Russian hackers linked to the country’s Federal Security Service (FSB) Center 16 have exploited vulnerable Cisco devices for over a year to target critical infrastructure organizations for cyber espionage.
The campaign, which involves harvesting and modifying device configurations, leverages a seven-year-old security flaw for which fixes were released soon after its discovery.
CVE-2018-0171 (CVSS score of 9.8) is a critical, known, and patched vulnerability in Cisco IOS software and Cisco IOS XE software.
When exploited, it could enable an unauthenticated, remote attacker to execute arbitrary code or reload a device, causing a denial of service (DoS) condition.
Threat intelligence unit Cisco Talos warned that the attackers will continue exploiting vulnerable devices until the operators apply the recommended security fixes.
Russian hackers exploit unpatched Cisco devices
According to Cisco’s security advisory, the state-sponsored threat actors collected device configuration information, which they later exploited to compromise critical infrastructure organizations, to advance the “strategic goals and interests of the Russian government.”
The geopolitically motivated attacks target critical infrastructure entities across “telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe,” depending on their strategic importance to the Russian government. At the start of the Ukraine invasion, the threat actor’s activity shifted towards the country.
According to the threat intelligence unit, Cisco Talos, Russian hackers modified the configurations of some end-of-life Cisco devices to maintain long-term access. They also targeted industrial control systems (ICS), on which critical infrastructure depends for daily operations.
“SOHO Routers and other IoT devices are the main victims used for creating operational relay networks, since they are rarely maintained, patched or even get to be reconfigured from factory settings rather than a plug-and-play home device,” said Gilad Friedenreich Maizles, Security Researcher at SecurityScorecard. “This specific network seems to be working and expanding under the radar for at least a decade.”
Cisco Talos particularly noted that Russian hackers linked to the Static Tundra cyber threat group have exploited vulnerable Cisco devices since 2015. The group is part of a cluster tracked as Berserk Bear, Dragonfly, Havex, Blue Kraken, Crouching Yeti, Energetic Bear, and Ghost Blizzard.
However, other state-sponsored Russian hackers also likely exploited unpatched Cisco devices in a similar fashion.
“Other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations,” Cisco Talos stated.
Similarly, Chinese state-sponsored threat actors, specifically Salt Typhoon, have also weaponized the security vulnerability to compromise Cisco devices for cyber espionage.
Meanwhile, Cisco Talos warned that Russian hackers will continue to exploit vulnerable Cisco devices with the Smart Install feature enabled until it is disabled or the recommended security fixes are applied.
“Customers are urged to apply the patch for CVE-2018-0171 or to disable Smart Install as indicated in the advisory if patching is not an option.”
FBI warns of attacks on critical infrastructure
The FBI also confirmed that Russian hackers harvested configuration files from “thousands of networking devices associated with U.S. entities across critical infrastructure sectors.”
“The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally,” the agency warned.
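As an added illustration (not code from the article, Cisco or the FBI), the script below audits a Cisco IOS running-config text for the two exposures named in this report: Smart Install left enabled (it is disabled by the `no vstack` command) and SNMP communities that are default, read-write, or not restricted by an access list. The config excerpts are constructed samples.

```python
import re

# Constructed sample running-config excerpt, not taken from any real device.
SAMPLE_CONFIG = """\
version 15.2
hostname edge-sw1
!
snmp-server community public RO
snmp-server community s3cr3t RW
!
vstack
!
line vty 0 4
 transport input ssh
end
"""

# Constructed hardened variant: Smart Install disabled, one RO community bound to ACL 10.
HARDENED_CONFIG = """\
hostname edge-sw1
no vstack
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community Kx7qL2pZ RO 10
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?$", re.I)


def audit_config(config_text):
    """Return a list of human-readable findings for the hardening points above."""
    findings = []
    lines = [line.strip() for line in config_text.splitlines()]
    # Smart Install: only an explicit "no vstack" proves it is off on affected releases.
    if "no vstack" not in lines:
        findings.append("smart-install: not explicitly disabled (expected 'no vstack')")
    for line in lines:
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{community}' ({mode})")
        if mode == "RW":  # RW allows config changes, the modification path this report describes
            findings.append(f"snmp: write access community '{community}'")
        if acl is None:
            findings.append(f"snmp: community '{community}' has no access-list")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```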
Cisco and the FBI also linked the campaign to the SYNful Knock malware, which targeted four countries at the start of the Ukraine War.
Meanwhile, the continued exploitation of the known security vulnerability suggests that many critical infrastructure organizations do not follow security best practices.
On August 20, 2025, Cisco updated the status of CVE-2018-0171 to indicate that it was being actively exploited in the wild.
“Cisco is aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible,” it stated.