Full Report
The Federal Bureau of Investigation (FBI) has warned that hackers linked to Russia's Federal Security Service (FSB) are targeting critical infrastructure organizations in attacks exploiting a 7-year-old vulnerability in Cisco devices. [...]
Analysis Summary
# Threat Actor: Berserk Bear (Static Tundra)
## Attribution & Identity
* **Attribution:** Linked to Russia's Federal Security Service (FSB), specifically the FSB's Center 16 unit.
* **Aliases:** Blue Kraken, Crouching Yeti, Dragonfly, Koala Team, and Static Tundra (Cisco Talos tracking name).
## Activity Summary
Over the past year the actor has targeted critical infrastructure organizations worldwide by exploiting CVE-2018-0171, a 2018 Smart Install vulnerability in Cisco IOS and IOS XE that remains exploitable on devices that were never patched or have reached end of life. Detected activities include:
1. Collecting configuration files for thousands of networking devices belonging to US critical infrastructure entities.
2. Modifying configuration files on vulnerable devices to enable unauthorized access.
3. Conducting reconnaissance on victim networks, specifically showing interest in protocols and applications associated with Industrial Control Systems (ICS).
Historically, the group has targeted US State, Local, Territorial, and Tribal (SLTT) government organizations and aviation entities over the last decade.
## Tactics, Techniques & Procedures
* **Exploitation:** Exploiting CVE-2018-0171, a critical flaw in the Smart Install client of Cisco IOS and IOS XE (listening on TCP/4786) that lets an unauthenticated remote attacker reload the device (DoS) or execute arbitrary code. Cisco fixed it in March 2018; the campaign depends on devices that were never updated.
* **Configuration Manipulation:** Modifying device configuration files to maintain unauthorized access.
* **Persistence/Evasion:** Using custom SNMP tooling to keep access to compromised devices and pull configuration data, which has let the group remain undetected on some networks for years.
* **Implants:** Deploying SYNful Knock, a modified Cisco IOS image implant first reported in 2015 that survives reboots and is activated by specially crafted TCP packets.
* **Reconnaissance:** Performing network reconnaissance focusing on ICS protocols.
* **MITRE ATT&CK IDs (Implied/Associated):** The report lists no IDs. The described activity maps most naturally to Exploit Public-Facing Application (T1190) for initial access through Smart Install, Network Device Configuration Dump (T1602.002) for the config collection, Patch System Image (T1601.001) for SYNful Knock, and Traffic Signaling (T1205) for the implant's packet-triggered activation. This mapping is inferred from the activity, not stated in the source.
## Targeting
* **Sectors:** Critical Infrastructure (general), Telecommunications, Higher Education, Manufacturing, US State, Local, Territorial, and Tribal (SLTT) government organizations, and Aviation entities.
* **Geography:** Worldwide, observed targeting entities in North America, Asia, Africa, and Europe.
* **Victims:** Organizations running unpatched Cisco IOS/IOS XE devices with the Smart Install client enabled and reachable from the attacker's vantage point.
## Tools & Infrastructure
* **Malware families used:** SYNful Knock firmware implant.
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the summary, beyond the exploitation of Cisco device features.
## Implications
This actor poses a significant, persistent threat to the confidentiality and operational integrity of critical infrastructure sectors globally. Reliance on a 7-year-old vulnerability (CVE-2018-0171) shows a deliberate focus on widely deployed, often neglected legacy hardware that defenders rarely patch or monitor. Routers and switches sit on the path to everything behind them, so long-lived implants such as SYNful Knock, combined with reconnaissance of ICS protocols, give the actor both durable covert access to operational networks and the ability to disrupt them when it chooses.
## Mitigations
* Patch Cisco IOS and IOS XE devices against CVE-2018-0171. Where a device is end-of-life and no fixed release exists, replace it or, at minimum, disable Smart Install as below.
* Disable the Smart Install client (`no vstack` in global configuration) wherever it is not strictly required, confirm with `show vstack config`, and block TCP/4786 at network boundaries.
* Harden network devices beyond this one CVE: restrict SNMP to management sources with access lists, prefer SNMPv3 with authentication and privacy over v1/v2c community strings, remove read-write communities, and allow only SSH (not Telnet) for management access.
* Monitor for the persistence mechanisms described above: SNMP writes from unexpected sources or unfamiliar SNMP clients, configuration changes with no matching change record, and configuration files leaving devices unexpectedly. Verify running IOS images against Cisco's published hashes to detect implants such as SYNful Knock.
* Assume other state-sponsored actors run similar network-device campaigns; the hardening above applies regardless of attribution.
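As an added example (not part of the original report, and not Cisco or Talos tooling), the following Python audits saved IOS running-configs for the exposures the mitigations above target, and diffs a freshly pulled config against a known-good baseline to surface the kind of unauthorized-access changes described under Configuration Manipulation. The three sample configurations are constructed for this example; the hostname, ACL name, account name and community strings are invented. The Smart Install check is a heuristic (absence of an explicit `no vstack` line); `show vstack config` on the device is authoritative.

```python
import re

# Constructed sample (not from any real device): a switch left at defaults,
# Smart Install client on, default community strings, Telnet still enabled.
VULNERABLE_CONFIG = """\
hostname core-sw1
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed sample of the same device after hardening: Smart Install
# explicitly disabled, SNMPv3-only group bound to a management ACL, SSH only.
HARDENED_CONFIG = """\
hostname core-sw1
!
no vstack
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
snmp-server group NMS v3 priv access MGMT-ONLY
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
end
"""

# Constructed sample of the hardened device after tampering of the kind the
# report describes: Smart Install re-enabled, RW community and local admin added.
TAMPERED_CONFIG = """\
hostname core-sw1
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
snmp-server group NMS v3 priv access MGMT-ONLY
snmp-server community s3cr3t RW
!
username svc-backup privilege 15 secret 0 Constructed-Example-Only
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
end
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
# snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?"
    r"(?:\s+ipv6\s+\S+)?(?:\s+(\S+))?$", re.I)
# Commands whose appearance in a config diff most often means new or wider access.
ACCESS_RE = re.compile(
    r"^(username|enable (secret|password)|snmp-server community|ip access-list|"
    r"permit|access-class|transport input|vstack)\b")


def audit_ios_config(config_text):
    """Return [(severity, message)] for the exposures the campaign relied on."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    stripped = [l.strip() for l in lines]
    findings = []
    # The Smart Install client is on by default and the running-config only
    # records 'no vstack' when it has been turned off, so a missing line is the
    # finding (heuristic; 'show vstack config' on the device is authoritative).
    if "no vstack" not in stripped:
        findings.append(("high", "Smart Install not disabled: TCP/4786 exposed to CVE-2018-0171"))
    for l in stripped:
        m = COMMUNITY_RE.match(l)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default SNMP community {community!r}"))
        if mode == "RW":
            findings.append(("high", f"SNMP community {community!r} is read-write (config changes over SNMP)"))
        if acl is None:
            findings.append(("medium", f"SNMP community {community!r} has no source access-list"))
    in_vty = False  # track the indented block under 'line vty ...'
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and not l.startswith(" "):
            in_vty = False
        elif in_vty and "transport input" in l and "telnet" in l:
            findings.append(("medium", "Telnet permitted on vty lines"))
    return findings


def config_drift(baseline_text, current_text):
    """Order-insensitive diff of a pulled config against a known-good baseline,
    comments dropped, with the access-granting additions pulled out."""
    def norm(text):
        return {l.strip() for l in text.splitlines()
                if l.strip() and not l.strip().startswith("!")}
    base, cur = norm(baseline_text), norm(current_text)
    added, removed = sorted(cur - base), sorted(base - cur)
    return {
        "added": added,
        "removed": removed,
        "suspicious_added": [l for l in added if ACCESS_RE.match(l)],
        # Deleting 'no vstack' silently turns the Smart Install client back on.
        "smart_install_reenabled": "no vstack" in removed,
    }


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg))
    print(config_drift(HARDENED_CONFIG, TAMPERED_CONFIG))
```

Run against configs pulled on a schedule, the drift check is what catches the campaign's second stage: a new `username` or read-write community, or the disappearance of `no vstack`, with no change record behind it. The set-based diff deliberately ignores ordering and `!` separators so that cosmetic differences between pulls do not drown out real changes; it does lose which ACL a bare `permit` line belongs to, so treat those hits as a prompt to look at the full config.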