APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

APT28 accesses improperly maintained Cisco routers and deploys malware on unpatched units working with CVE-2017-6742.

Overview and Context

The British isles Countrywide Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Stability Company (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to deliver details of tactics, approaches and procedures (TTPs) related with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is virtually definitely the Russian Normal Team Primary Intelligence Directorate (GRU) 85th exclusive Company Centre (GTsSS) Military services Intelligence Unit 26165. APT28 (also regarded as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly qualified threat actor.

Obtain the United kingdom PDF variation of this report:

Obtain the US PDF model of this report:

Prior Action

The NCSC has earlier attributed the following exercise to APT28:

For far more info on APT28 activity, see the advisory Russian Condition-Sponsored and Criminal Cyber Threats to Crucial Infrastructure and Russian GRU Conducting Worldwide Brute Pressure Marketing campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed working with commercially out there code repositories, and publish-exploit frameworks these as Empire. This integrated the use of PowerShell Empire, in addition to Python variations of Empire.


Use of SNMP Protocol to Obtain Routers

In 2021, APT28 utilized infrastructure to masquerade Basic Network Administration protocol (SNMP) obtain into Cisco routers worldwide. This included a tiny quantity based mostly in Europe, US government institutions and around 250 Ukrainian victims.

SNMP is made to enable community directors to keep an eye on and configure community gadgets remotely, but it can also be misused to acquire sensitive community data and, if vulnerable, exploit gadgets to penetrate a community.

A selection of application applications can scan the full community making use of SNMP, this means that inadequate configuration this sort of as applying default or effortless-to-guess group strings, can make a network susceptible to attacks.

Weak SNMP neighborhood strings, which includes the default “general public,” authorized APT28 to attain entry to router data. APT28 despatched additional SNMP instructions to enumerate router interfaces. [T1078.001]

The compromized routers were configured to acknowledge SNMP v2 requests. SNMP v2 doesn’t assistance encryption and so all details, such as neighborhood strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software program was manufactured accessible. 

Cisco’s released advisory provided workarounds, this kind of as limiting access to SNMP from trustworthy hosts only, or by disabling a quantity of SNMP Management Information and facts bases (MIBs).

Malware Deployment

For some of the specific products, APT28 actors applied an SNMP exploit to deploy malware, as specific in the NCSC’s Jaguar Tooth Malware Examination Report. This malware acquired even more unit info, which is exfiltrated about trivial file transfer protocol (TFTP), and enabled unauthenticated access through a backdoor.

The actor attained this machine information and facts by executing a quantity of Command Line Interface (CLI) commands via the malware. It involves discovery of other products on the community by querying the Tackle Resolution Protocol (ARP) table to get hold of MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Be sure to refer to the accompanying Malware Investigation Report for indicators of compromise which may well assist to detect this activity.


This advisory has been compiled with regard to the MITRE ATT&CK® framework, a globally accessible know-how foundation of adversary practices and strategies based on actual-world observations.

For thorough TTPs, see the Malware Examination Report.





Initial Entry


Exploit Community-facing Software.

APT28 exploited default/well-known neighborhood strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).

First Entry


Valid Accounts: Default Accounts.

Actors accessed victim routers by making use of default community strings these types of as “public.”



Collect Victim Community Info

Accessibility was received to accomplish reconnaissance on target devices. Further element of how this was achieved in offered in the MITRE ATT&CK segment of the Jaguar Tooth MAR.


APT28 has been recognized to accessibility vulnerable routers by applying default and weak SNMP local community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as revealed by Cisco.

TTPs in this advisory may perhaps even now be made use of in opposition to vulnerable Cisco devices. Businesses are recommended to follow the mitigation tips in this advisory to defend in opposition to this action.


Uk corporations should report any suspected compromises to the NCSC.
US organisations should get in touch with CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.



  • Patch devices as advised by Cisco. The NCSC also has common steering on controlling updates and keeping program up to day.
  • Do not use SNMP if you are not essential to configure or take care of units remotely to reduce unauthorized people from accessing your router.
    • If you are required to regulate routers remotely, set up permit and deny lists for SNMP messages to reduce unauthorized buyers from accessing your router.
  • Do not allow unencrypted (i.e., plaintext) administration protocols, these kinds of as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you ought to carry out any management actions from exterior the business by means of an encrypted digital personal network (VPN), exactly where both equally ends are mutually authenticated.
  • Enforce a robust password plan. Really do not reuse the identical password for a number of products. Every machine should have a unique password. Where by possible, avoid legacy password-based mostly authentication and implement two-element authentication based mostly on public-non-public essential.
  • Disable legacy unencrypted protocols these kinds of as Telnet and SNMP v1 or v2c. Exactly where probable, use fashionable encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based mostly on current very best safety practice. The NCSC strongly advises homeowners and operators to retire and exchange legacy equipment that can’t be configured to use SNMP v3.
  • Use logging applications to file instructions executed on your network gadgets, these types of as TACACS+ and Syslog. Use these logs to instantly highlight suspicious situations and maintain a report of situations to guidance an investigation if the device’s integrity is ever in query. See NCSC assistance on checking and logging.
  • If you suspect your router has been compromised:
    • Abide by Cisco’s assistance for verifying the Cisco IOS picture.
    • Revoke all keys affiliated with that router. When changing the router configuration be guaranteed to build new keys rather than pasting from the old configuration.
    • Switch the two the ROMMON and Cisco IOS graphic with an graphic that has been sourced right from the Cisco web page, in situation third bash and inside repositories have been compromised.
  • NSA’s Network Infrastructure guide presents some best procedures for SNMP.
  • See also the Cisco IOS hardening information and Cisco’s Jaguar Tooth blog.

This item is presented topic to this Notification and this Privacy & Use policy.

Fibo Quantum