APT28, a state-sponsored hacking group operated by Russian military intelligence, is exploiting a six-year-old vulnerability in Cisco routers to deploy malware and carry out surveillance, according to the U.S. and U.K. governments.
In a joint advisory issued on Tuesday, U.S. cybersecurity agency CISA along with the FBI, the NSA and the U.K.’s National Cyber Security Center detail how the Russia-backed hackers exploited Cisco router vulnerabilities throughout 2021 with the aim of targeting European organizations and U.S. government institutions. The advisory said the hackers also hacked “approximately 250 Ukrainian victims,” which the agencies did not name.
APT28, also known as Fancy Bear, is known for carrying out a range of cyberattacks, espionage and hack-and-leak information operations on behalf of the Russian government.
According to the joint advisory, the hackers exploited a remotely exploitable vulnerability patched by Cisco in 2017 to deploy a custom-built malware dubbed “Jaguar Tooth,” which is designed to infect unpatched routers.
To install the malware, the threat actors scan for internet-facing Cisco routers using a default or easy-to-guess SNMP community string.
SNMP, or Simple Network Management Protocol, allows network administrators to remotely access and configure routers in place of a username or password, but can also be misused to obtain sensitive network information.
Once installed, the malware exfiltrates information from the router and provides stealthy backdoor access to the device, the agencies said.
Matt Olney, director of threat intelligence at Cisco Talos, said in a blog post this campaign is an example of “a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.”
“Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally,” Olney said.
Olney added that in addition to Russia, China has also been spotted attacking network equipment in several campaigns.
Earlier this year, Mandiant reported that Chinese state-backed attackers exploited a zero-day vulnerability in Fortinet devices to carry out a series of attacks on government organizations.