The U.S. and U.K. governments have reported that APT28, a hacking group sponsored by the Russian military intelligence, is utilizing a six-year-old vulnerability in Cisco routers to deploy malware and conduct surveillance.

Recent attacks by APT28 have targeted Cisco routers in the U.S., Ukraine, and several European countries in 2021.

Despite being a six-year-old vulnerability, the exploited flaws still pose a substantial risk, with Cisco expressing deep concern over the rising rate of high-sophistication attacks on network infrastructure.

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and the UK’s National Cyber Security Center, released a joint advisory detailing how Russia-backed hackers exploited vulnerabilities in Cisco routers throughout 2021.

The advisory said the hackers also hacked “approximately 250 Ukrainian victims,” which the agencies did not name.

The primary targets were “European organizations and U.S. government institutions.“

APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group believed to be linked to Russia’s General Staff Main Intelligence Directorate (GRU).

The group is known for conducting cyber espionage by exploiting zero-day vulnerabilities and has been attributed to a variety of attacks on European and U.S. interests.

As per BleepingComputer, APT28 hackers have been exploiting an outdated SNMP vulnerability in Cisco IOS routers to distribute their custom malware called ‘Jaguar Tooth.’

This malware is injected directly into the memory of Cisco routers that run on older firmware versions.

Once the malware is installed, it steals information from the router and creates an unauthenticated backdoor access to the device.

Cisco revealed in a blog post on Tuesday that it had observed several activities carried out by threat actors on compromised infrastructure devices.

The activities include installing malware, hijacking DNS traffic, modifying device configurations to gain further access, modifying memory to reintroduce patched vulnerabilities, capturing traffic, and using the devices for attack delivery or as command and control (C&C) platforms.

According to Matt Olney, the director of threat intelligence and interdiction at Cisco, network devices such as route/switch are generally stable, not regularly assessed from a security standpoint, inadequately patched, and offer extensive network visibility.