A new report from Cisco Talos Intelligence reveals that a Russian state-sponsored espionage group, tracked as Static Tundra, has been systematically exploiting network devices worldwide for more than a decade. Talos links the group to Center 16 of Russia's Federal Security Service (FSB). It has maintained long-term, undetected access to its victims' systems by exploiting CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and IOS XE software.

It looks like a movie, but it’s true

Although the vulnerability, which allows an unauthenticated remote attacker to execute arbitrary code on affected devices, was patched when it was disclosed in 2018, many organizations still run outdated or unpatched devices, in many cases hardware that has reached end of life and no longer receives fixes. This has allowed the attackers to access and steal sensitive data from organizations in sectors including telecommunications, higher education, and manufacturing, across North America, Asia, Africa, and Europe.

Researchers assess that Static Tundra has built automated tooling to exploit the flaw at scale, selecting targets from publicly available internet-scan data such as that published by Shodan or Censys. Once the group gains initial access to a network, it extracts the device configurations; a Cisco running configuration typically contains credentials (local account password hashes, SNMP community strings) and other details that make later intrusions easier.
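The exploitation path described above hinges on Cisco's Smart Install feature, the component CVE-2018-0171 affects, which listens on TCP port 4786. As an added example (not code from the Talos report or from Cisco), the Python below parses the output of the IOS `show vstack config` command to tell whether Smart Install is enabled, and can optionally probe a management address for an open TCP/4786 port. The sample command outputs are constructed for the example and modelled on the wording Cisco's advisory cites; the function names, verdict strings and `assess` helper are the example's own.

```python
"""Smart Install exposure triage (added example; not from the Talos report or Cisco).

CVE-2018-0171 is in Cisco's Smart Install feature, which listens on TCP/4786.
Two cheap checks a network team can run:
  1. parse `show vstack config` output captured from a device, and
  2. probe a management address for an open TCP/4786 port.
The device outputs below are constructed for this example.
"""
import re
import socket
from typing import Optional

SMART_INSTALL_PORT = 4786  # Cisco Smart Install director/client port

# Constructed samples. The "Role:" line of `show vstack config` states whether
# Smart Install is enabled (this is the line Cisco's advisory tells admins to check).
VSTACK_ENABLED = """ Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0

 *** Following configurations will be effective only on director ***
 Vstack default management vlan: 1
 Vstack start-up management vlan: 1
 Vstack management Vlans: none
 Vstack Config file: tftp://0.0.0.0/
 Vstack Image file: tftp://0.0.0.0/
"""

VSTACK_DISABLED = """ Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0
"""

# Constructed: what a device reports after `no vstack` has been applied.
VSTACK_NOT_SUPPORTED = """ Role: NA (SmartInstall disabled)
"""

ROLE_RE = re.compile(
    r"^\s*Role:\s*(?P<role>\S+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
    re.IGNORECASE | re.MULTILINE,
)


def smart_install_enabled(show_vstack_output: str) -> Optional[bool]:
    """Return True/False for the SmartInstall state in `show vstack config` output,
    or None if the expected Role line is missing (unsupported platform, or a
    truncated capture)."""
    m = ROLE_RE.search(show_vstack_output)
    if not m:
        return None
    return m.group("state").lower() == "enabled"


def smart_install_port_open(host: str, port: int = SMART_INSTALL_PORT,
                            timeout: float = 2.0) -> bool:
    """TCP connect probe. True means something accepted a connection on the
    Smart Install port; that shows exposure, not that the device is vulnerable.
    Only probe devices you are authorized to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(show_vstack_output: str, port_open: Optional[bool] = None) -> str:
    """Combine the config check with an optional port-probe result into a verdict."""
    state = smart_install_enabled(show_vstack_output)
    if state is True:
        return ("EXPOSED: Smart Install enabled; upgrade to fixed IOS/IOS XE and "
                "apply `no vstack` if the feature is not needed")
    if state is False and port_open:
        return "INVESTIGATE: config reports disabled but TCP/4786 accepted a connection"
    if state is False:
        return "OK: Smart Install disabled"
    return "UNKNOWN: Role line not found; recapture `show vstack config`"


if __name__ == "__main__":
    for name, sample in [("enabled", VSTACK_ENABLED),
                         ("disabled", VSTACK_DISABLED),
                         ("no vstack", VSTACK_NOT_SUPPORTED)]:
        print(f"{name}: {assess(sample)}")
```

Feed the parser real `show vstack config` captures collected by whatever you already use for configuration backups; the port probe is a sanity check for management interfaces reachable from the internet, which is exactly what Shodan-style scan data reveals to an attacker. A device running a fixed IOS release with Smart Install still enabled is no longer exploitable by CVE-2018-0171, but `no vstack` removes the listener entirely and is the safer default on devices that never use the feature.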

Since the start of the war between Russia and Ukraine, the group has intensified its operations against Ukrainian entities, choosing victims in line with Russia's strategic interests. According to the report, Static Tundra's targeting has shifted from selective, limited engagements to broader operations across multiple sectors within Ukraine.

The Static Tundra campaign underscores persistent weaknesses in network-infrastructure security and raises concerns about patch management and device lifecycle in organizations: a seven-year-old, patched vulnerability remains a working entry point because the affected devices were never updated or replaced. Specialists also warn that this activity is not unique to Static Tundra, since other state actors also seek access to network devices, which reinforces the need for constant vigilance over this part of the estate.