News: 1755714014


FBI: Russian spies exploiting a 7-year-old Cisco bug to slurp configs from critical infrastructure

(2025/08/20)


The FBI and security researchers today warned that Russian government spies exploited a seven-year-old bug in end-of-life Cisco networking devices to snoop around in American critical infrastructure networks and collect information on industrial systems.

"In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors," the federal cops [1]said. "On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices."

Both the FBI and Cisco Talos, in separate security alerts, attributed the network intrusions to the Russian Federal Security Service's (FSB) Center 16, aka Static Tundra, Berserk Bear, and Dragonfly.


This particular cyberspy crew has been active for over a decade, targeting outdated networking gear that accepts legacy, unencrypted protocols like Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP). They've also deployed custom malware for some Cisco devices, such as 2015's [3]SYNful Knock router implant.


The latest round of intrusions exploits SNMP in end-of-life gear that some users never got around to patching. There's a super-old critical bug in the Cisco Smart Install feature of Cisco IOS and IOS XE software, tracked as [6]CVE-2018-0171, which the networking giant fixed in March 2018.
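A defender-side check for the two legacy management surfaces the alerts name, Smart Install and SNMPv1/v2c, run over a saved IOS running-config. This is an added example, not code from the FBI, Talos or Cisco; the sample config is constructed, and treating a missing `no vstack` line as Smart Install still being enabled is a conservative heuristic (some IOS images lack the feature entirely).

```python
"""Audit a saved Cisco IOS running-config for Smart Install (SMI) and
SNMPv1/v2c community strings.  Added example with a constructed config."""
import re

# Constructed sample: an older IOS config that still exposes both.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NMS v3 priv
!
end
"""

def smart_install_enabled(config: str) -> bool:
    """Assumption: Smart Install (TCP/4786) stays on unless 'no vstack'
    appears in the global config, the mitigation Cisco's SMI advisory gives.
    Absence is treated as enabled; confirm on-box with 'show vstack config'."""
    return not re.search(r"^no vstack\b", config, re.MULTILINE)

def snmp_v1v2c_communities(config: str) -> list:
    """Return each 'snmp-server community' line as {name, mode, acl}.
    These are plaintext credentials for v1/v2c; v3 is configured through
    'snmp-server group ... v3' and is not flagged.  Simplified syntax:
    'community <string> [RO|RW] [<acl>]'; Cisco's default mode is RO."""
    found = []
    for m in re.finditer(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?",
                         config, re.MULTILINE):
        found.append({"name": m.group(1), "mode": m.group(2) or "RO",
                      "acl": m.group(3)})
    return found

def audit(config: str) -> list:
    """Produce human-readable findings, Smart Install first."""
    findings = []
    if smart_install_enabled(config):
        findings.append("SMI: Smart Install not disabled; add 'no vstack' "
                        "(and patch per cisco-sa-20180328-smi2)")
    for c in snmp_v1v2c_communities(config):
        findings.append(f"SNMP {c['mode']} community {c['name']!r}"
                        + ("" if c["acl"] else " with no ACL"))
        if c["name"].lower() in ("public", "private"):
            findings.append(f"SNMP default community {c['name']!r} in use")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```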

In a statement emailed to The Register, a Cisco spokesperson said the company is aware of ongoing exploitation targeting this flaw.


"We strongly urge customers to immediately upgrade to fixed software versions as outlined in the [8]security advisory and follow our published security best practices," the spokesperson said, directing customers to the FBI's announcement and Cisco Talos blog for additional details.


The ongoing campaign targets telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe, "with victims selected based on their strategic interest to the Russian government," according to Talos researchers Sara McBroom and Brandon White.

"We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government," McBroom and White [13]wrote.

And while both security alerts focus on the FSB's latest round of network intrusions, "many other state-sponsored actors also covet the access these devices afford," the Talos team warned. "Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well." ®




[1] https://www.ic3.gov/PSA/2025/PSA250820


[3] https://www.theregister.com/2015/09/15/compromised_cisco_routers/


[6] https://www.theregister.com/2018/03/29/cisco_critical_ios_bugs/


[8] https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-smi2.html


[13] https://blog.talosintelligence.com/static-tundra/




E2E Encryption

fg_swe

Routers and telephone switches have a long history of being rotten. Never depend on them.

Rather, use a strong cipher:

https://di-fg.de/MinimalesChiffrierSystem.html

Securing Telecom Routers And Switches

fg_swe

In future routers and switches, the entire management interface must be secured by a minimalist cipher end to end, from network management system to network element.

Do NOT use SSL for this. 400kloc and impossible to prove correct.

OpenSSH is much better, but still 80 times too big.

Never expose complex and faulty SNMP, PHP webapps and the like. Lock them behind the minimalist, secure cipher.

As long as we do not have this, prepare for at least three days of telecom network outage. It has already happened to a certain country; it can happen to yours.
