Russian state-sponsored hacking group APT28, also known as Fancy Bear, has been exploiting a six-year-old vulnerability in Cisco routers to carry out surveillance and deploy malware, according to a joint advisory by the U.S. cybersecurity agency CISA, the FBI, the NSA, and the U.K.’s National Cyber Security Center. The group has targeted European organizations, US government institutions, and Ukrainian victims through a remotely exploitable vulnerability that Cisco patched in 2017.
The hackers are using custom-built malware called “Jaguar Tooth,” which is designed to infect unpatched routers. The threat actors scan for internet-facing Cisco routers that still use default or easy-to-guess SNMP community strings; a community string is the only credential that SNMP versions 1 and 2c require, so a guessable one lets them query and reconfigure the router through the Simple Network Management Protocol (SNMP) without any username or password. Once installed, the malware exfiltrates information from the router and provides stealthy backdoor access to the device.
The campaign is part of a broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or to pre-position for future destructive activity. Cisco Talos, Cisco’s threat intelligence team, says it is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure, which state-sponsored actors around the world are targeting. China has also been spotted attacking network equipment in several campaigns, according to Olney.
It is not yet clear how many organizations have been affected by APT28’s exploitation of the Cisco vulnerability, but the US and UK government agencies warn that this is a serious and ongoing threat. Network administrators should apply the latest security patches to all routers and replace default or weak SNMP community strings with strong ones to prevent unauthorized access to their networks. Organizations should also consider implementing security solutions that provide advanced protection for their network infrastructure.
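As an added illustration of the hardening advice above (example code written for this article, not from the advisory or from Cisco), the following script audits the `snmp-server community` lines of a Cisco IOS running configuration and flags the weaknesses the campaign relies on: well-known or short community strings, read-write access over SNMPv1/v2c, and community strings not restricted by an access list. The sample configuration and the list of well-known strings are constructed for the example.

```python
import re

# Community strings that ship as defaults or appear in common wordlists
# (constructed, illustrative list for this example, not exhaustive).
WELL_KNOWN = {"public", "private", "cisco", "admin", "snmp", "community"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$"
)
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv\b")

# Constructed sample of a partial IOS running-config.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9#mP2qLv7!rT RO 10
snmp-server group NETMON v3 priv
"""


def audit_snmp_config(config_text: str) -> list[dict]:
    """Return one finding per weak `snmp-server community` line."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, acl = m.group("name"), m.group("acl")
        mode = m.group("mode") or "RO"  # IOS defaults to read-only
        reasons = []
        if name.lower() in WELL_KNOWN:
            reasons.append("default or well-known community string")
        if len(name) < 12:
            reasons.append("community string shorter than 12 characters")
        if mode == "RW":
            reasons.append("read-write access over SNMPv1/v2c")
        if acl is None:
            reasons.append("no access list restricting SNMP sources")
        if reasons:
            findings.append({"community": name, "mode": mode, "reasons": reasons})
    return findings


def has_snmpv3_priv(config_text: str) -> bool:
    """True if at least one SNMPv3 group requires authentication and encryption."""
    return any(V3_PRIV_RE.match(l.strip()) for l in config_text.splitlines())


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f["community"], f["mode"], "; ".join(f["reasons"]))
    print("SNMPv3 authPriv configured:", has_snmpv3_priv(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file; any flagged community should be removed or rotated, restricted with an ACL, and ideally replaced by SNMPv3 with authentication and privacy.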