Dragonfly strikes again: Russian state hackers hijack networks through old Cisco vulnerabilities


Tejaswini Deshmukh
Tejaswini Deshmukh is the contributing editor of RegTech Times, specializing in defense, regulations and technologies. She analyzes military innovations, cybersecurity threats, and geopolitical risks shaping national security. With a Master’s from Pune University, she closely tracks defense policies, sanctions, and enforcement actions. She is also a Certified Sanctions Screening Expert. Her work highlights regulatory challenges in defense technology and global security frameworks. Tejaswini provides sharp insights into emerging threats and compliance in the defense sector.

A Russian state-sponsored cyber group has been targeting computer networks and critical infrastructure globally, including in the United States. The group, known by several names, including Static Tundra, Berserk Bear, and Dragonfly, has been active for over a decade.

Authorities report that the group focuses on old or unpatched network devices, especially Cisco routers and switches. They exploit vulnerabilities such as CVE-2018-0171 in Cisco Smart Install, a weakness that allows attackers to access network devices without authorization. They also use older protocols like SNMP (Simple Network Management Protocol), which are less secure and easier to exploit.

Researchers from Cisco Talos, Sara McBroom and Brandon White, noted that the group collects configuration files from these devices. Configuration files contain important information about how networks operate. Hackers can use these files to gain deeper access to the networks. In some cases, they have modified these configurations to maintain unauthorized access. This lets them explore the network quietly and gather sensitive information without being noticed.


Targets and Methods of Operation

The cyber group has mainly targeted organizations in telecommunications, higher education, and manufacturing sectors. Victims are located in Ukraine, allied countries, and other regions around the world. The group has also shown a pattern of shifting its targets depending on global events.

Once they gain access to a device, the hackers can control it using compromised credentials. They can add hidden user accounts, change access rules, or open new ports to continue their activities. Some of their tools, like the SYNful Knock implant, can remain on a device even after it is restarted. This allows the hackers to return anytime without being detected.


McBroom and White highlighted that the group also gathers network traffic that may be valuable. For instance, they can set up tunnels that redirect specific data to servers under their control. They use this information to monitor the network and identify other devices to target. The hackers often rely on scanning services to find vulnerable devices, and they can carry out these actions quietly using the devices' built-in commands, avoiding detection.

The group also uses SNMP to communicate with compromised devices. This protocol lets them send instructions, extract data, and modify configurations without establishing a traditional connection. By doing so, they can hide their activity and bypass network security rules.

Steps Taken by Organizations to Detect and Prevent Attacks

Authorities recommend several steps for organizations to detect and prevent these attacks. First, network devices should be updated and patched regularly. End-of-life hardware or software should be replaced, as these are common targets for hackers.


Monitoring network activity is also critical. Organizations should check logs for unusual activity, such as gaps in normal logging or unexpected changes in device settings. Devices should be profiled regularly to spot any new open ports or unexpected connections.

Strong access controls are important. Organizations should use complex passwords and multi-factor authentication. Default credentials must be removed, and administrative access should be limited to only necessary personnel. All management and monitoring traffic should be encrypted to protect against unauthorized access.

Centralized configuration management is another key step. By keeping track of all device settings, organizations can quickly detect any unauthorized changes. Tracking authentication, authorization, and command activity helps identify unusual behavior early.
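The monitoring and configuration-management advice above can be turned into a simple drift check. The example below is added here and is not from the article or from Cisco Talos: it compares an approved baseline of an IOS-style configuration against a later snapshot and flags the kinds of changes the article attributes to the group (new local accounts, new SNMP communities, new tunnel interfaces, altered management access rules, and Smart Install left enabled). The sample configurations and all names in them are constructed for illustration.

```python
import re

# Objects the article says the actors add or alter on compromised devices.
WATCHED = {
    "local user": re.compile(r"^username (\S+)"),
    "SNMP community": re.compile(r"^snmp-server community (\S+)"),
    "tunnel interface": re.compile(r"^interface (Tunnel\d+)"),
    "vty access-class": re.compile(r"^ access-class (\S+)"),
}

def parse(config):
    """Map each watched category to the set of object names found."""
    found = {kind: set() for kind in WATCHED}
    for line in config.splitlines():
        for kind, pat in WATCHED.items():
            m = pat.match(line)
            if m:
                found[kind].add(m.group(1))
    return found

def smart_install_exposed(config):
    """Only an explicit 'no vstack' turns Smart Install off (CVE-2018-0171)."""
    return re.search(r"^no vstack\b", config, re.M) is None

def drift(baseline, current):
    """List watched objects present in current but absent from the baseline."""
    base, cur = parse(baseline), parse(current)
    findings = [f"new {kind}: {name}" for kind in WATCHED
                for name in sorted(cur[kind] - base[kind])]
    if smart_install_exposed(current) and not smart_install_exposed(baseline):
        findings.append("Smart Install re-enabled ('no vstack' removed)")
    return findings

# Constructed sample configs (not from the article): approved baseline vs.
# a later snapshot pulled from the same device.
BASELINE = """no vstack
username netops privilege 15 secret 5 $1$PLACEHOLDER
snmp-server community mon-ro RO 10
line vty 0 4
 access-class MGMT in"""
CURRENT = """username netops privilege 15 secret 5 $1$PLACEHOLDER
username svc-backup privilege 15 secret 5 $1$PLACEHOLDER
snmp-server community mon-ro RO 10
snmp-server community public RW
interface Tunnel0
line vty 0 4
 access-class ANY in"""

if __name__ == "__main__":
    for finding in drift(BASELINE, CURRENT):
        print(finding)
```

In a real deployment the snapshots would come from a central configuration store, and SNMP community strings should be redacted before findings are written to a ticket or log.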

In addition, organizations are encouraged to follow government and industry security advisories. Applying recommended configuration changes and closely monitoring access control lists can help prevent unauthorized access.
