$10M reward for Russia’s FSB officers accused of hacking US Critical infrastructure

Pierluigi Paganini September 04, 2025

US offers $10M for Russian FSB officers Tyukov, Gavrilov & Akulov, accused of attacking US critical infrastructure and over 500 energy firms worldwide.

The US Department of State is offering up to $10M for info on FSB officers Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, accused of hacking US infrastructure and over 500 energy firms.

The officers aimed at obtaining and maintaining “unauthorized persistent access to hundreds of U.S. and international energy companies, thereby enabling the Russian government to disrupt and damage such facilities.”

“He and his co-conspirators targeted more than 380 foreign energy-sector companies in 135 countries. Targeted companies included U.S. and foreign global oil and gas firms, utility and electrical grid companies, nuclear power plants, renewable energy companies, consulting and engineering groups, and advanced technology firms.” reads the page published on the Rewards for Justice website for each of the officers.

The three officers are all members of the FSB’s Center 16 unit (aka Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti).

In August 2021, the US DoJ charged the three FSB officers (Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov).

Between 2012 and 2017, the Dragonfly APT conducted multiple attacks targeting industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in the energy industry, including oil and gas firms, nuclear power plants, as well as utility and power transmission companies.

According to the indictment, the campaign against the energy sector involved two phases. In the first phase, which took place between 2012 and 2014, the nation-state actor was tracked as “Dragonfly” or “Havex” and engaged in a supply chain attack, compromising OT network system manufacturers and software providers to deploy the “Havex” implant.

The attackers also launched spear-phishing and “watering hole” attacks that allowed them to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

In the second phase, which took place between 2014 and 2017, the APT group tracked as “Dragonfly 2.0” focused on more targeted attacks on specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems. The group targeted more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. Government agencies such as the Nuclear Regulatory Commission.

In August 2025, the FBI warned that Russia-linked threat actor Static Tundra exploits Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to target organizations in the United States and globally.

CVE-2018-0171 (CVSS score of 9.8) affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. The flaw could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

“The Federal Bureau of Investigation (FBI) is warning the public, private sector, and international community of the threat posed to computer networks and critical infrastructure by cyber actors attributed to the Russian Federal Security Service’s (FSB) Center 16.” reads the alert issued by the FBI. “The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”

Static Tundra is a Russia-linked actor attributed to the FSB’s Center 16 unit that has been active for over a decade. The cyber espionage group specializes in compromising network devices for long-term intelligence gathering operations.

Over the past year, the FBI observed FSB’s Center 16, aka Berserk Bear/Dragonfly, collecting configs from thousands of U.S. critical infrastructure devices. The hackers altered some configs for backdoor access and reconnaissance, showing interest in ICS-related protocols. Active for over a decade, they exploit weak legacy protocols (SMI, SNMP v1/v2) and deploy tools like the Cisco “SYNful Knock” malware.

According to Talos researchers, victims are primarily based in Ukraine and allied countries.

“The group actively exploits a seven-year-old vulnerability (CVE-2018-0171), which was patched at the time of the vulnerability publication, in Cisco IOS software’s Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.” reads a report published by Cisco Talos.

“Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.”

Static Tundra exploits unpatched Cisco IOS/IOS XE devices via CVE-2018-0171 and weak SNMP strings to gain persistent access, exfiltrate configs, and support long-term espionage. Using bespoke tools, SYNful Knock implants, and GRE tunnels, they prioritize stealth, persistence, and intelligence gathering.
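The weaknesses described above (Smart Install left enabled, SNMP v1/v2c with default or unrestricted community strings, unexplained GRE tunnels) are all visible in a device's running configuration. The following Python audit script is an added example, not code from the article or from Cisco or Talos; it runs over a constructed sample config, and assumes that `no vstack` (Cisco's documented way to disable Smart Install) is the only evidence that the feature is off, and that the site's own baseline treats the listed community names as defaults.

```python
import re

# Constructed sample of a Cisco IOS running-config (not a real device),
# showing the weak settings the article attributes to Static Tundra targets.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community ops-mon RO 10
snmp-server group NETMON v3 priv
!
interface Tunnel100
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
!
"""

# Assumption: community names a site treats as well-known defaults.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def audit_ios_config(config: str) -> dict[str, list[str]]:
    """Return findings keyed by category for a Cisco IOS config text."""
    findings: dict[str, list[str]] = {"smart_install": [], "snmp": [], "gre": []}
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Smart Install is enabled by default on many IOS releases, so only an
    # explicit 'no vstack' line proves the CVE-2018-0171 surface is closed.
    if not any(ln.strip() == "no vstack" for ln in lines):
        findings["smart_install"].append("no 'no vstack' statement: Smart Install may be enabled")

    # SNMP v1/v2c communities: flag default names, read-write mode, and missing ACL.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", ln.strip())
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings["snmp"].append(f"default community '{name}' ({mode})")
        if mode == "RW":
            findings["snmp"].append(f"read-write community '{name}' (allows config changes)")
        if acl is None:
            findings["snmp"].append(f"community '{name}' not restricted by ACL")

    # GRE tunnels are legitimate in many networks; report them for review.
    current_if = None
    for ln in lines:
        if ln.startswith("interface "):
            current_if = ln.split(None, 1)[1]
        elif current_if and ln.strip() == "tunnel mode gre ip":
            findings["gre"].append(f"{current_if}: GRE tunnel configured, confirm it is expected")
    return findings
```

Run it against `show running-config` output collected through an existing management path; a device whose report is empty in all three categories still needs the IOS patch itself, since the script only checks configuration state.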

SYNful Knock is a modular, stealthy router firmware backdoor that ensures persistence, evades detection, and uses non-standard packets for authentication. The backdoor was first detailed in 2015 by Mandiant.
