The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI) have released a joint security advisory describing attacks on Cisco routers carried out by Russian military intelligence hackers.
Tracked as APT28, Fancy Bear and Strontium, the group has been attributed by these authorities to the Russian General Staff Main Intelligence Directorate's (GRU) 85th Special Service Centre (GTsSS), Military Intelligence Unit 26165.
According to the advisory, the threat actor exploited Cisco router vulnerabilities throughout 2021, targeting “a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.”
“In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide,” the agencies say.
The group used two routes into the routers. The first was plain SNMP access using default or weak community strings, including the well-known default "public". The second was CVE-2017-6742, a buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE that allows remote code execution and which Cisco patched in June 2017. The two are not independent: exploiting CVE-2017-6742 over SNMPv1 or v2c requires a valid read-only community string (or valid user credentials for SNMPv3), so guessable community strings are what made the exploit reachable on unpatched devices.
Cisco's advisory at the time offered workarounds for devices that could not be upgraded immediately: restricting SNMP access to trusted hosts only, and excluding the affected Management Information Bases (MIBs) from the SNMP views the device exposes. Both narrow the attack surface; the lasting fix is upgrading to a fixed software release.
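As an added illustration (not code from the advisory or from Cisco), the following Python script audits the `snmp-server` lines of a Cisco IOS running-config for the weaknesses described above: default or guessable community strings, read-write access, and communities not bound to an access list or a restricted SNMP view. The two configurations embedded in it are constructed for the example; the community string, access list number, view name, excluded OID subtree, management address and SNMPv3 group, user and passphrases are all placeholders, and the minimum-length threshold is an assumed local policy rather than a vendor requirement.

```python
"""Audit the SNMP section of a Cisco IOS running-config for the weaknesses the
advisory describes: default or guessable community strings, read-write access,
and communities not restricted by an access list or an SNMP view.

Added example (not from the advisory or from Cisco); the two sample
configurations below are constructed, and every name, number and OID in them
is a placeholder."""
import re
from dataclasses import dataclass

# "public" and "private" are the classic defaults; the rest are assumed
# common guesses an attacker would try first.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "monitor"}
MIN_COMMUNITY_LEN = 16  # assumed local policy, not a vendor requirement

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl6>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?:\s+view\s+(?P<view>\S+))?"
    r"(?:\s+(?P<mode>RO|RW)\b)?"
    r"(?:\s+ipv6\s+\S+)?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^(?:access-list (?P<num>\d+)|ip access-list (?:standard|extended) (?P<name>\S+))\b")
VIEW_RE = re.compile(r"^snmp-server view (?P<name>\S+) \S+ (?:included|excluded)\s*$", re.IGNORECASE)
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv\b", re.IGNORECASE)

# Constructed: the kind of configuration the advisory says APT28 found exposed.
WEAK_CONFIG = """
!
snmp-server community public RO
snmp-server community private RW
snmp-server location Branch office
!
"""

# Constructed: the same device after applying the workarounds plus SNMPv3.
HARDENED_CONFIG = """
!
! Only the management host (placeholder address) may talk SNMP to this device
access-list 10 permit 192.0.2.10
access-list 10 deny any log
!
! Read-only view; the excluded subtree is a placeholder standing in for the
! MIBs listed in the vendor advisory
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED 1.3.6.1.4.1.9.9.999 excluded
!
! Legacy v2c poller: random string (placeholder), read-only, view- and ACL-bound
snmp-server community k9Vq3pLx8Tz2mRw7 view RESTRICTED RO 10
!
! New pollers use SNMPv3 with authentication and privacy (placeholder names)
snmp-server group NETMON v3 priv read RESTRICTED access 10
snmp-server user netmon NETMON v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
"""


@dataclass
class Finding:
    code: str
    line: str


def audit_snmp(config: str) -> list[Finding]:
    """Return one Finding per weakness; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]  # drop IOS comment lines

    acls, views = set(), set()
    for ln in lines:
        if m := ACL_RE.match(ln):
            acls.add(m.group("num") or m.group("name"))
        if m := VIEW_RE.match(ln):
            views.add(m.group("name"))
    has_v3_priv = any(V3_PRIV_RE.match(ln) for ln in lines)

    findings: list[Finding] = []
    communities = 0
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        communities += 1
        string = m.group("string")
        if string.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("DEFAULT_COMMUNITY", ln))
        elif len(string) < MIN_COMMUNITY_LEN:
            findings.append(Finding("SHORT_COMMUNITY", ln))
        if (m.group("mode") or "RO").upper() == "RW":
            findings.append(Finding("READ_WRITE", ln))      # write access lets a client change config
        acl = m.group("acl")
        if acl is None:
            findings.append(Finding("NO_ACL", ln))          # any source address may query
        elif acl not in acls:
            findings.append(Finding("UNDEFINED_ACL", ln))   # referenced ACL is not defined here
        view = m.group("view")
        if view is None:
            findings.append(Finding("NO_VIEW", ln))         # whole MIB tree, affected MIBs included
        elif view not in views:
            findings.append(Finding("UNDEFINED_VIEW", ln))
    if communities and not has_v3_priv:
        findings.append(Finding("V2C_ONLY", "(global)"))   # no authenticated alternative offered
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_snmp(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.code:18} {f.line}")
```

Run it against a saved `show running-config` to get the same report for a real device. Note that the hardened configuration only narrows exposure: a client that holds the community string (or SNMPv3 credentials) and can reach the device from a permitted address can still trigger CVE-2017-6742 on an unpatched release, which is why the software upgrade remains the fix.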
In some cases APT28 exploited CVE-2017-6742 to deploy Jaguar Tooth, a non-persistent malware payload for Cisco IOS routers that collected device information, exfiltrated it over TFTP, and modified the router's authentication so that any user could log in, giving the operators unauthenticated backdoor access.
In a blog post published this week Matt Olney, director of Threat Intelligence and Interdiction at Cisco, said that the Jaguar Tooth campaign is “an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.”
He also said that Chinese state actors have been observed attacking network equipment from a broad range of manufacturers in several cyber-espionage operations.
“These are certainly not the only campaigns targeting network equipment, nor the only actors. It is reasonable to conclude that any sufficiently capable national intelligence operation would develop and use the capability to compromise the communications infrastructure of their preferred targets,” Olney said.