APT28 Exploits Cisco Router Vulnerabilities for Long-Term Espionage

Wednesday, March 11, 2026 at 09:00 AM UTC·Source: UK NCSC / NSA

Updated: Thursday, March 12, 2026 at 07:00 AM UTC

Executive Summary

UK NCSC warns APT28 exploiting Cisco router vulnerabilities to establish persistent espionage infrastructure across European government networks.

Analysis

The UK National Cyber Security Centre and US NSA issued a joint advisory warning that APT28 has been exploiting CVE-2026-20145 and older Cisco IOS vulnerabilities to install GRU-developed malware on routers used by European government agencies. The malware, named Jaguar Tooth, enables undetected SNMP-based data exfiltration. Campaign has been active for at least 6 months.

Timeline

Discovered

Sep 1, 2025

Exploitation Detected

Sep 1, 2025

Published

Mar 11, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-20145

NVD MITRE CVE

Source Attribution

Originally published by UK NCSC / NSA on Mar 11, 2026. Verified by: UK NCSC, NSA, CISA.

Related Threats

CRITICALApt

7 tips for accelerating cyber incident recovery

Despite strong and redundant defenses, enterprises remain vulnerable to a wide range of cyberattacks. And because attacks — and cyber incidents — are inevitable, developing an incident response and recovery process that’s quick, comprehensive, and coordinated is essential. Expediting incident recovery time is critical because the longer an outage persists, the more costs, risk, and business disrup

3h agoCSO Online

LOWApt

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. [...]

17h agoBleepingComputer

MEDIUMApt

Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)

3d agoThe Hacker News