Russian government attackers have been exploiting unpatched and badly-configured Cisco Systems routers since 2021, according to an alert from U.S. and U.K. cybersecurity agencies. The vulnerabilities, which were publicized and patched in 2017, are in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE Software. They could allow an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. The threat actor that’s been exploiting these holes for over two years is what threat researchers variously call APT28, Fancy Bear, Strontium, Pawn Storm, the Sednit Gang and Sofacy. But the security agencies say whatever the name it is, it’s almost certainly the intelligence unit of the Russian Military General Staff (GRU). “In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide,” today’s report says. “This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims. ”SNMP is designed to allow network administrators to monitor and configure network devices remotely, says the report, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. “A number of software tools can scan the entire network using SNMP, meaning that poor configuration, such as using default or easy-to-guess community strings, can make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.” The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted. For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware the U.K.’s National Cyber Security Centre calls Jaguar Tooth, which collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP), and also enables unauthenticated backdoor access.