UK and US agencies have issued a joint advisory to assist organisations in combating malicious activity used by Russian cyber actors to exploit poorly maintained Cisco routers.

APT28, a threat group linked to Russia's military intelligence service, the GRU, has been observed using poorly configured networks and exploiting a known vulnerability to deploy malware and gain access to Cisco routers around the world.

In 2021, a series of reconnaissance attacks were carried out against a small number of European organisations, US government institutions, and approximately 250 Ukrainian victims, with Jaguar Tooth malware then deployed against some targeted devices to enable unauthenticated access.

The advisory, issued by the National Cyber Security Centre (NCSC), a division of GCHQ, as well as the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), strongly advises organisations to follow mitigation advice to protect themselves against this activity.

This includes installing the Cisco security update that addresses the vulnerability: CVE-2017-6742.

The advisory was issued on the eve of CYBERUK 2023, the UK's flagship cyber security conference, which was held in Northern Ireland for the first time earlier this year.

Paul Chichester, NCSC Director of Operations, said:

“This malicious activity by APT28 presents a serious threat to organisations, and the UK and our US partners are committed to raising awareness of the tactics and techniques being deployed.

“We strongly encourage network defenders to ensure the latest security updates are applied to their routers and to follow the other mitigation steps outlined in the advisory to prevent compromise.”

Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA said:

“With our partners at the NCSC, FBI, and NSA, CISA is urgently focused on sharing actionable information to help organizations identify and mitigate risks posed by sophisticated threat actors like APT28. We encourage all organizations to prioritize adoption of mitigations outlined in our joint advisory and take urgent actions to reduce the likelihood of damaging intrusions.”

In addition to applying the security update, it also encourages organisations to:

• keep devices and networks up to date, and follow advice on how to securely configure relevant protocols
• enforce a strong password policy, which includes avoiding reusing passwords for multiple devices
• use logging tools to record commands executed on network devices - the NCSC has guidance on monitoring and logging

UK organisations should report suspected compromises to the NCSC. Meanwhile, Cisco has published a blog post about the activity.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).