APT28, the hacking arm of Russia’s GRU military intelligence agency has been backdooring Cisco routers by exploiting a remote code execution vulnerability in the Cisco IOS implementation of the simple network management protocol (SNMP), according to a statement by Western security agencies. The malware deployed on compromised routers patches the router’s authentication mechanism to always accept any password for any local user.
“In 2021, APT28 used infrastructure to masquerade simple network management protocol (SNMP) access into Cisco routers worldwide,” the UK National Cyber Security Centre (NCSC) said in a joint advisory with the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Federal Bureau of Investigation (FBI). “This included a small number based in Europe, US government institutions, and approximately 250 Ukrainian victims.”