A hacker at work with the Russian flag in the background, reflecting ongoing cyber operations targeting critical infrastructure through vulnerabilities in Cisco devices.

Russian state-backed hackers have been exploiting an old flaw in Cisco software to gain access to thousands of network devices tied to critical infrastructure, according to the FBI and Cisco. The campaigns, active over the past year, have been linked to the Russian Federal Security Service (FSB) Center 16, one of Moscow’s most established cyber espionage units.

Cisco’s threat research arm, Talos, reported that the hackers—tracked as “Static Tundra”—have been using a vulnerability in the company’s Smart Install feature, first identified seven years ago. Although Cisco issued a patch, many organizations still rely on outdated or unpatched devices, leaving them vulnerable to exploitation.

According to Talos researchers Sara McBroom and Brandon White, the hackers have been collecting configuration files “en masse,” extracting details that could later be used in line with Russian strategic interests. These files can be altered to create persistent access, allowing adversaries to remain hidden in compromised networks for extended periods.

The FBI issued a similar advisory, confirming that thousands of devices connected to U.S. critical infrastructure have been targeted. Investigators noted that in some cases, intruders conducted reconnaissance of industrial control systems, showing a clear interest in protocols tied to utilities and other essential services.

The scope of the campaign is not limited to the United States. Talos reported that organizations across North America, Europe, Asia, and Africa have been affected, particularly within telecommunications, higher education, and manufacturing. Victims appear to have been chosen based on their potential value to Russian government interests.

Once inside a network, the attackers are able to move laterally, compromising additional devices and establishing multiple footholds to avoid detection. This long-term persistence allows them to monitor communications, harvest credentials, and map network structures.

The activity is consistent with past operations attributed to Center 16. The group has been active for at least a decade, with its operatives linked to prior campaigns against the global energy sector. In 2022, the U.S. Department of Justice charged four Russian nationals from the unit with targeting power companies, refineries, and other energy infrastructure between 2012 and 2018.

Moscow has repeatedly denied involvement in cyber espionage, and the Russian embassy in Washington did not respond to recent requests for comment. Nevertheless, Western officials have long described Russian cyber units as persistent threats to both government and private networks worldwide.

Security experts warn that other state-backed actors are likely pursuing similar campaigns. Cisco urged customers to apply available patches or disable the Smart Install feature to mitigate exposure. The company stressed that reliance on end-of-life devices creates an ongoing security gap, especially when attackers are willing to invest in long-term access and surveillance.
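As an added defender-side example (not code from the article, Cisco, or Talos), the script below audits a constructed IOS-style running-config against a saved baseline: it reports whether Smart Install (`vstack`) is still enabled and lists configuration lines that appeared since the baseline was approved, the kind of drift that tampering with collected configuration files would produce. The sample configs are constructed, and the "enabled unless `no vstack` is present" rule is an assumption about the affected releases; Smart Install's use of TCP port 4786 is the documented listener.

```python
import difflib
import re

# Constructed sample running-config as pulled from a switch today (not from the article).
CURRENT_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$constructed$hash1
username svc-backup privilege 15 secret 5 $1$constructed$hash2
vstack
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp any any eq 4786
line vty 0 4
 transport input ssh telnet
"""

# Constructed baseline: the last approved configuration for the same device.
BASELINE_CONFIG = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$constructed$hash1
no vstack
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
line vty 0 4
 transport input ssh
"""

def smart_install_enabled(config: str) -> bool:
    """True unless the config explicitly carries 'no vstack'.
    Assumption: on the affected releases Smart Install is on by default."""
    return not any(line.strip() == "no vstack" for line in config.splitlines())

def config_drift(baseline: str, current: str) -> list[str]:
    """Configuration lines present now that were not in the approved baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]

def audit(baseline: str, current: str) -> dict:
    """Summarise the exposure and drift findings a defender would triage first."""
    added = config_drift(baseline, current)
    return {
        "smart_install_enabled": smart_install_enabled(current),
        # New local accounts are a common sign of persistence written into the config.
        "new_local_users": [line.split()[1] for line in added if line.startswith("username ")],
        # Smart Install listens on TCP 4786; a new ACL entry permitting it widens exposure.
        "smart_install_port_allowed": any(re.search(r"\beq 4786\b", line) for line in added),
        "added_lines": added,
    }
```

Run `audit(BASELINE_CONFIG, CURRENT_CONFIG)` against configs exported from your own backup system; any device reporting `smart_install_enabled` as True should get `no vstack` applied or be upgraded.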

The campaign highlights the challenge of defending global infrastructure in an environment where old vulnerabilities remain exploitable years after patches are released. With adversaries targeting systems that underpin daily life, the burden falls on both technology providers and organizations to maintain vigilance, update devices, and close avenues of attack that sophisticated groups continue to exploit.

This image is the property of The New Dispatch LLC and is not licenseable for external use without explicit written permission.