Overview
- Over the past year, the FBI detected the collection of configuration files from thousands of networking devices tied to U.S. critical infrastructure entities.
- Intrusions leverage CVE-2018-0171 in Cisco Smart Install to enable code execution or device reloads, frequently alongside legacy SNMP on outdated hardware.
- Cisco Talos attributes the activity to Static Tundra, linked to the FSB’s Center 16, with past use of custom implants such as the SYNful Knock router malware.
- Targets span telecommunications, higher education, and manufacturing across North America, Europe, Asia, and Africa, with escalated operations against Ukraine since 2022.
- Researchers detail automated internet scanning, config tampering for persistence, and exfiltration via TFTP/FTP and GRE tunnels, warning that other state actors likely run similar operations.
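The hardening and detection points above (Smart Install left enabled, legacy SNMP community strings, GRE tunnels and TFTP/FTP client settings used for staging config exfiltration) can be checked offline against a saved running-config. The following is an added example, not code from Cisco Talos, the FBI advisory or any vendor tool; it assumes Cisco IOS-style config syntax, and the sample config and the pattern set are constructed for illustration.

```python
import re
# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
snmp-server community netops RW
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.50
 tunnel mode gre ip
!
ip ftp username backup
ip tftp source-interface GigabitEthernet0/1
!
end
"""

def _blocks(lines):
    """Yield (header, indented_body_lines) for each top-level IOS config block."""
    header, body = None, []
    for ln in lines + ["!"]:
        if ln.startswith(" ") and header is not None:
            body.append(ln.strip())
        else:
            if header is not None:
                yield header, body
            header, body = (ln if not ln.startswith("!") else None), []

def audit_ios_config(config_text):
    """Return (severity, message) findings for a Cisco IOS running-config."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    findings = []
    if "no vstack" not in (ln.strip() for ln in lines):  # only an explicit 'no vstack' disables Smart Install
        findings.append(("high", "Smart Install not disabled (add 'no vstack')"))
    for header, body in _blocks(lines):
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", header)
        if m:  # SNMPv1/v2c community strings travel in cleartext; RW or default names are worst
            name, mode = m.group(1), m.group(2) or "RO"
            sev = "high" if mode == "RW" or name.lower() in ("public", "private") else "medium"
            findings.append((sev, f"SNMPv1/v2c community '{name}' ({mode})"))
        elif header.startswith("interface ") and any(b.startswith("tunnel mode gre") for b in body):
            dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination")), "unknown")
            findings.append(("medium", f"GRE tunnel {header.split()[1]} to {dest}; confirm it is expected"))
        elif header.startswith(("ip ftp ", "ip tftp ")):  # file-transfer client settings worth reviewing
            findings.append(("low", f"File-transfer client setting present: '{header}'"))
    return findings
```

Run it over a config pulled from a known-good backup to establish a baseline, then diff the findings against the live config; a newly appearing tunnel or community string is the change worth investigating.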