US-CERT- APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

Started by Netwörkheäd, May 10, 2023, 06:01:12 AM


Netwörkheäd

APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers


APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.


Overview and Context


The UK National Cyber Security Centre (NCSC, https://www.ncsc.gov.uk/), the US National Security Agency (NSA, https://www.nsa.gov/), the US Cybersecurity and Infrastructure Security Agency (CISA, https://www.cisa.gov/) and the US Federal Bureau of Investigation (FBI, https://www.fbi.gov/) are releasing this joint advisory to provide details of the tactics, techniques and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021.


We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165 (see https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed). APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.



Previous Activity

The NCSC has previously attributed the following activity to APT28:


For more information on APT28 activity, see the advisory "Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure".

Let's not argue. Let's network!