APT28, a state-sponsored hacking group operated by Russian military intelligence, is exploiting a six-year-old vulnerability in Cisco routers to deploy malware and conduct surveillance, according to the US and UK governments.
In a joint advisory issued Tuesday, the US cybersecurity agency CISA, along with the FBI, the NSA and the UK's National Cyber Security Centre, detail how Russian-backed hackers exploited vulnerabilities in Cisco internet routers throughout 2021 with the goal of targeting European organizations and US government institutions. The advisory said the hackers also compromised "approximately 250 Ukrainian victims," which the agencies did not name.
APT28, also known as Fancy Bear, is known for carrying out a variety of cyberattacks, espionage, and hack-and-leak operations on behalf of the Russian government.
According to the joint advisory, hackers exploited a remotely exploitable vulnerability patched by Cisco in 2017 to deploy custom malware dubbed “Jaguar Tooth,” which is designed to infect unpatched routers.
To install the malware, the threat actors search for internet-connected Cisco routers that use a default or easy-to-guess SNMP community string.
SNMP, or Simple Network Management Protocol, allows network administrators to remotely monitor and configure routers using a community string rather than a username and password, but it can also be misused to obtain sensitive network information.
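As an added example (not from the advisory or from Cisco), the following Python audit flags the weak SNMPv1/v2c settings described above in a Cisco IOS running-config: default community strings, read-write communities, communities with no source ACL, and the absence of an SNMPv3 `priv` group. The sample config, hostnames and community strings are constructed.

```python
import re

# Constructed sample running-config excerpt (not from the advisory) showing two
# weak community strings beside a better one that is RO and bound to ACL 10.
SAMPLE_CONFIG = """\
hostname edge-router
snmp-server community public RO
snmp-server community private RW
snmp-server community N3tM0n-r0 RO 10
snmp-server group NMS-V3 v3 priv
access-list 10 permit 10.20.30.5
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?\s*$"
)


def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak SNMP setting found in an IOS running-config."""
    findings = []
    has_v3_priv = False
    for line in config.splitlines():
        line = line.strip()
        # SNMPv3 with authentication and encryption is the hardened alternative.
        if re.match(r"^snmp-server group \S+ v3 priv\b", line):
            has_v3_priv = True
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{community}' ({mode})")
        if mode == "RW":
            findings.append(f"read-write community '{community}' permits configuration changes")
        if acl is None:
            findings.append(f"community '{community}' has no ACL restricting source addresses")
    if not has_v3_priv:
        findings.append("no SNMPv3 'priv' group configured")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports the two default strings, the RW community and the two missing ACLs, while the ACL-bound `N3tM0n-r0` community and the v3 group produce no findings.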
Once installed, the malware extracts information from the router and provides stealthy backdoor access to the device, the agencies said.
Matt Olney, director of threat intelligence at Cisco Talos, said in a blog post that this campaign is an example of “a much broader trend of sophisticated adversaries targeting network infrastructure to further espionage goals or preposition themselves for future destructive activities.”
“Cisco is deeply concerned about an increase in the rate of highly sophisticated attacks on network infrastructure, which we have observed and seen corroborated by numerous reports issued by various intelligence organizations, indicating that state-sponsored actors are targeting routers and firewalls globally,” Olney said.
Olney added that in addition to Russia, China has also been seen attacking network equipment in various campaigns.
Earlier this year, Mandiant reported that Chinese state-backed attackers exploited a zero-day vulnerability in Fortinet devices to carry out a series of attacks against government organizations.