US Offers $10M Bounty For FSB Hackers Who Exploited Cisco Vulnerability To Attack Critical Infrastructure

The United States government has announced a reward of up to $10 million for information leading to the identification or location of three Russian intelligence officers. The reward is offered through the Department of State’s Rewards for Justice program and targets members of the Russian Federal Security Service (FSB) accused of conducting extensive malicious cyber campaigns against U.S. critical infrastructure.

FBI Warning and Exploits

The Federal Bureau of Investigation (FBI) has issued a warning detailing the activities of the FSB’s Center 16 unit. The FBI has detected these state-sponsored hackers exploiting a known vulnerability in Cisco networking equipment to infiltrate computer networks globally. The three officers identified in the reward posting are Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov.

In addition to their attacks on U.S. targets, the group is accused of targeting over 500 foreign energy companies across 135 countries.

Technical Details of the Exploitation

The FSB cyber actors have been exploiting CVE-2018-0171, a critical vulnerability in the Cisco Smart Install (SMI) protocol. The hackers specifically target end-of-life networking devices that no longer receive security updates. By leveraging the Simple Network Management Protocol (SNMP) and the unpatched Cisco vulnerability, the group collected configuration files from thousands of networking devices associated with U.S. entities in critical sectors. Once inside the networks, the actors modified device configurations to create unauthorized backdoors.
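The two exposure paths this paragraph names, Smart Install left reachable and SNMP used to pull configurations, can be checked for in a saved running-config. The following audit script is an added example, not code from the article, Cisco, or any agency cited; the sample configuration is constructed, and the checks follow Cisco's published guidance that Smart Install is only disabled by an explicit `no vstack` line (or by filtering TCP/4786).

```python
import re
from typing import List

# Constructed sample running-config for illustration only; it is not taken
# from the article or from any real device.
SAMPLE_CONFIG = """\
hostname edge-sw01
!
snmp-server community public RO
snmp-server community private RW
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
end
"""

def audit_ios_config(config: str) -> List[str]:
    """Return findings for the exposures the article describes: Smart Install
    (SMI, TCP/4786) still enabled and weak SNMP settings."""
    findings: List[str] = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install is on by default on many IOS/IOS-XE switches and is only
    # turned off by an explicit 'no vstack' line in the configuration.
    if "no vstack" not in lines:
        findings.append("Smart Install not disabled: add 'no vstack' or filter TCP/4786")

    community_seen = False
    for ln in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", ln, re.IGNORECASE)
        if not m:
            continue
        community_seen = True
        name, mode = m.group(1), m.group(2).upper()
        if mode == "RW":
            # A read-write community lets a remote party pull and push the
            # device configuration, the outcome the article describes.
            findings.append(f"SNMP community '{name}' is read-write")
        if name.lower() in ("public", "private"):
            findings.append(f"SNMP community '{name}' is a well-known default")

    # SNMPv1/v2c communities travel in cleartext; flag configs with no v3 group.
    has_v3 = any(ln.startswith("snmp-server group") and " v3 " in ln for ln in lines)
    if community_seen and not has_v3:
        findings.append("Only SNMPv1/v2c in use: migrate to an SNMPv3 group with 'priv'")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a `show running-config` capture from each switch in an inventory; a device that still reports the Smart Install finding is the kind of end-of-life target the article describes.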

This persistent access facilitated detailed reconnaissance, focusing on protocols and applications commonly used in industrial control systems (ICS). This indicates a significant interest in systems managing essential services, such as power grids, water treatment plants, and manufacturing facilities.

Background and Response

This FSB hacking unit is known by various names, including “Berserk Bear,” “Dragonfly,” and “Static Tundra,” and has been active for over a decade. The group has a long history of compromising networking devices worldwide, often targeting equipment using legacy, unencrypted protocols like SMI and older versions of SNMP. Their tactics include deploying custom malware, such as the tool publicly identified as “SYNful Knock” in 2015, designed to compromise specific Cisco devices.

In response to this persistent threat, U.S. federal agencies and private sector partners have issued multiple alerts. Cisco’s Talos intelligence group has also published its analysis of the threat actor. The Rewards for Justice program is now soliciting tips through a secure Tor-based channel, offering potential relocation in addition to the multimillion-dollar reward for information that helps disrupt these ongoing cyber operations.