The Federal Bureau of Investigation (FBI) has warned that hackers linked to Russia’s Federal Security Service (FSB) are targeting critical infrastructure organizations in attacks exploiting a 7-year-old vulnerability in Cisco devices.
The FBI’s public service announcement states that the state-backed hacking group, linked to the FSB’s Center 16 unit and tracked as Berserk Bear (also known as Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team), has been targeting Cisco networking devices using CVE-2018-0171 exploits to breach organizations worldwide.
Successful exploitation of CVE-2018-0171, a critical vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software, can allow unauthenticated threat actors to remotely trigger a reload of unpatched devices, potentially resulting in a denial-of-service (DoS) condition or enabling the attackers to execute arbitrary code on the targeted device.
“In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices,” the FBI said.
“The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.”
The same hacking group has previously targeted the networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade.
Admins urged to patch as soon as possible
Cisco, which first detected attacks targeting the CVE-2018-0171 flaw in November 2021, updated its advisory on Wednesday, urging administrators to secure their devices against ongoing attacks as soon as possible.
Cisco Talos, the company’s cybersecurity division, said that the Russian threat group it tracks as Static Tundra has been aggressively exploiting CVE-2018-0171 in this campaign to compromise unpatched devices belonging to telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe.
The attackers were also observed using custom SNMP tooling that enables them to gain persistence on compromised devices and evade detection for years, as well as the SYNful Knock firmware implant, first spotted in 2015 by FireEye.
“The threat extends beyond Russia’s operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations,” Cisco Talos added.
“Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled.”
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.