond the Middle East and increasing the risk of cred...
Salt Typhoon persistent espionage campaign targeting global networks
Campaign
First: 28.08.2025 17:04
Last: 28.08.2025 17:04
Sources 1
About this happening:
**Salt Typhoon** remains a **persistent espionage campaign** with **multi-year infrastructure** now traced back to **May 2020**. A new analysis found **45 previously unreported do...
Static Tundra Cisco CVE-2018-0171 active exploitation wave
Exploitation Wave
First: 21.08.2025 15:04
Last: 21.08.2025 15:04
Sources 1
How related:
Cisco Talos, the company's cybersecurity division, said that the Russian threat group it tracks as Static Tundra has been aggressively exploiting CVE-2018-0171 in this campaign to compromise unpatched devices belonging to telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe.
About this happening:
**Static Tundra** is an ongoing **exploitation wave** against **CVE-2018-0171** in **end-of-life Cisco networking devices**, using the weakness to reach **U.S. critical infrastruc...
Timeline
20.08.2025 18:59 · 1 article
Static Tundra exploits Cisco IOS and IOS XE devices
Initial Disclosure
Cisco Talos and the FBI warned that Static Tundra, a Russian FSB-linked cyber-espionage group, is actively exploiting CVE-2018-0171 in Cisco IOS and Cisco IOS XE on unpatched and often end-of-life networking devices to establish persistent access, collect configuration files, modify TACACS+ settings, deploy SYNful Knock, and exfiltrate NetFlow data from telecommunications, higher education, manufacturing, and other critical infrastructure-linked organizations across North America, Asia, Africa and Europe. Cisco also updated its advisory for CVE-2018-0171 and urged customers to apply the patch or disable Smart Install if patching is not an option.
Sources:
- FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage — thehackernews.com — 20.08.2025 18:59