Static Tundra, a cyber espionage group assessed to be sponsored by the Russian state, is actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks have singled out organizations in the telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Victims are chosen based on their "strategic interest" to Russia, the company added, and recent efforts have been directed against Ukraine and its allies since the start of the Russo-Ukrainian war in 2022.
The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS and Cisco IOS XE software that allows an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition.
It is worth noting that the same security flaw is also believed to have been weaponized by the China-linked Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecom providers in late 2024.
Static Tundra, per Talos, is linked to the Federal Security Service's (FSB) Center 16 unit and is assessed to have been operating for over a decade, with a focus on long-term intelligence collection operations. It is believed to be a sub-cluster of another group tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear and Havex.
The U.S. Federal Bureau of Investigation (FBI) said it has observed FSB cyber actors exploiting the Simple Network Management Protocol (SNMP) and end-of-life networking devices running the unpatched Cisco Smart Install (SMI) vulnerability (CVE-2018-0171).
In these attacks, the threat actors were found collecting configuration files for thousands of networking devices associated with U.S. entities in critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on select devices to facilitate unauthorized access.
This foothold is then abused to conduct reconnaissance within the victim network while deploying custom tools such as SYNful Knock, a router implant first documented by Mandiant in September 2015.
“SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network,” the threat intelligence company said at the time. “It is inherently customizable and modular, so it can be updated once it is embedded.”
Another notable aspect of the attacks is the use of SNMP to send commands that download text files from remote servers and append them to the running configuration, enabling additional means of access to the network devices. Defense evasion is achieved by modifying the TACACS+ configuration of the infected appliance to interfere with remote logging.
“Static Tundra is likely to use publicly available scan data from services such as Shodan and Censys to identify systems of interest,” said Talos researchers Sara McBroom and Brandon White. “One of Static Tundra's primary actions on objective is to capture network traffic that is valuable from an intelligence standpoint.”
This is achieved by configuring a Generic Routing Encapsulation (GRE) tunnel that redirects traffic of interest to attacker-controlled infrastructure. The adversary has also been observed collecting and exfiltrating NetFlow data from compromised systems. Harvested data is exfiltrated via outbound TFTP or FTP connections.
Static Tundra's activities primarily focus on unpatched and often end-of-life network devices, with the aim of establishing access to key targets and enabling secondary operations against targets of interest. Once initial access is obtained, the threat actor digs deeper into the environment and compromises additional network devices for long-term access and information gathering.
To mitigate the risk posed by the threat, Cisco advises customers to patch CVE-2018-0171 or disable Smart Install if patching is not an option.
“The purpose of this campaign is to compromise and extract device configuration information, which can be used later based on the strategic goals and interests of the Russian government at the time,” Talos said. “This is demonstrated by Static Tundra's adaptation and shift in operational focus as Russia's priorities have changed over time.”