Russian Hackers Target SA! Is Your Network Device Vulnerable?

South African organisations are urged to check their network devices after warnings from the FBI and Cisco about Russian state-sponsored hackers. The group, known as Static Tundra, has been actively exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco IOS software's Smart Install feature to compromise unpatched and end-of-life network devices.

This vulnerability allows attackers to steal configuration data and establish persistent access to systems. The primary targets include organisations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe, with victims selected based on their strategic interest to the Russian government.

What is Static Tundra Doing?

Static Tundra, linked to the Russian Federal Security Service’s (FSB) Center 16 unit, has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations. They employ sophisticated persistence techniques, including the SYNful Knock firmware implant and bespoke SNMP tooling, to maintain undetected access for multiple years.

The Threat Extends Beyond Russia

Cisco researchers warn that other state-sponsored actors are likely conducting similar network device compromise campaigns. This makes comprehensive patching and security hardening critical for all organisations, especially in sectors like critical infrastructure.

What You Need To Do Now

The FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. This highlights the severity of the situation and the need for immediate action.

  • Patch Immediately: Apply the patch for CVE-2018-0171.
  • Disable Smart Install: If patching isn't an option, disable Smart Install as indicated in the advisory.
  • Check End-of-Life Devices: Ensure all devices, especially those nearing or at end-of-life, are properly secured.
  • Contact Support: Initiate a TAC request for customer support if needed.
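Steps one to three above come down to an inventory question: which devices on the network still have Smart Install enabled? The following Python helper is an added example (not from the article, the FBI, or Cisco) that triages `show running-config` and, where collected, `show vstack config` text that an operator has already pulled from each device, and lists the hosts that still need the patch or the `no vstack` hardening step. It assumes that `no vstack` in the running configuration is the disabling command, that `show vstack config` prints a status line of the form `Role: Client (SmartInstall enabled|disabled)`, and that Smart Install client mode is on by default on capable switches; the sample device output is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DeviceStatus:
    hostname: str
    smart_install_disabled: bool
    reason: str


def parse_hostname(running_config: str) -> str:
    """Pull the hostname line out of a running-config; 'unknown' if absent."""
    match = re.search(r"^hostname\s+(\S+)", running_config, re.MULTILINE)
    return match.group(1) if match else "unknown"


def smart_install_status(running_config: str,
                         vstack_config: Optional[str] = None) -> DeviceStatus:
    """Classify one device from its collected CLI output."""
    hostname = parse_hostname(running_config)

    # An explicit 'no vstack' line is the hardening step: Smart Install is off.
    if re.search(r"^no vstack\s*$", running_config, re.MULTILINE):
        return DeviceStatus(hostname, True, "running-config contains 'no vstack'")

    # If 'show vstack config' output was collected, trust its explicit status line.
    # Assumed output format: "Role: Client (SmartInstall enabled|disabled)".
    if vstack_config is not None:
        if re.search(r"SmartInstall\s+disabled", vstack_config, re.IGNORECASE):
            return DeviceStatus(hostname, True,
                                "'show vstack config' reports SmartInstall disabled")
        if re.search(r"SmartInstall\s+enabled", vstack_config, re.IGNORECASE):
            return DeviceStatus(hostname, False,
                                "'show vstack config' reports SmartInstall enabled")

    # Smart Install client mode is on by default on capable switches (assumed),
    # so a config without 'no vstack' is treated as exposed until proven otherwise.
    return DeviceStatus(hostname, False,
                        "no 'no vstack' line; Smart Install assumed enabled by default")


def devices_needing_hardening(
        collected: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Return hostnames whose Smart Install is still enabled, sorted for reporting."""
    flagged = []
    for running_config, vstack_config in collected.values():
        status = smart_install_status(running_config, vstack_config)
        if not status.smart_install_disabled:
            flagged.append(status.hostname)
    return sorted(flagged)


# Constructed sample output keyed by management address; not from any real device.
SAMPLE_DEVICES: Dict[str, Tuple[str, Optional[str]]] = {
    "10.0.0.1": (
        "hostname core-sw1\n!\nno vstack\n!\ninterface Vlan1\n",
        None,
    ),
    "10.0.0.2": (
        "hostname access-sw2\n!\ninterface Vlan1\n",
        "Role: Client (SmartInstall enabled)\nVstack Director IP address: 0.0.0.0\n",
    ),
    "10.0.0.3": (
        "hostname access-sw3\n!\ninterface Vlan1\n",
        None,
    ),
}

if __name__ == "__main__":
    for host in devices_needing_hardening(SAMPLE_DEVICES):
        print(f"{host}: Smart Install still enabled; apply the patch or 'no vstack'")
```

The conservative default (no explicit `no vstack` means "exposed") is deliberate: on an end-of-life switch that will never receive the patch, disabling Smart Install is the only mitigation available, so the report should err towards listing such devices rather than silently passing them.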

Don't become a victim. Secure your network today!
