Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies

As recently as 2021, the notorious Russian APT28 was exploiting network routers running outdated versions of Cisco’s IOS and IOS XE operating system software, using them to deploy backdoors in networks across European and American government institutions.

APT28 — aka Fancy Bear, Strontium, Tsar Team, and Sofacy Group — is best known for its campaigns against Ukraine and the 2016 US elections. The UK National Cyber Security Centre (NCSC) has attributed this group to the 85th Special Service Centre, Military Intelligence Unit 26165, part of Russia’s General Staff Main Intelligence Directorate (GRU).

NCSC, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and FBI this week published a joint advisory outlining one of APT28’s less technically impressive but more economic maneuvers. According to their findings, the group used unpatched Cisco routers to access “a small number” of EU and US government institutions, on top of “approximately 250 Ukrainian victims.”

Though the campaign took place two years ago, Cisco Talos in a blog post expressed how “deeply concerned” it is “by an increase in the rate of high-sophistication attacks on network infrastructure” by nation-state actors.

“We certainly have seen an increase over the last several years — even over the last six to 12 months — in targeting this type of infrastructure,” says JJ Cummings, national security principal at Cisco Talos. “I think this is probably only the tip of the iceberg.”

Taking Advantage of Vulnerable Routers

On June 29, 2017, Cisco revealed a series of vulnerabilities in the Simple Network Management Protocol (SNMP), a communications protocol for network devices running IOS versions 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17.

A specially crafted SNMP packet, the company explained, could have allowed attackers to remotely execute code on affected devices, or cause them to reboot. The vulnerabilities were grouped under CVE-2017-6742 and assigned a “High” CVSS score of 8.8.

Though a patch for the SNMP vulnerabilities was released all those years ago, by 2021 APT28 was still exploiting Cisco routers to access US, EU, and primarily Ukrainian government networks.

In the same way administrators use SNMP to remotely monitor and configure network devices, APT28 used it to remotely access devices and penetrate networks.

“A number of software tools can scan the entire network using SNMP,” the advisory explained, “meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.”

In particular, APT28 took advantage of weak passwords — “community strings,” in Cisco parlance — such as the default public string in order to crack routers and, in some cases, deploy their “Jaguar Tooth” malware. Jaguar Tooth was specifically designed to exploit CVE-2017-6742, stealing device information and planting a backdoor for persistent access.

Thousands of Routers Are Exposed Online

A remarkable number of enterprise Internet routers in operation today are publicly exposed on the open Internet. And they’re not only exposed — they’re vulnerable. For scale, consider this:

After a series of vulnerabilities were discovered in multiple Cisco Small Business Routers earlier this year, software company Censys scanned for any potentially vulnerable devices online. The search returned over 20,000 results, the vast majority of which are still equally exposed to this day.

And just as a software company can identify these devices, so can hackers." Usually, cybercriminals will be using tools like Shodan or Nmap to scan and look for exposed devices connected to the internet," explains James McQuiggan, security awareness advocate at KnowBe4. “Organizations may try the ‘security by obscurity’ model, hoping they’re not discovered running older legacy systems,” he says, but hackers who can find and so easily exploit these devices “have opened the electronic front door.”

Cisco regularly publishes information about new vulnerabilities and risks to IT infrastructure, such as this blog post published on April 18

Why Routers Go Unpatched

In IT environments, Cummings observes, there’s one main reason why routing devices remain unpatched for years at a time. “Think about what the primary mission of a network operations team is: to keep the network up and running, right?” A byproduct of this prioritization of reliability and availability, he says, could be that “if a device is not broken, maybe they’re not going to fix it.”

Further, updating can sometimes come at a cost — albeit temporary — for operations. “We’ve seen in a couple of cases that, while the process to upgrade isn’t necessarily difficult or arduous, it’s also not always without risk for network availability.” If availability is the primary goal, “if they’re incentivized not to impact that, anything that gets in the way is something that they’re going to shy away from.”

Updating IOS and IOS XE is necessary for addressing CVE-2017-6742, but in cases where doing so is tricky, there are other simple changes IT administrators can make to harden against similar infrastructure breaches. “If updates are not possible,” McQuiggan says, “network monitoring — even if it’s by a third-party managed security service — can alert of intrusions and possible unauthorized logins to external-facing networking equipment.”

In its blog post, Cisco emphasized more than anything the need to restrict infrastructure to trusted users. “Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks,” they wrote. “Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses.”