HIGH | APT
Verified
Europe

APT28 Exploits Cisco Router Vulnerabilities for Long-Term Espionage

Source: UK NCSC / NSA

Executive Summary

The UK NCSC warns that APT28 is exploiting Cisco router vulnerabilities to establish persistent espionage infrastructure across European government networks.

Analysis

The UK National Cyber Security Centre and the US NSA issued a joint advisory warning that APT28 has been exploiting CVE-2026-20145 and older Cisco IOS vulnerabilities to install GRU-developed malware on routers used by European government agencies. The malware, named Jaguar Tooth, enables undetected SNMP-based data exfiltration. The campaign has been active for at least 6 months.

Timeline

Discovered: Sep 1, 2025
Exploitation Detected: Sep 1, 2025
Published: Mar 11, 2026

Indicators of Compromise (1)

CVE (1): CVE-2026-20145

Source Attribution

Originally published by UK NCSC / NSA on Mar 11, 2026. Verified by: UK NCSC, NSA, CISA.
