A Russian state-sponsored espionage group identified as Static Tundra has been quietly compromising network devices around the world for more than a decade, exploiting a seven-year-old vulnerability to steal sensitive data and maintain a foothold in organizations across multiple sectors, according to new research from Cisco Talos Intelligence.
Talos researchers tie Static Tundra to Russia’s Federal Security Service (FSB) Center 16 and describe it as a likely sub-cluster of the Energetic Bear threat group. The operation is among the most persistent network-device compromise campaigns documented to date, with access remaining undetected for years, the report says. For context on the broader threat, researchers point to the Energetic Bear actor family.
Central to the group’s operations is CVE-2018-0171, a flaw in Cisco IOS’s Smart Install feature that Cisco patched in 2018. Despite the availability of patches, the group continues to target organizations that have not updated their devices or that run end-of-life equipment. The vulnerability is catalogued in the National Vulnerability Database as CVE-2018-0171, and Cisco has published a security advisory for it.
Researchers say Static Tundra has developed automated tooling to exploit the flaw at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys. Once initial access is gained, the group extracts device configuration data, including credentials and network information, and maintains access using Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools.
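As an added illustration, not code from the Talos report or from Cisco, the following Python audits a constructed Cisco IOS running-config excerpt for the conditions the tradecraft above depends on: Smart Install left enabled, a writable SNMP community that could be used to push a configuration copy to a TFTP server, and SNMP access without a source access-list. The hostname, community strings, ACL number and config layout are assumed sample values.

```python
import re

# Constructed sample running-config excerpt in Cisco IOS syntax (assumed
# content; not from any real device or from the Talos report).
SAMPLE_CONFIG = """\
hostname edge-sw1
snmp-server community public RW
snmp-server community netops RO 10
access-list 10 permit 10.0.0.0 0.0.0.255
ip ssh version 2
"""

# The same device after the findings below are addressed.
HARDENED_CONFIG = """\
hostname edge-sw1
no vstack
snmp-server community netops RO 10
access-list 10 permit 10.0.0.0 0.0.0.255
ip ssh version 2
"""

# "snmp-server community <name> RO|RW [<acl>]"; [ \t] keeps the optional ACL
# group from swallowing the next line.
SNMP_RE = re.compile(
    r"^snmp-server community (\S+)[ \t]+(RO|RW)(?:[ \t]+(\S+))?", re.M
)


def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was seen."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    # 1. Smart Install: on IOS releases where it is on by default, an enabled
    #    client leaves no line in running-config, so only an explicit
    #    "no vstack" proves it is off (confirm with "show vstack config").
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' absent, CVE-2018-0171 exposure possible")
    for community, mode, acl in SNMP_RE.findall(config):
        # 2. A write community allows configuration changes and config-copy
        #    requests from anyone who learns the string.
        if mode == "RW":
            findings.append(f"snmp: community '{community}' is RW")
        # 3. Well-known community names are trivially guessable.
        if community.lower() in ("public", "private"):
            findings.append(f"snmp: community '{community}' is a default name")
        # 4. Without an access-list any source address may query the agent.
        if not acl:
            findings.append(f"snmp: community '{community}' has no access-list")
    return findings
```

Running `audit_config` on the sample config yields four findings, and none on the hardened version.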
The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.
Analysts emphasize that Static Tundra’s activity underscores ongoing weaknesses in network infrastructure security, including patch and device lifecycle management. The operation also illustrates the high strategic value nation-state actors place on compromising network devices, which provide access to broad organizational communications and facilitate further intrusions. Security researchers note that Static Tundra is not unique in targeting network infrastructure, with other state-sponsored actors pursuing similar access opportunities.
Cisco Talos assesses with high confidence that Static Tundra operates as a Russian state-sponsored group specializing in network device exploitation, based on tactical overlaps with previously identified Russian operations and targeting patterns. The FBI has corroborated connections between Static Tundra and the broader Energetic Bear group, which was formally linked to Russia’s FSB Center 16 unit in a 2022 Department of Justice indictment.