FBI & Cisco Warn of Russian Hackers Exploiting 7-Year-Old Cisco Bug in Global Cyber Espionage Campaign

August 20, 2025
  • These hackers, affiliated with Russia's FSB Center 16, primarily extract configuration data from network devices, which they retain for long-term strategic use, including reconnaissance of the victim's network.

  • The cyber espionage campaign is linked to the Russian FSB's Center 16, also known by names like Static Tundra and Berserk Bear, focusing on legacy Cisco systems that use protocols such as Cisco Smart Install and SNMP.

  • Experts emphasize the importance of maintaining updated inventories of network devices, promptly patching or disabling vulnerable features, and replacing unsupported hardware to prevent exploitation, alongside vigilant monitoring for suspicious activity.

  • The attackers collect configuration files, modify device settings for persistent access, and conduct reconnaissance within victim networks, often remaining undetected for years.

  • Targeted sectors include telecommunications, higher education, and manufacturing across North America, Asia, Africa, and Europe, with recent efforts focused on Ukraine and allied nations since 2022.

  • Both the FBI and Cisco recommend immediate actions: patch vulnerable devices, disable Smart Install if patching isn't feasible, monitor for signs of compromise, and report any suspicious activity.

  • The FBI and Cisco have issued urgent warnings about Russian state-sponsored hackers, known as Static Tundra or Dragonfly, exploiting a seven-year-old vulnerability in Cisco's Smart Install feature to target outdated routers and switches worldwide, especially in critical infrastructure sectors.

  • The group has a history of deploying malicious implants like SYNful Knock for remote access and exploiting insecure SNMP community strings, including default ones such as 'public', to control devices and exfiltrate data.

  • Cisco has acknowledged ongoing exploitation and urges customers to upgrade to secure software versions, patch legacy systems, and follow security best practices.

  • Security researchers warn that many organizations remain vulnerable due to unpatched legacy systems, and other advanced persistent threats are likely pursuing similar operations.

  • Recent intrusions involve exploiting SNMP vulnerabilities in outdated Cisco devices to steal configuration files from organizations across multiple continents, targeting critical infrastructure.

  • The operation is highly sophisticated, with compromised devices remaining under control for years; the FBI reports thousands of US devices have had configuration data exfiltrated, especially those managing industrial and operational technology.

  • Threat actors use tools like SYNful Knock for stealthy long-term access and abuse SNMP to download malicious files and alter device configurations so as to evade detection.
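
The monitoring step recommended above (watch for Smart Install and SNMP activity against network devices, and for default community strings) can be turned into a simple log check. The following Python script is an added example written for this page, not code from the FBI, Cisco or any of the summarized sources. It assumes a constructed flow-log format of the form `timestamp src -> dst proto/port [community=...]` and an assumed management subnet of 10.0.0.0/24; the sample log lines are constructed for the example. It flags Smart Install (TCP/4786) and SNMP (UDP/161) traffic from outside the management network, Smart Install use at all (the advisories say it should be disabled where it cannot be patched), and SNMP requests carrying the default community strings `public` or `private`.

```python
"""Added example: flag Smart Install and weak-SNMP activity in constructed flow logs."""
import ipaddress
import re

# Assumption for this example: only hosts in this subnet should manage network devices.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
SMART_INSTALL_PORT = 4786                 # Cisco Smart Install listens on TCP/4786
SNMP_PORT = 161                           # SNMP agent port (UDP)
WEAK_COMMUNITIES = {"public", "private"}  # default community strings named in the advisory

# Constructed sample log lines (not real traffic) in an assumed
# "timestamp src -> dst proto/dport [community=...]" format.
SAMPLE_LOGS = [
    "2025-08-20T10:00:01Z 203.0.113.5 -> 192.168.1.1 tcp/4786",
    "2025-08-20T10:00:02Z 10.0.0.7 -> 192.168.1.1 udp/161 community=public",
    "2025-08-20T10:00:03Z 10.0.0.7 -> 192.168.1.1 udp/161 community=Xk9-rotated",
    "2025-08-20T10:00:04Z 198.51.100.9 -> 192.168.1.2 udp/161 community=private",
    "2025-08-20T10:00:05Z 10.0.0.7 -> 192.168.1.1 tcp/22",
    "malformed entry that the parser must skip",
    "2025-08-20T10:00:06Z 10.0.0.9 -> 192.168.1.3 tcp/4786",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>tcp|udp)/(?P<dport>\d+)(?: community=(?P<community>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_management(addr):
    """True if the source address lies inside an assumed management subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANAGEMENT_NETS)


def findings_for(rec):
    """List the reasons a single parsed record deserves review (empty if none)."""
    reasons = []
    trusted = is_management(rec["src"])
    if rec["proto"] == "tcp" and rec["dport"] == SMART_INSTALL_PORT:
        # Smart Install should be disabled on unpatched devices, so any use is
        # worth a look; use from outside the management network is worse.
        reasons.append("smart_install_from_untrusted_source" if not trusted
                       else "smart_install_in_use")
    if rec["proto"] == "udp" and rec["dport"] == SNMP_PORT:
        if not trusted:
            reasons.append("snmp_from_untrusted_source")
        if rec.get("community") in WEAK_COMMUNITIES:
            reasons.append("snmp_default_community")
    return reasons


def scan(lines):
    """Run every line through the parser and collect those with findings."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the scan
        reasons = findings_for(rec)
        if reasons:
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "dport": rec["dport"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert['src']} -> {alert['dst']}:{alert['dport']}  {', '.join(alert['reasons'])}")
```

The flow-log format and the management subnet are the two things to adapt to a real environment. On Cisco IOS the Smart Install client itself is turned off with `no vstack`, and `show vstack config` reports whether it is still enabled; the script only tells you that something is still talking to the port.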

Summary based on 4 sources
