Russian hackers exploit six-year-old Cisco flaw to target US government agencies
APT28, a state-sponsored hacking group operated by Russian military intelligence, is exploiting a six-year-old vulnerability in Cisco routers to deploy malware and carry out surveillance, according to the U.S. and U.K. governments.
In a joint advisory issued on Tuesday, U.S. cybersecurity agency CISA, together with the FBI, the NSA, and the U.K.'s National Cyber Security Centre, detailed how the Russia-backed hackers exploited Cisco router vulnerabilities throughout 2021 with the aim of targeting European organizations and U.S. government institutions. The advisory said the hackers also compromised "approximately 250 Ukrainian victims," which the agencies did not name.
APT28, also known as Fancy Bear, is known for carrying out a range of cyberattacks, espionage, and hack-and-leak information operations on behalf of the Russian government.
According to the joint advisory, the hackers exploited a remotely exploitable vulnerability patched by Cisco in 2017 to deploy custom-built malware dubbed "Jaguar Tooth," which is designed to infect unpatched routers.
To install the malware, the threat actors scan for internet-facing Cisco routers that use default or easy-to-guess SNMP community strings.
SNMP, or Simple Network Management Protocol, allows network administrators to remotely access and configure routers using a community string in place of a username and password, but it can also be misused to obtain sensitive network information.
Once installed, the malware exfiltrates information from the router and provides stealthy backdoor access to the device, the agencies said.
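The access path described above depends on SNMPv1/v2c communities that are guessable, writable, or reachable from anywhere. The following audit script is an added example, not code from the advisory, from Cisco, or from the agencies quoted here; it scans the text of a Cisco IOS running-config for those weaknesses and shows a weak configuration beside a hardened SNMPv3 one. Both config samples, the list of default community strings, the `SNMP-MGMT` access-list name and the `10.0.0.0/24` management subnet are constructed for illustration, and the IOS command syntax it parses (`snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]`) is assumed from the documented command form.

```python
"""Audit Cisco IOS 'snmp-server' lines for weak SNMP exposure.

Added illustrative code (not from the advisory or from Cisco). It flags:
  * default or guessable community strings,
  * read-write (RW) communities,
  * communities with no access-list restricting source hosts,
  * SNMPv1/v2c communities present while no SNMPv3 user is defined.
"""
import re
from dataclasses import dataclass

# Constructed list of well-known community strings; extend to match local policy.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "snmp"}

COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)(?P<rest>.*)$", re.IGNORECASE
)
# 'snmp-server user <name> <group> v3 ...' marks an SNMPv3 user (assumed IOS form).
USER_V3_RE = re.compile(r"^\s*snmp-server\s+user\s+\S+\s+\S+\s+v3\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 0 for device-wide findings
    line: str
    reason: str


def _has_acl(rest: list[str]) -> bool:
    """True if an IPv4 access-list token trails the community definition.

    Assumed syntax: community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>].
    Whatever remains after consuming the keyword groups is the access list.
    """
    i = 0
    while i < len(rest):
        t = rest[i].lower()
        if t in ("view", "ipv6"):
            i += 2
        elif t in ("ro", "rw"):
            i += 1
        else:
            return True
    return False


def audit_snmp_config(config_text: str) -> list[Finding]:
    """Return findings for every weak 'snmp-server community' line in the config."""
    findings: list[Finding] = []
    has_v2_community = False
    has_v3_user = False
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        m = COMMUNITY_RE.match(line)
        if m:
            has_v2_community = True
            name = m.group("name")
            rest = m.group("rest").split()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(no, line, f"default or guessable community string '{name}'"))
            elif len(name) < 12:
                findings.append(Finding(no, line, f"short community string '{name}' (<12 chars)"))
            if any(t.lower() == "rw" for t in rest):
                findings.append(Finding(no, line, "read-write community allows reconfiguration by anyone holding the string"))
            if not _has_acl(rest):
                findings.append(Finding(no, line, "no access-list restricts which hosts may use this community"))
            continue
        if USER_V3_RE.match(line):
            has_v3_user = True
    if has_v2_community and not has_v3_user:
        findings.append(Finding(0, "", "SNMPv1/v2c communities configured but no SNMPv3 user defined"))
    return findings


# Constructed sample: the kind of exposure the advisory describes.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server location Branch office
"""

# Constructed sample: SNMPv3 authPriv, group bound to a management-only ACL.
HARDENED_CONFIG = """\
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 10.0.0.0 0.0.0.255
 deny any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user netmon NETMON v3 auth sha EXAMPLE-AUTH-PASS priv aes 128 EXAMPLE-PRIV-PASS
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for f in audit_snmp_config(cfg) or []:
            where = f"line {f.line_no}: " if f.line_no else ""
            print(f"  {where}{f.reason}")
```

Run it against `show running-config` output saved to a file, or feed it configs pulled by whatever backup tooling is in place; an empty result for a device that still has SNMP enabled is the state the advisory's mitigation section is pushing toward (SNMPv3 with authentication and encryption, reachable only from management hosts).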
Matt Olney, director of threat intelligence at Cisco Talos, said in a blog post that this campaign is an example of "a wider trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity."
"Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we've observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally," Olney said.
Olney added that in addition to Russia, China has also been observed attacking network equipment in several campaigns.
Earlier this year, Mandiant reported that Chinese state-backed attackers exploited a zero-day vulnerability in Fortinet devices to carry out a series of attacks on government organizations.