ctipilot.ch

Static Tundra

actor · actor:static-tundra

Russian FSB Centre 16 network-device cluster (Cisco Talos: Static Tundra; CrowdStrike/FBI: Berserk Bear/Energetic Bear; Symantec: Dragonfly; Microsoft: Ghost Blizzard) that opportunistically compromises internet-facing routers via default/weak SNMP community strings and Cisco Smart Install (CVE-2018-0171), exfiltrating device configurations over TFTP, across communications, defence, energy, financial, government and healthcare sectors. Detailed in a 19-agency (13-country) joint Cybersecurity Advisory (2026-07-13) and formally attributed by CERT Polska/UK/EU to the destructive 29 December 2025 Poland energy-grid attack. FSB Centre 16 is a parent unit spanning multiple tracked clusters (Static Tundra and, separately, Turla/Secret Blizzard), not a single group.

Aliases: Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
high
1 high
Sources cited
7
6 hosts
Sections touched
1
deep-dive
Co-occurring entities
4
see Related entities below
ATT&CK techniques
17
pinned v19.1 · see below

ATT&CK techniques

17 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Reconnaissance TA0043

T1595.001Active Scanning: Scanning IP Blocks×1

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1595.002Active Scanning: Vulnerability Scanning×1

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Resource Development TA0042

T1583.003Acquire Infrastructure: Virtual Private Server×1

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1584.008Compromise Infrastructure: Network Devices×1

Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1588.005Obtain Capabilities: Exploits×1

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×1

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Defense Impairment TA0112

T1601.001Modify System Image: Patch System Image×1

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Credential Access TA0006

T1003OS Credential Dumping×1

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Collection TA0009

T1602.001Data from Configuration Repository: SNMP (MIB Dump)×1

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1602.002Data from Configuration Repository: Network Device Configuration Dump×1

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1090Proxy×1

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Exfiltration TA0010

T1048Exfiltration Over Alternative Protocol×1

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Impact TA0040

T1485Data Destruction×1

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Story timeline

  1. 2026-07-13FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions
    deep-dive19-agency advisory details FSB Centre 16 router hijacking via SNMP and Cisco Smart Install as the UK and EU attribute Poland's Dec-2025 grid sabotage

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

attributed activity

Where this entity is cited

  • deep-dive1

Source distribution

  • bleepingcomputer.com2 (29%)
  • blog.talosintelligence.com1 (14%)
  • cert.pl1 (14%)
  • gov.uk1 (14%)
  • media.defense.gov1 (14%)
  • ncsc.gov.uk1 (14%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Static Tundra (1)

2026-07-13 · view entry permalink →

HIGHCVE-2018-0171exploitedNATOA1

FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions

Background. The FSB Centre 16 network-device cluster is not new — it has a decade-plus public record under the vendor labels Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly and Ghost Blizzard, and Cisco Talos profiled it in August 2025 as "Static Tundra," documenting long-term compromise of unpatched and end-of-life network gear for configuration theft and persistent collection (Cisco Talos, 2025-08-20). What is new is a same-day trio of actions on 2026-07-13: a much fuller TTP disclosure, a formal government attribution of a destructive attack, and the first coordinated EU/UK cyber-sanctions package.

A joint Cybersecurity Advisory carrying 19 authoring and co-sealing agencies across 13 countries — NSA, CISA, FBI and DC3 (US) alongside the cyber and intelligence authorities of Australia, Canada, New Zealand, the UK, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland and Sweden — describes FSB Centre 16 opportunistically compromising poorly configured routers across communications, defense industrial base, energy, financial services, government (especially state/local), and healthcare sectors (NSA/CISA/FBI joint advisory, 2026-07-13; NCSC-UK, 2026-07-13). The advisory notes these TTPs overlap with Salt Typhoon activity, so the hardening below counters more than one actor.

The primary access vector is not a novel exploit but weak SNMP hygiene. The actors scan internet IP ranges for SNMP agents that accept common or default community strings, then issue spoofed-source SNMP Set-Requests carrying object identifiers that instruct the device to copy its running configuration to a file (commonly config.bkp or output.txt) and transfer it, usually over TFTP, to a leased VPS or a compromised FTP server (joint advisory, 2026-07-13). The advisory names the exact OIDs abused — 1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy) and 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (the destination address for the copied config). A stolen configuration frequently discloses further credentials and additional community strings, feeding lateral movement. Talos's profile records the actor guessing or reusing insecure read-write community strings such as public and anonymous (Cisco Talos, 2025-08-20). Secondarily — "occasionally," per the advisory — the actors exploit known Cisco bugs and the Smart Install (SMI) feature, naming CVE-2018-0171 (the Smart Install pre-auth RCE, in CISA KEV since 2021) and CVE-2008-4128 (end-of-life devices only, no patch). Persistence has historically included the SYNful Knock IOS firmware implant.

The Poland grid attribution. On the same day, the UK together with EU member states formally attributed the destructive 29 December 2025 attack on Poland's energy grid to FSB Centre 16 (NCSC-UK, 2026-07-13). CERT Polska's own incident report describes coordinated destructive activity against 30-plus wind and photovoltaic grid-connection substations — RTU, HMI and protection-relay firmware damaged or system files deleted — and a combined heat-and-power plant serving roughly half a million people, where wiper malware was blocked by the operator's EDR before detonation; CERT Polska tied the activity to the Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly cluster via VPS, router and anonymizing-infrastructure overlap and called it "the first publicly described destructive activity attributed to this activity cluster" (CERT Polska, 2026-01-30). Note the attribution is contested at the cluster-label level: earlier ESET reporting attributed the same DynoWiper attack to the GRU's Sandworm (BleepingComputer, 2026-01-24), and the EU Council statement names FSB Centre 16 as the parent controlling several groups including Turla — so treat "FSB Centre 16" as an umbrella unit rather than a single team.

The sanctions package is the policy layer: the EU designated 9 individuals and 4 entities and the UK designated 24, covering senior GRU figures, the front company IMPULS accused of recruiting hackers for GRU Unit 29155, Lumma Stealer operators, and the disinformation outlet Rybar LLC (UK Government, 2026-07-13; BleepingComputer, 2026-07-13).

Detection. The telemetry classes to prioritise on network gear: network-flow and firewall logs for inbound SNMP Set-Requests (especially with spoofed or unfamiliar source addresses) and for outbound TFTP sessions initiated from a router/switch management interface to non-management destinations; device syslog and AAA/TACACS+ logs for unexpected "config copy" events, new local-account creation, and unexplained drops in logging volume — Talos documents the actor tampering with TACACS+ configuration to blind logging and standing up GRE tunnels to redirect victim traffic (Cisco Talos, 2025-08-20); and IDS rules keyed to inbound SNMP Set-Requests carrying the config-copy OIDs above, as the advisory recommends (joint advisory, 2026-07-13). Baseline NetFlow for the new GRE tunnel endpoints Talos describes.

Defender takeaway. For a Swiss or European CI operator this is a router-hygiene mandate with a live destructive precedent next door. Disable Smart Install where it is not in active use, confirm CVE-2018-0171 is patched, migrate management SNMP to v3 with authPriv and disable SNMPv1/v2c (or, where legacy SNMP is unavoidable, replace every default/weak community string and enforce read-only), restrict all management protocols to known stations via out-of-band ACLs, use Cisco password hashing type 8 (never 0/4/7), and treat the device configuration held in your management system — not the device itself — as the source of truth so a tampered config is detectable.

Triage: legitimate network-management stations poll SNMP on a predictable cadence from a known IP set, almost always read-only GET/GET-NEXT. The signal is a write (SNMP Set-Request) — particularly one carrying the config-copy OIDs — from a source outside the management range or with an inconsistent/spoofed source address, followed by an outbound TFTP transfer from the device; either alone is weak, the sequence config-write-then-TFTP-egress is the discriminator.

The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication

NSA / CISA / FBI / DC3 joint Cybersecurity Advisory (19 agencies, 13 countries) 2026-07-13

The UK together with EU member states has also today formally attributed the December 2025 attack on Poland's energy grid to Russia's FSB Centre 16.

NCSC-UK 2026-07-13

This is, however, the first publicly described destructive activity attributed to this activity cluster.

CERT Polska 2026-01-30

This reckless attack failed but could have caused 500,000 citizens to lose electricity in the depths of winter.

UK Government (FCDO) 2026-07-13
threat13 Jul 12:40Zmulti-sourceOpen finding ↗