The Federal Bureau of Investigation (FBI) has issued a critical warning regarding cyberattacks targeting essential infrastructure organizations. These attacks are perpetrated by hackers affiliated with Russia’s Federal Security Service (FSB) and exploit a vulnerability in Cisco devices that has been present for seven years.
According to the FBI’s public service announcement, the state-sponsored hacking group, associated with the FSB’s Center 16 and identified as **Berserk Bear** (also known by other aliases such as **Blue Kraken**, **Crouching Yeti**, **Dragonfly**, and **Koala Team**), is actively compromising Cisco networking devices. The group exploits the vulnerability tracked as CVE-2018-0171 to gain unauthorized access to organizations globally.
The **CVE-2018-0171** vulnerability is particularly alarming. It affects the Smart Install feature of Cisco’s IOS and IOS XE software, allowing unauthenticated attackers to remotely trigger a reload of unprotected devices. This could lead to a denial-of-service (DoS) condition or enable the execution of arbitrary code on the device, significantly jeopardizing organizational security.
The FBI reported that, in the past year, it observed the group collecting configuration files from thousands of networking devices associated with U.S. entities across critical sectors. In several instances, the attackers altered configuration files to facilitate unauthorized access, enabling them to conduct reconnaissance on victim networks. This reconnaissance indicated a focused interest in protocols and applications commonly used in industrial control systems.
This same hacking group has a history of targeting networks of **U.S. state, local, territorial, and tribal (SLTT)** government organizations, as well as aviation sector entities over the last decade.
Immediate Action Required: Patch Vulnerabilities
Cisco, which first identified attacks leveraging the CVE-2018-0171 flaw in November 2021, has renewed its advisory urging system administrators to promptly secure their devices against ongoing threats. Cisco Talos, the company’s cybersecurity division, emphasizes that the Russian threat group, referred to as **Static Tundra**, is vigorously exploiting this vulnerability to compromise unpatched devices across various sectors, including telecommunications, higher education, and manufacturing, in regions such as North America, Asia, Africa, and Europe.
Attackers have also been documented employing **custom SNMP tooling** to achieve persistence on compromised devices, allowing them to evade detection for extended periods. Furthermore, they utilize the **SYNful Knock** firmware implant, first detected in 2015 by FireEye, which enhances their capability to maintain long-term access to affected systems.
The threat landscape extends beyond Russian operations; other state-sponsored actors are anticipated to be executing similar campaigns targeting network device compromises. This accentuates the urgent need for comprehensive patching and robust security hardening across all organizations. Cisco Talos has succinctly noted that “threat actors will continue to exploit devices that remain unpatched and have Smart Install enabled.”
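The FBI's observation that attackers collected and altered device configurations, together with Talos's note about persistence via SNMP and devices left with Smart Install enabled, suggests a simple defensive control: diff every collected Cisco IOS running configuration against a known-good baseline and flag the kinds of changes described above. The script below is an added example, not code from the FBI, Cisco, or Talos. It treats Smart Install as enabled unless `no vstack` is present (Cisco's documented way to disable the feature on IOS/IOS XE), flags read-write SNMP communities, and highlights added or removed lines touching local accounts, VTY transport, ACLs, and HTTP/TFTP services. The two configuration snippets, the hostname, the `$PLACEHOLDER` secrets, and all function names are constructed for this example.

```python
"""Audit a Cisco IOS running-config against a baseline for signs of tampering.

Added example (not from the FBI/Cisco advisories). Config snippets below are
constructed; the risk patterns are an assumption about what an operator would
want paged on, not a complete hardening checklist.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Lines whose addition or removal deserves a human look. Order matters:
# the first matching label wins. Constructed for this example.
HIGH_RISK: List[Tuple[str, "re.Pattern[str]"]] = [
    ("new local account", re.compile(r"^username\s+\S+")),
    ("management access", re.compile(r"^\s*transport input\b")),
    ("access list", re.compile(r"^(ip )?access-list\s")),
    ("snmp community", re.compile(r"^snmp-server community\s")),
    ("http server", re.compile(r"^ip http(?: secure)?-server\b|^ip http server\b")),
    ("tftp/archive", re.compile(r"^(tftp-server|archive)\b")),
    ("smart install control", re.compile(r"^no vstack$")),
]

# snmp-server community <string> RW [acl]  -> capture the community string
RW_COMMUNITY = re.compile(r"^snmp-server community (\S+)\s+RW\b")


def normalize(config: str) -> List[str]:
    """Drop blank lines, '!' comment/timestamp lines and show-command headers."""
    keep = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(("Building configuration", "Current configuration")):
            continue
        keep.append(line)
    return keep


def smart_install_enabled(lines: List[str]) -> bool:
    """Smart Install client is on by default; only an explicit 'no vstack' turns it off."""
    return not any(line.strip() == "no vstack" for line in lines)


@dataclass
class AuditResult:
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    high_risk: List[Tuple[str, str]] = field(default_factory=list)
    smart_install_enabled: bool = True
    rw_communities: List[str] = field(default_factory=list)


def audit(baseline: str, current: str) -> AuditResult:
    """Line-set diff (not positional) of current vs. baseline, plus hardening checks."""
    base, cur = normalize(baseline), normalize(current)
    base_set, cur_set = set(base), set(cur)
    res = AuditResult()
    res.added = [l for l in cur if l not in base_set]
    res.removed = [l for l in base if l not in cur_set]
    for line in res.added + res.removed:          # added first, then removed
        for label, pattern in HIGH_RISK:
            if pattern.match(line):
                res.high_risk.append((label, line))
                break
    res.smart_install_enabled = smart_install_enabled(cur)
    res.rw_communities = [m.group(1) for l in cur if (m := RW_COMMUNITY.match(l))]
    return res


# Constructed sample: known-good baseline taken when the device was provisioned.
BASELINE_CONFIG = """\
Building configuration...
! Last configuration change at 10:00:00 UTC
version 15.2
hostname core-sw1
!
no vstack
username admin privilege 15 secret 5 $PLACEHOLDER
snmp-server community ro-monitor RO 10
line vty 0 4
 transport input ssh
!
"""

# Constructed sample: the same device after the kind of tampering the FBI describes
# (extra account, telnet re-enabled, RW community added, Smart Install re-enabled).
TAMPERED_CONFIG = """\
version 15.2
hostname core-sw1
username admin privilege 15 secret 5 $PLACEHOLDER
username svc-backup privilege 15 secret 5 $PLACEHOLDER2
snmp-server community ro-monitor RO 10
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    result = audit(BASELINE_CONFIG, TAMPERED_CONFIG)
    print("Smart Install enabled:", result.smart_install_enabled)
    print("RW communities:", result.rw_communities)
    for label, line in result.high_risk:
        print(f"[{label}] {line.strip()}")
```

Because the diff is set-based, a line that legitimately appears under several `line` stanzas (for example `transport input` under both `con 0` and `vty 0 4`) is only reported once; a production version would diff per stanza. Run it against configurations pulled on a schedule and alert on any `high_risk` entry, on `smart_install_enabled` being true where the feature is not needed, and on any `rw_communities` at all.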
Recent data indicates that **46% of environments suffered password breaches**, nearly doubling from 25% in the previous year. For strategic insights into prevention, detection, and data exfiltration trends, obtain the **Picus Blue Report 2025** for an extensive overview of current cybersecurity challenges and best practices.