
Russian cyber group exploits seven-year-old network vulnerabilities for long-term espionage

A Russian state-sponsored espionage group has been systematically compromising network devices worldwide for over a decade, exploiting a seven-year-old vulnerability to steal sensitive data and establish persistent access to organizations across multiple sectors, according to new research from Cisco Talos Intelligence.

The group, designated “Static Tundra” by Cisco Talos, is linked to the Russian Federal Security Service’s Center 16 unit and operates as a likely sub-cluster of the broader “Energetic Bear” threat group. The operation represents one of the most persistent network device compromise campaigns documented to date, with the group maintaining undetected access to victim systems for multiple years.

According to the researchers, the group has been leveraging CVE-2018-0171, a vulnerability in Cisco IOS software’s Smart Install feature that was patched when initially disclosed in 2018. Despite the availability of patches, the group continues to find success targeting organizations that have left devices unpatched or are running end-of-life equipment that cannot be updated.

The vulnerability allows attackers to execute arbitrary code on affected devices or trigger denial-of-service conditions. 

Researchers believe the group has developed automated tooling to exploit the vulnerability at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys.

Once initial access is gained, the group employs sophisticated techniques to extract device configuration data, which often contains credentials and network information valuable for further compromise. The attackers use a combination of Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools to maintain access and collect intelligence.
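As an added, defender-side example that is not part of the CyberScoop article or of Cisco Talos's research: a small Python script that scans Cisco IOS-style running-config text for the two exposure points named above, Smart Install still enabled (Cisco's documented mitigation for devices that cannot be patched is `no vstack`) and SNMP community strings that would let anyone retrieve the configuration. The sample configuration, the check names and the severity labels are constructed for this example; the attacker's TFTP copies themselves do not appear in a config file, so this audit covers only what the device's own configuration exposes.

```python
"""Configuration audit for the exposure points in the Static Tundra reporting.

Added example (not Cisco Talos tooling): scans Cisco IOS-style running-config
text for Smart Install left enabled and for SNMP community strings that would
let an attacker pull the configuration. The config below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: one router showing the weaknesses the article describes.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tRW RW 10
!
line vty 0 4
 transport input ssh
!
end
"""

# Community strings commonly shipped as defaults or found in wordlists.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

# snmp-server community <string> [view <name>] [RO|RW] [access-list]
SNMP_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low (labels chosen for this example)
    check: str     # short identifier for the failed check
    detail: str


def audit_config(text: str) -> list[Finding]:
    """Return findings for a running-config; an empty list means nothing flagged."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings: list[Finding] = []

    # Smart Install listens on TCP/4786. Cisco's mitigation for CVE-2018-0171
    # on devices that cannot be patched is to disable the feature with 'no vstack'.
    # A running-config does not always print default state, so the absence of
    # 'no vstack' is only a medium finding; 'show vstack config' on the device
    # is the authoritative check.
    if "vstack" in lines:
        findings.append(Finding("high", "smart-install-enabled",
                                "'vstack' present: Smart Install explicitly enabled"))
    elif "no vstack" not in lines:
        findings.append(Finding("medium", "smart-install-not-disabled",
                                "'no vstack' absent: confirm with 'show vstack config'"))

    # SNMP: a read-write community with no access list lets any host that can
    # reach the device trigger a configuration copy over SNMP.
    communities = 0
    for ln in lines:
        m = SNMP_COMMUNITY_RE.match(ln)
        if not m:
            continue
        communities += 1
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("high", "snmp-default-community",
                                    f"guessable community '{name}' ({mode})"))
        if mode == "RW" and acl is None:
            findings.append(Finding("high", "snmp-rw-unrestricted",
                                    f"RW community '{name}' has no access list"))
    if communities:
        findings.append(Finding("low", "snmp-v1v2c-in-use",
                                f"{communities} community string(s): prefer SNMPv3 authPriv"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
```

Run against the constructed sample, the script reports five findings: Smart Install not explicitly disabled, the two default community strings, the unrestricted `private` read-write community, and a low-severity note that SNMPv1/v2c is in use at all. A config containing `no vstack` and only SNMPv3 groups produces no findings.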

The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.

“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” the Cisco Talos report states. The group expanded its targeting within Ukraine from selective, limited compromises to operations across multiple industry verticals.

The campaign exposes ongoing weaknesses in network infrastructure security, with attackers continuing to exploit a vulnerability patched in 2018. This persistence underscores widespread shortcomings in patch and device lifecycle management. The operation also illustrates the high strategic value nation-state actors place on compromising network devices, which offer access to broad organizational communications and facilitate further intrusions. 

Security researchers emphasize that Static Tundra is not unique in targeting network infrastructure. The report notes that “many other state-sponsored actors also covet the access these devices afford,” indicating that similar operations are likely being conducted by multiple nation-state groups.

Cisco Talos assesses with high confidence that Static Tundra is a Russian state-sponsored group specializing in network device exploitation, based on tactical overlaps with previously identified Russian operations and targeting patterns consistent with Russian strategic interests. The FBI has corroborated connections between Static Tundra and the broader Energetic Bear group, which was formally linked to Russia’s FSB Center 16 unit in a 2022 Department of Justice indictment.

FSB Center 16 is a unit within Russia’s Federal Security Service (FSB) that is believed to oversee signals intelligence and cyber operations on behalf of the Russian government. Microsoft has observed another group linked to the center, known as Turla, waging its own espionage campaigns.

The post Russian cyber group exploits seven-year-old network vulnerabilities for long-term espionage appeared first on CyberScoop.

Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow

A Russian nation-state threat group has been spying on foreign diplomats, managing continuous access to their communications and data in Moscow since at least 2024, according to Microsoft Threat Intelligence.

Secret Blizzard is gaining “adversary-in-the-middle” positions on Russian internet service providers and telecom networks by likely leveraging surveillance tools and deploying malware on targeted devices, researchers said in a report released Thursday. 

Microsoft’s discovery marks the first time its researchers have confirmed with high confidence that Secret Blizzard has capabilities at the ISP level, a degree of access that combines passive surveillance and an active intrusion. 

“It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop. 

Secret Blizzard — also known as Turla, Pensive Ursa or Waterbug — is affiliated with Center 16 of Russia’s Federal Security Service (FSB) and has been active for decades.

The Russian nation-state group is “the classic definition of what you think of when you think of advanced persistent threat: creative, persistent, well resourced, highly organized, able to execute projects, able to execute actions on objectives,” DeGrippo said. “Ultimately, I think that the key word is creative.”

According to Microsoft, Secret Blizzard gains initial access to embassy employee devices after targeted victims connect to a state-aligned network through a captive portal: the devices are redirected to a malicious domain that displays a certificate validation error.

The error prompt tricks embassy employees into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploy the ApolloShadow malware. The custom malware turns off traffic encryption, tricks the devices into trusting malicious sites as legitimate, and enables Secret Blizzard to maintain persistent access to diplomatic devices for espionage.

“This is an excellent piece of social engineering because it plays on habit, it plays on urgency, it plays on emotions, which are the three holy trinity of social engineering,” DeGrippo said. 

“You see this pop-up that’s telling you you have a security issue, and it’s branded as a security vendor. We’ve been seeing that capability for decades,” she said. “Simply clicking through and not examining and thinking about that, especially when on a state-aligned, state-owned network in one of these surveillance-heavy countries where the government has deep technical and legal controls over those ISPs — that infrastructure is now part of your attack surface.”

Microsoft declined to say how many embassies have been impacted, but noted the group is active. Intrusions linked to this politically motivated espionage campaign allow Secret Blizzard to view the majority of the target’s browsing in plain text, including certain tokens and credentials, researchers said in the report.

“This seems relatively simple, but it’s only made so simple by the likely leveraging of a lawful intercept capability,” DeGrippo said. “Relying on local infrastructure in these high-risk environments — China, Russia, North Korea, Iran — in these surveillance-heavy countries, is of concern.” 

Microsoft previously observed Secret Blizzard using tools from other cybercriminal groups to compromise targets in Ukraine, showing how the group uses various attack vectors and means to infiltrate networks of geopolitical interest to Russia.

The post Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow appeared first on CyberScoop.
