US CISA, FBI, NSA, UK NCSC and Cisco warn about attacks on routers by Russia-linked actors
APT28 is a Russia-affiliated threat actor also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy.
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the UK National Cyber Security Centre (NCSC), and technology firm Cisco released advisories highlighting attacks on routers believed to have been exploited by hackers group APT28.
APT28, allegedly linked to Russia’s General Staff Main Intelligence Directorate’s (GRU) targeted Cisco router vulnerabilities throughout 2021, attacking ‘a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.’
APT28 exploited a vulnerability CVE-2017-6742 to access the Simple Network Management protocol (SNMP), which allows network administrators to monitor and configure network devices remotely. Poor configuration, such as using default settings, allowed APT28 to gain access to router information. For some of the targeted devices, APT28 deployed malware, which allowed them to obtain further device information and backdoor access.
Previously, the NCSC attributed attacks on the German parliament in 2015 and the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018 to APT28.