Ethical Hacking News
US and allied Governments Warn of Rising Threat from Russian APT Groups Targeting Critical Infrastructure Worldwide
US and allied governments have issued warnings about the growing threat of Russian APT groups targeting network devices worldwide. Russian APT groups, linked to FSB Center 16, scan the internet for poorly secured network devices, primarily routers, using weak or default credentials. The groups exploit known vulnerabilities and use spoofed requests to steal device configurations and move them to attacker-controlled servers through TFTP or FTP. The primary method used by these groups is scanning Internet IP ranges with active SNMP agents that accept common or default community strings for authentication. Experts recommend taking proactive measures, including disabling Cisco Smart Install, replacing SNMPv1/v2 with SNMPv3, and enforcing unique passwords. Organizations must monitor SNMP activity, restrict management access through ACLs, and detect suspicious configuration changes to protect against these threats.
The world of cybersecurity has been plagued by an increasing number of sophisticated threats from nation-state actors, particularly Russia. In recent months, the US and allied governments have issued warnings about the growing threat of Russian APT groups targeting network devices across various sectors worldwide. According to a joint advisory released by the US and allied governments, these groups, linked to FSB Center 16, including well-known entities such as Berserk Bear, Energetic Bear, Ghost Blizzard, Crouching Yeti, Dragonfly, and Static Tundra, have been actively scanning the internet for poorly secured network devices, primarily routers.
These groups exploit weak or default credentials to access these devices and then use spoofed requests to steal device configurations and move them to attacker-controlled servers through TFTP or FTP. The threat actors also utilize known Cisco vulnerabilities and management interfaces, which is a concerning trend as these techniques are not unique to Russia and overlap with other nation-state actors.
According to the joint advisory, the primary method Russian FSB Center 16 cyber actors use to discover and exploit poorly configured networking devices is through scanning Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication. While SNMP scanning is the primary method used by these groups, they occasionally exploit known vulnerabilities such as CVE-2018-0171 and CVE-2008-4128 to compromise network devices.
The threat actors' techniques also overlap with other groups like Salt Typhoon. To effectively defend against this growing threat, experts recommend that network defenders take several proactive measures, including:
* Disabling Cisco Smart Install
* Replacing SNMPv1/v2 with SNMPv3 using strong encryption
* Enforcing unique passwords with secure storage
Organizations must also monitor SNMP activity, restrict management access through ACLs, block unnecessary ports such as TFTP, SMI, and SNMP from external networks, and detect suspicious configuration changes. It is crucial to keep firmware updated, replace unsupported devices, and utilize attack surface management tools to identify exposed systems and weak configurations.
In conclusion, the recent joint advisory by the US and allied governments serves as a stark reminder of the escalating threat posed by Russian APT groups targeting critical infrastructure worldwide. To protect against these sophisticated threats, organizations must take proactive measures to secure their network devices, including those that use SNMP, Cisco Smart Install, and other common interfaces.
Related Information:
https://www.ethicalhackingnews.com/articles/Warning-The-Looming-Threat-of-Russian-APT-Groups-Targeting-Critical-Infrastructure-Worldwide-ehn.shtml
https://securityaffairs.com/195448/apt/us-and-allied-governments-recommendations-securing-network-devices-against-russian-apt-groups.html
https://nvd.nist.gov/vuln/detail/CVE-2018-0171
https://www.cvedetails.com/cve/CVE-2018-0171/
https://nvd.nist.gov/vuln/detail/CVE-2008-4128
https://www.cvedetails.com/cve/CVE-2008-4128/
https://usa.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat
https://me-en.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat
Published: Wed Jul 15 14:43:38 2026 by llama3.2 3B Q4_K_M