PaymentsJournal

Russian Hackers Infiltrate Old, Unpatched Systems

By Tom Nawrocki
August 21, 2025
in Analysts Coverage, Fraud & Security

The FBI has issued a warning about Russian hackers who have been infiltrating thousands of networking devices associated with critical infrastructure IT systems. The gang has been leveraging a vulnerability in older Cisco software in its attacks.

Cisco Talos, Cisco’s threat intelligence organization, said the group attacked organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Rather than issuing ransomware demands, the hackers chose victims based on their “strategic interest” to Russia.

According to the Cisco Talos blog, the hacking group is Static Tundra, a Russian state-sponsored cyber espionage group that supports Russia’s long-term intrusion campaigns into organizations of strategic interest to the government. Their goal is to extract “device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government.”

“Attacks from Russia are nothing new, but critical infrastructure is at heightened risk during times of geopolitical unrest, especially from adversaries such as Russia, Iran, and China,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Recent negotiations between Russia and the U.S., as part of efforts to end the war in Ukraine, could tip the cybersecurity scales in either direction, meaning critical infrastructure industries, like the industrial and financial sectors, in particular, should be on heightened alert.”

Long-Term Missions

The investigation into the intrusions shows how long-term the group's plans were. Static Tundra has been around for more than a decade and has maintained access to its targets for years without detection.

In the recently discovered attacks, the hackers would modify configuration files to enable unauthorized access to those devices, then use that access to conduct reconnaissance in the victim networks. They seemed to be especially interested in protocols and applications associated with industrial control systems.

Exploiting Old Vulnerabilities

To get this access, the hackers exploited a seven-year-old vulnerability in Cisco IOS software. Although the vulnerability was detected and resolved years ago, the group targeted unpatched and end-of-life network devices to steal configuration data and establish persistent access.

“Most of the vulnerabilities exploited by cyber adversaries, such as Russia, are easily mitigated via the adoption and enforcement of zero-trust policies and regular network and software vulnerability testing and patching,” Goldberg said. “Financial institutions, in particular, should be using the third and fourth quarters of 2025 to revisit and test their disaster-recovery planning playbooks, to ensure cyberthreat response is adequately addressed.”

Tags: Cisco, Cybersecurity, FBI, hackers, Russia
