APT28, a state-sponsored hacking group operated by Russian military intelligence, is exploiting a six-year-old vulnerability in Cisco routers to deploy malware and carry out surveillance, according to the U.S. and U.K. governments.
In a joint advisory issued on Tuesday, U.S. cybersecurity agency CISA, along with the FBI, the NSA and the U.K.’s National Cyber Security Centre, details how the Russia-backed hackers exploited Cisco router vulnerabilities throughout 2021 with the aim of targeting European organizations and U.S. government institutions. The advisory said the hackers also compromised “approximately 250 Ukrainian victims,” which the agencies did not name.
APT28, also known as Fancy Bear, is known for carrying out a range of cyberattacks, espionage and hack-and-leak information operations on behalf of the Russian government.
According to the joint advisory, the hackers exploited a remotely exploitable vulnerability patched by Cisco in 2017 to deploy a custom-built malware dubbed “Jaguar Tooth,” which is designed to infect unpatched routers.
To install the malware, the threat actors scan for internet-facing Cisco routers using a default or easy-to-guess SNMP community string.
SNMP, or Simple Network Management Protocol, lets network administrators remotely access and configure routers, authenticating with a shared community string in place of a username and password; a default or guessable community string can therefore be misused to obtain sensitive network information.
Once installed, the malware exfiltrates information from the router and provides stealthy backdoor access to the device, the agencies said.
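As an added illustration (not code from the advisory, Cisco or TechCrunch), a small Python check that flags the weak SNMP community settings described above in Cisco IOS-style configuration text; the sample configuration, the list of default strings and the 12-character length threshold are assumptions.

```python
"""Flag weak 'snmp-server community' settings in Cisco IOS-style config text.

Added example for this article; not code from the advisory or from Cisco.
The sample configuration below is constructed.
"""
import re

# Community strings commonly left at vendor defaults or chosen for convenience.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number|acl-name>]
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (?P<name>\S+)(?P<rest>.*)$", re.I)


def audit_snmp_config(config_text):
    """Return a list of (community, finding) pairs for each risky setting found."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        tokens = m.group("rest").split()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, "default or easily guessed community string"))
        elif len(name) < 12:  # assumed minimum length; adjust to local policy
            findings.append((name, "community string shorter than 12 characters"))
        upper = [t.upper() for t in tokens]
        mode_idx = next((i for i, t in enumerate(upper) if t in ("RO", "RW")), None)
        if mode_idx is not None and upper[mode_idx] == "RW":
            findings.append((name, "read-write access granted"))
        # Tokens after RO/RW name an access list; with none, any source may query.
        if mode_idx is not None:
            acl = tokens[mode_idx + 1:]
        else:
            acl = tokens[2:] if upper[:1] == ["VIEW"] else tokens
        if not acl:
            findings.append((name, "no access list restricting SNMP sources"))
    return findings


SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community Xk9#rT2mQp7vL RW
snmp-server community Xk9#rT2mQp7vL RO 10
access-list 10 permit 10.0.5.10
"""


def audit_sample():
    """Run the audit over the constructed sample; the last line is the clean one."""
    return audit_snmp_config(SAMPLE_CONFIG)
```

Running `audit_sample()` reports four findings: the default string, its missing access list, the read-write community and its missing access list; the ACL-restricted read-only line passes.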
Matt Olney, director of threat intelligence at Cisco Talos, said in a blog post this campaign is an example of “a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.”
“Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally,” Olney said.
Olney added that in addition to Russia, China has also been spotted attacking network equipment in several campaigns.
Earlier this year, Mandiant reported that Chinese state-backed attackers exploited a zero-day vulnerability in Fortinet devices to carry out a series of attacks on government organizations.
