Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure
Summary
Hide ▲
Show ▼
Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.
Timeline
-
04.09.2025 15:25 1 articles · 25d ago
FSB Officers Target Energy Sector in Dragonfly Campaign
The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three FSB officers allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.
Show sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
03.09.2025 22:01 2 articles · 26d ago
U.S. Offers $10 Million Bounty for Information on Russian FSB Hackers
The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. The three FSB officers were indicted in the US in August 2021 with charges of computer fraud and abuse, wire fraud, and aggravated identity theft.
Show sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
25.08.2025 15:17 3 articles · 1mo ago
Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure
The attacks have targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, were indicted in the US in August 2021 with charges of computer fraud and abuse, wire fraud, and aggravated identity theft.
Show sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
Information Snippets
-
Static Tundra has been exploiting CVE-2018-0171 in Cisco networking devices since at least August 2024.
First reported: 25.08.2025 15:172 sources, 2 articlesShow sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The attacks have targeted organizations in the manufacturing, telecommunications, and higher education sectors.
First reported: 25.08.2025 15:172 sources, 2 articlesShow sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The attackers use stolen SNMP credentials to control compromised devices, allowing them to run commands, change settings, and steal configurations.
First reported: 25.08.2025 15:172 sources, 2 articlesShow sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The attackers create new local user accounts and enable remote access services like Telnet to maintain access.
First reported: 25.08.2025 15:172 sources, 2 articlesShow sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The attacks have compromised thousands of devices, highlighting the persistent threat of unpatched vulnerabilities.
First reported: 25.08.2025 15:172 sources, 2 articlesShow sources
- ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More — thehackernews.com — 25.08.2025 15:17
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The U.S. Department of State is offering a reward of up to $10 million for information on three Russian FSB officers involved in cyberattacks targeting U.S. critical infrastructure organizations.
First reported: 03.09.2025 22:012 sources, 2 articlesShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB's Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team.
First reported: 03.09.2025 22:012 sources, 2 articlesShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
The FSB officers targeted more than 500 foreign energy companies in 135 other countries.
First reported: 03.09.2025 22:012 sources, 2 articlesShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
The FBI warned in August that the hackers exploited the CVE-2018-0171 vulnerability in end-of-life Cisco networking devices over the past year to breach companies across U.S. critical infrastructure sectors.
First reported: 03.09.2025 22:012 sources, 2 articlesShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
Cisco first detected CVE-2018-0171 attacks almost four years ago, in November 2021.
First reported: 03.09.2025 22:011 source, 1 articleShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The Russian threat group has been aggressively exploiting this security vulnerability to breach unpatched devices belonging to telecommunications, higher education, and manufacturing organizations across North America, Europe, Asia, and Africa.
First reported: 03.09.2025 22:011 source, 1 articleShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The same Russian threat group is known for attacking U.S. state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade.
First reported: 03.09.2025 22:011 source, 1 articleShow sources
- US offers $10 million bounty for info on Russian FSB hackers — www.bleepingcomputer.com — 03.09.2025 22:01
-
The three FSB officers targeted more than 380 foreign energy-sector companies in 135 countries.
First reported: 04.09.2025 15:251 source, 1 articleShow sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies.
First reported: 04.09.2025 15:251 source, 1 articleShow sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
In August 2021, Akulov, Gavrilov, and Tyukov were indicted in the US with substantive charges of computer fraud and abuse, wire fraud, and aggravated identity theft.
First reported: 04.09.2025 15:251 source, 1 articleShow sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware, through supply chain compromise.
First reported: 04.09.2025 15:251 source, 1 articleShow sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
-
In the second phase of the campaign, referred to as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.
First reported: 04.09.2025 15:251 source, 1 articleShow sources
- US Offers $10 Million for Three Russian Energy Firm Hackers — www.securityweek.com — 04.09.2025 15:25
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.
Crypto fraud ring dismantled by European authorities
A joint operation by European law enforcement agencies has dismantled a cryptocurrency investment fraud ring that defrauded over 100 victims of €100 million ($118 million). The operation, coordinated by Eurojust and supported by Europol, involved authorities from Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania. The ring operated since at least 2018, targeting investors across 23 countries, including France, Germany, Italy, and Spain. The fraudsters used professionally designed online platforms to promise high returns on cryptocurrency investments. Funds were funneled into bank accounts in Lithuania, and victims were charged additional fees to recover their assets. The fraudulent websites eventually went offline, leaving investors with significant losses. Five suspects were arrested, and bank accounts and financial assets were frozen during the operation. The main perpetrator has been accused of large-scale fraud and money laundering.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.