APT28, a state-sponsored hacking group affiliated with Russian military intelligence, has been exploiting a six-year-old vulnerability in Cisco routers to deploy malware and conduct surveillance, according to a joint advisory issued by the US and UK governments on Tuesday. The US cybersecurity agency CISA, alongside the FBI, NSA, and the UK's National Cyber Security Centre, detailed how the Russia-backed hackers targeted European organisations and US government institutions throughout 2021 by exploiting Cisco router vulnerabilities. Notably, the advisory also revealed that the hackers attacked approximately 250 Ukrainian victims, whose identities were not disclosed.
The hacking group, also known as Fancy Bear, has a history of conducting cyber attacks, espionage, and hack-and-leak information operations on behalf of the Russian government. According to the joint advisory, the hackers exploited a remotely exploitable vulnerability that Cisco had patched in 2017 to deploy custom-built malware called "Jaguar Tooth", designed to infect unpatched routers. The threat actors scanned for internet-facing Cisco routers using default or easy-to-guess SNMP community strings, which allowed them to install the malware. SNMP (Simple Network Management Protocol) enables network administrators to remotely access and configure routers, but can also be misused to obtain sensitive network information. Once installed, the malware exfiltrated data from the router and provided stealthy backdoor access to the device, the agencies stated.
Matt Olney, Director of Threat Intelligence at Cisco Talos, highlighted in a blog post that this campaign exemplifies "a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity". He expressed deep concern over the increasing rate of high-sophistication attacks on network infrastructure, as observed by Cisco and corroborated by various intelligence organisations' reports, indicating that state-sponsored actors are targeting routers and firewalls globally. Olney added that China has also been identified as attacking network equipment in multiple campaigns. Earlier this year, Mandiant reported that Chinese-state backed attackers exploited a zero-day vulnerability in Fortinet devices to execute a series of attacks on government organisations.