An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | April 18, 2023

NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers

FORT MEADE, Md. - The National Security Agency (NSA) has partnered with the UK’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) to publish a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers.

APT28 is also known as the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Center (GTsSS) military intelligence unit 26165, Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy.

The transatlantic coalition published the “APT28 exploits known vulnerability to carry out  reconnaissance and deploy malware on Cisco routers” CSA indicating that APT28 cyber actors masqueraded Simple Network Management protocol (SNMP) to exploit CVE-2017-6742 (Cisco Bug ID: CSCve54313) and access vulnerable Cisco routers worldwide. This included U.S. Government institutions, approximately 250 Ukrainian victims, and a small number based in Europe.

These cyber actors continue to leverage a known vulnerability to exploit unpatched Cisco routers to conduct reconnaissance and deploy malware to enable unauthenticated access. See NCSC’s Jaguar Tooth malware analysis report for details.

SNMP is designed to allow administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

The authoring agencies recommend following the mitigation advice to defend against this malicious activity and identify indicators of compromise (IoCs) to detect possible activity in networks.
 
Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.
 


 

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721