404 Media

2025-08-19 14:04:51

How Tea’s Founder Convinced Millions of Women to Spill Their Secrets, Then Exposed Them to the World

On March 16, 2023, Paola Sanchez, the founder and administrator of Are We Dating the Same Guy?, a collection of Facebook groups where women share “red flags” about men, received a message from Christianne Burns, then fiancée of Tea CEO and founder Sean Cook.

“We have an app ready to go called ‘Tea - Women’s Dating Community’, that could be a perfect transition for the ‘Are we dating the same guy’ facebook groups since it sounds like those are on their way under… Tea has all the safety measures that Facebook lacked and more to ensure that only women are in the group,” Burns said. “We are looking for a face and founder of the app and because of your experience, we think YOU will be the perfect person! This can be your thing and we are happy to take a step back and let you lead all operations of the product.”

The Tea app, much like the Are We Dating the Same Guy Facebook groups, invites women to join and share red flags about men to help other women avoid them. In order to verify that every person who joined the Tea app was a woman, Tea asked users to upload a picture of their ID or their face. Tea was founded in 2022 but largely flew under the radar until July this year, when it reached the top of the Apple App Store chart, earned glowing coverage in the media, and claimed it had more than 1.6 million users.

Burns’ offer to make Sanchez the “face” of Tea wasn't the first time she had reached out to her, but Sanchez never replied to Burns, despite multiple attempts to recruit her. As it turned out, Tea did not have all the “safety measures” it needed to keep women safe. As 404 Media first reported, Tea users’ images, identifying information, and more than a million private conversations, including some about cheating partners and abortions, were compromised in two separate security breaches in late July. The first of these breaches was immediately abused by a community of misogynists on 4chan to humiliate women whose information was compromised.

A 404 Media investigation now reveals that after Tea failed to recruit Sanchez as the face of the app and adopt the Are We Dating the Same Guy community, Tea shifted tactics to raid those Facebook groups for users. Tea paid influencers to undermine Are We Dating the Same Guy and created competing Facebook groups with nearly identical names. 404 Media also identified a number of seemingly hijacked Facebook accounts that spammed the real Are We Dating The Same Guy groups with links to Tea app.

404 Media’s investigation also discovered a third security breach which exposed the personal data of women who were paid to promote the app.

“Since first creating these [Are We Dating The Same Guy] groups, I have avoided speaking to the media as much as possible because these groups require discretion and privacy in order to operate safely and best protect our members,” Sanchez told 404 Media. “However, recent events have led me to decide to share some concerning practices I’ve witnessed, including messages I received in the past that appear to contradict some of the information currently being presented as fact.”

Burns is no longer with Cook or involved with Tea, and she did not respond to multiple requests for comment. But messages from Burns to Sanchez show that Cook changed his story about why he created Tea after they broke up. 404 Media also talked to a former Tea employee who said she only knew Burns as “Tara,” a persona that also exists in the Tea app and on Facebook as an official representative of the Tea app. This employee said that when Burns left the company, Cook took over the persona and communicated with other Tea users as if he was Tara.

Overall, our reporting shows that while Cook said he built Tea to “protect women,” he repeatedly put them at risk and tried to replace a grassroots movement started by a woman who declined to help him. As one woman who worked for him at Tea told us: “his [Cook’s] motive is money, not actually to protect people.”

Tea did not directly answer a list of specific questions regarding 404 Media’s findings and the facts presented in this article. Instead, it sent us the following statement:

“Building and scaling an app to meet the demand we’ve seen is a complex process. Along the way, we’ve collaborated with many, learned a great deal and continue to improve Tea,” a Tea spokesperson said. “What we know, based on the fact that over 7 million women now use Tea, with over 100,000 new sign ups per day, is that a platform to help women navigate the challenges of online dating has been needed for far too long. As one of the top apps in the U.S. App Store, we are proud of what we’ve built, and know that our mission is more urgent than ever. We remain committed to evolving Tea to meet the needs of our growing community every day.”

How Tea Tried to Recruit a Female “Face” for the App

Sanchez started the first Are We Dating The Same Guy Facebook group in 2022 after her terrible experiences dating. The basic premise—a space for women to share information about men with other women—has existed in various forms before, but Are We Dating The Same Guy quickly became an online phenomenon. Today, Are We Dating The Same Guy is comprised of more than 200 different Facebook groups dedicated to different cities across the U.S. and Canada and has more than 7 million members. The groups have many volunteer moderators, but Sanchez is still the administrator for most of them.

Women in the groups, who can also post anonymously, share a wide range of experiences, from relatively benign complaints about men they didn’t like, to serious accusations of infidelity and physical assault.

The popularity of Are We Dating The Same Guy groups is evidence that its members find them useful, but that popularity has come with a cost. Sanchez has become increasingly cautious after several attempts at retaliation from disgruntled men who are organizing on Telegram to dox women in the group and at least one lawsuit. In that case, a man accused Are We Dating The Same Guy of libel after a user in the Chicago group called him “clingy” and a “psycho.” Sanchez also said she had a rock thrown through the window of her family’s home by a man who wanted to stop Are We Dating The Same Guy, that she pays for a service to wipe her personal information from the internet, and that she generally keeps a low profile. This is the first time she has talked to the press.

By the time she was first approached by Burns in October, 2022, Sanchez was suspicious of Tea’s interest in Are We Dating The Same Guy because of some of the negative attention the groups already got.

“I’m a huge fan of all the work you're doing and I think it will have an ENORMOUS and important benefit on the lives of women,” Burns said in a Facebook message to Sanchez on October 25, 2022. At the time, Burns’ Facebook profile picture was a photo of her and Cook smiling. “My fiance and I have been working on a similar project due to my own dating woes and thought you’d be the perfect person to collaborate with on it.”

This is an entirely different origin story than the one Cook tells about Tea today. On Linkedin, Tea’s site, and interviews, Cook says that he “launched Tea after witnessing his mother’s terrifying experience with online dating—not only being catfished but unknowingly engaging with men who had criminal records.”

Before starting Tea, Cook worked at a couple of tech companies in San Francisco, including Salesforce, where he held a “director” title and rapped and made songs about Salesforce products during presentations he shared on Linkedin.

0:00
/3:59
1×

A video Sean Cook uploaded to Linkedin

There is no mention of Burns on the Tea site, but in 2022 she persistently asked Sanchez to join Tea.

In addition to messaging her on Patreon and Facebook, on December 2, Burns sent Sanchez $25 on Venmo along with a message thanking Sanchez for her work. “Sent you a PM on Facebook re: Business collab when you get a chance! 😊” On December 7, 2022 Burns sent Sanchez $15 on buymeacoffee.com along with a message about a “business opportunity,” and “an app with a similar concept to the facebook groups you manage that I would love to collaborate with you on!”

In April2023, after Sanchez didn’t respond to Tea’s requests, Are We Dating The Same Guy group admins started banning a set of Facebook accounts posting links to the Tea app over and over again. For example, Are We Dating The Same Guy moderators banned one Facebook user named Crystal Lee from 25 groups across the country after the account repeatedly encouraged members to use Tea and suggested that information about the men they’re asking about was available there. Lee’s account was clearly hijacked from a woman with a different name sometime around 2016. While the account name is Crystal Lee, the name in the URL for her page is Kimberly Ritchart. I found Richart’s new Facebook account, where her first post in 2016 says she lost access to her original account. 404 Media couldn’t confirm who was in control of the account, and saw no evidence that Tea was behind it, but activity from similarly hijacked accounts indicate that there was an organized effort to stealthily promote the Tea app in the Are We Dating The Same Guy groups.

Two other Facebook accounts, Norma Warner and Morgan Ward, were banned from 23 groups and five groups respectively for spamming Tea app promotions. Warner and Ward also shared identical replies two weeks apart. “If I remember correctly, I think he’s been posted to Tea. I maybe [sic] mistaking him for someone else but looks pretty familiar,” both replies said in response to different posts in different groups.

Veronica Marz told me she was hired in April 2024 to be Tea’s partnerships manager. Her job was to manage the affiliate program that would pay people $1 per user who signed up to Tea via their unique affiliate link. She also moderated a number of groups named “Are We Dating the Same Guy | Tea App” for different cities, which were started by and owned by the Tea app and could obviously confuse Facebook users. Marz also reached out to admins of the real Are We Dating The Same Guy groups to ask if they’d be willing to join the affiliate program.

While reporting this story, 404 Media discovered that Tea’s data about the affiliate program, including who signed up for it, their real name, how much they have been paid, their emails, phone numbers, Venmo accounts, and charities they wanted to donate to if they didn’t want the money, were left exposed online. All a hacker or other third party had to do to view all of this data was add “/admin” to the public Tea affiliate site’s URL. Tea turned off this site and the affiliate program entirely after 404 Media reached out for comment for this article on August 13.

On December 1, 2024, Marz noticed an account named Nicole Li who was spamming Tea app promotions in one of the Facebook groups she managed for Tea as part of her job. Li was not part of the affiliate program that Marz managed, and unbeknownst to Marz, moderators of the original Are We Dating The Same Guy groups would eventually ban the Li account later. At that point, Marz was reporting directly to Cook, and she flagged the account to him because it was suspicious and spamming several groups at the same time.

“Sean uses that account to communicate directly with users on the app, but people think they are speaking to someone actually named Tara."

“Just wanted to check and see if this person was working with the Tea app?,” Marz said in a text to Cook along with a screenshot of the account seen by 404 Media. “I’ve noticed that they’ve joined all the groups regardless of location and they’ve been promoting the app, but they aren’t a part of the affiliate program that I saw.”

Cook replied: “Not sure what’s going on there but as long as they’re not bothering anyone, I guess let’s just let them do their thing!”

All of the Facebook accounts that spammed Tea promotions were either deactivated or did not respond to our request for comment. None of the accounts were officially part of Tea’s affiliate program, according to the exposed data.

404 Media has seen several messages from Are We Dating the Same Guy Facebook group members and moderators confused about whether the Tea app was the official Are We Dating The Same Guy app, and whether Sanchez was affiliated with it. Several people also wondered if the Tara persona, which reached out to them on Facebook, was associated with Tea or if Sanchez was behind it. One review of the Tea app on the Google Play Store from January, 2024 also seemed confused and disappointed by the app.

“A girl in a FB group referred me (I think she was actually advertising 🤷),” the review said. “She called it a free app. It’s not free [...] The fb groups should have raised MORE THAN ENOUGH to cover app costs that are referred to in other reviews [...] I find this gross. Maybe I’ll come around or be back, but for now I’ll stick with fb.”

Marz also told me that several users in the Tea-owned Facebook groups were confused, and thought that they were in the original Are We Dating The Same Guy groups owned by Sanchez.

“Maybe five to seven people in different groups asked me about Paola Sanchez, and I had to explain to them, like, ‘Hey, this is not Paola’s group. This group is owned by the Tea app,’” she told me. “I had to explain to them the difference between the two.”

Tea’s promotion strategy clearly managed to poach and confuse some members of the Are We Dating The Same Guy community and get them to join the app. Later, its strategy was to undermine Are We Dating The Same Guy directly.

Today, Tea’s website credits an influencer named Daniella Szetela as helping to widely promote Tea: “One day while scrolling, Sean discovered a viral creator, Daniella, whose content resonated with millions of women—and saw an opportunity to bring that same energy to Tea. What began as a simple idea quickly turned into a social media movement.” The site says Cook was so impressed with her voice and following, he made her “Head of Socials.” A March, 2025 archive of the same page on Tea’s site tells the same story, but at the time Szetela’s title was “Chief Female Officer.”

“Together, Sean and Daniella have transformed Tea into more than an app—it’s a movement,” Tea’s site says.

In September 2024 Tea started posting videos to its official TikTok and Instagram accounts named @TheTeaPartyGirls. Some of the videos are of Szetela showing the app and talking about how great it is. Other videos are made to look like they’re coming from other Tea users, but in reality are produced by a company called SG Social Branding, which describes itself as a “Gen Z Creator Powerhouse Delivering Short Form Videos to be used for YOUR Brand’s Paid Social Ads.” According to its site, SG Social Branding has a team of “over 35 gen Z creators” who create videos for clients. These videos are made in the the style of common social media posts, like an influencer talking directly to the camera, doing man on the street interviews, or videos that look like they are clips from podcasts, but are from podcasts that don’t actually exist.

On a “case studies” page for Tea on the SG Social Branding website, the company says that Tea’s “ask” was to “Develop the narrative that Tea is the go to for Women who like to stay safe while dating.”

“We deployed creators for street interviews in locations such as NYC during daytime and the Nightlife scene on college campuses. Additionally, we made entertaining podcast clips of girl talk that is truly un-scrollable,” the case studies page says. Under “results” it says “The TEA app went #1 in the app store on July 23rd, 2025 and is now viral! Videos deployed from SGSB creators crossed over 3.4 million views with over 74k shares and rising.”

In these videos, the influencers don’t only promote Tea and talk about it as if they actually found information on it about men they know, they also repeatedly disparage Are We Dating The Same Guy Facebook groups.

“Instead of using that Facebook group Are We Dating the Same Guy, what girls are doing now because it’s so much easier is they’re downloading Tea,” a woman holding a microphone says as if she’s talking to someone off-camera. The text overlaid on the video says “Tea Party Pod.” The woman, Savannah Isabella, is an influencer who works for SG Social Branding. She goes on to talk about how one of her friends found a guy she was seeing there and all the red flags other women have posted about him. “Miss me with that. Boy bye. And it’s so much easier and faster than that Facebook group.”

View this post on Instagram

A post shared by Tea - Dating Safety App for Women (@theteapartygirls)

In another video, Isabella is at a bar, demoing the Tea app. “Girls, forget about Are We Dating The Same Guy,” she says.

Isabella and SG Social Branding did not respond to a request for comment.

Marz told me that she was hired to Tea by a woman named Tara and that initially she only communicated with Tara. Marz did a Zoom interview with Tara before she started to work for Tea and the woman identified herself as Tara over text and email. In November 2024, Marz said that Tara left the company, at which point she started reporting directly to Cook. When I showed Marz a photograph of Christianne Burns, Cook’s then fiancée, she said that was who she knew as Tara, who first interviewed her over Zoom.

After "Tara" left, Marz said Sean took over the “Tara Tea” account which was used to communicate with Tea users in the app and on Facebook.

“Sean uses that account to communicate directly with users on the app, but people think they are speaking to someone actually named Tara,” she told me. Essentially, a man is posing as a woman to an audience of women who are trying to protect themselves from, at best, deceptive men.

How Tea Deleted Posts About Men

Tori Benitez has a private consulting business for victims of domestic violence who are in Family Court for high conflict divorces or custody battles. She told me she joined the Tea app because it promoted digital safety, talking about abusers, and protecting people by letting them share information anonymously.

“I'm in the dating scene and on dating apps, and have had my own experience, so I first joined as a user, and then I saw them post that they needed help with escalation claims,” she told me. The escalation claims were complaints both from men about what women were posting about them in the app as well as complaints from other users. She thought her experience as a paralegal would be useful, and she could use more remote work, so she sent Tea her information.

“I had a Zoom call with Sean, and he wanted to know not only a little bit about my business and how I help people, but I had to tell my own personal story.” Benitez said. “I had an ex who literally threatened to kill me and told me how he was going to kill me, even after a restraining order. My story is deep and scary, and he kind of interrupted me and started crying. And I was like, ‘Oh, are you okay?’ Looking back, shouldn't I have been the one crying? It's kind of weird.”

Benitez said she took the job because she wanted to help women. During the interview and at several points while working for Tea, Benitez said that Cook wanted to make her consulting business part of Tea. Benitez said Cook floated having a tab in the Tea app that would send women to her consulting business if they needed help, or having her run workshops for users.

“I feel like his [Cook’s] motive is money, not actually to protect people, and I think that his story about his mom is a crock of shit.”

Benitez started working in April of this year but said the job wasn’t what she expected because it made no use of her experience as a paralegal. She said the work was more like customer support, and mainly had her filtering through complaints, responding to them according to a strict script she was given, and keeping a record of the responses.

If a complaint contained words like “defamation” or seemed legally threatening, she would find the post in question and the user who posted it. At times she would contact the user and ask them if the post was true and if they had any evidence to prove it. Sometimes users would respond and say the accusations were true, and the post would remain. Sometimes the users also provided supporting evidence, like court documents. Sometimes the users would delete the posts themselves, or Tea would delete the posts if the users didn’t respond to Benitez’s questions after a certain amount of time.

“That's when things would get deleted and literally no longer exist on there,” she said. “Nobody could find them. They did not go into an archive. They are just poof gone.”

She would record all the complaints and responses in a spreadsheet for Tea’s internal records, but said it didn’t always make sense when Tea decided to delete a public post on the Tea app vs when it decided to leave one up. In one interview in May, 2025, Cook said the Tea app receives “three legal threats a day from men,” and that Tea has a full legal team that helps it manage those situations.

Benitez said that in one case, Cook told her he would handle a complaint from a man regarding what was said about him on the app himself because Cook knew the man personally.

“He [Cook] seemed to side with or randomly choose to delete things that just didn't make sense and felt really concerning to me,” she said. “But I felt I had no room to complain, because every time I brought up a concern his response was either ‘ignore it,’ or ‘I will handle it,’ and there's no HR, so it's not like I can go anywhere to say all this stuff's happening. I didn't have any other point of contact other than him.”

Benitez also said she raised concerns about users’ behavior on the app. She said that at some point earlier this year Tea went viral in one town in Louisiana, where Tea users started going after each other and the number of complaints exploded.

“There was a lot of fighting in the comments between users. There were a lot of threats between users. It just turned into a chat room,” she said. “They would be fighting each other. Like, ‘Where are you at? I’ll pull up on you.’ I was like, ‘holy shit.’ There would be racist posts. It just started getting bad, and I mentioned that to him [Cook] as well, and I basically got the answer of let them say whatever they want. And like this whole like, you know, ‘It's free speech.’ I thought this was about protecting people,” Benitez recalled.

In May, Benitez said Cook was late to pay her. When she asked about it, Cook said he didn’t have the money, and asked her to keep working until he did, or work for less pay. At that point, Benitez said she wouldn’t work until she got paid for the work she already did. Eventually Cook sent her the money for the hours she already worked, but Benitez never came back.

There are currently two class action lawsuits in motion against Tea accusing the company of failing to properly secure users’ private information. After these complaints were filed Tea updated its terms of service, which now require users to waive their right to participate in class actions against the company, and agree to attempt an “informal dispute resolution” before suing the company.

“I feel like his [Cook’s] motive is money, not actually to protect people,” Benitez said, “and I think that his story about his mom is a crock of shit.”

Tea’s Security Breaches Put Users at Risk

On July 25, 404 Media broke the news that Tea made an error that completely exposed a database containing at least 72,000 thousand images from its users, and that a misogynistic 4chan community downloaded them and shared them online in various forms in order to harass and humiliate women. On July 28, 404 Media revealed an even worse security breach to Tea, which exposed more than a million private messages between Tea users that included identifying information and intimate conversations about cheating partners and abortions.

After the first hack, someone created a website modeled after “Facemash,” the site that Facebook CEO Mark Zuckerberg infamously created while he was a student at Harvard to rank the attractiveness of female students at the university. This new site, based on Tea data, took the selfies women uploaded to Tea in order to verify they are women, presented them to visitors in pairs, and allowed them to choose which they believed was more attractive. The site used the votes to create a ranking and also highlighted the list of the 50 most and least attractive women according to votes.

The second breach was far more dangerous not only because the direct messages between Tea users that were exposed included conversations they thought were private about sensitive subjects that could become dangerous in the wrong hands, but also because those conversations included details that could be used to deanonymize users. Direct messages between users often included their real phone numbers, names, and social media handles.

“I posted on the app about a man who groomed and abused me as a minor,” one Tea user whose direct messages were exposed in the second security breach told 404 Media. The user asked to be anonymous because she’s heard about “incel dudes” doxing Tea users. “I joined Tea because I appreciated the premise of a ‘whisper network’ for community safety—because a huge amount of men are, in fact, unsafe individuals, and most of the time those impacted don't find out until it's too late.”

This user added that they felt safe enough to share intimate details on Tea because it was advertised as a “safe space” for women with a strong emphasis on anonymity.

“My reaction to the breach is anger, just anger, and some disgust,” the user said.

Kasra Rahjerdi, the researcher who flagged the second security breach to 404 Media, said there were signs he wasn’t the only person who may have accessed more than a million of private Tea messages. Every Tea user is assigned a unique API key which allows them to interface with the app in order to log in, read public posts, share posts, or do other actions in the app. Rahjerdi discovered that any Tea user was also able to use their own API key to access sensitive parts of the Tea app’s backend, including a database of private messages and the ability to send all Tea users a push notification.

This access also allowed users to create new databases, and Rahjerdi told 404 Media he saw someone else doing just that while he was looking at Tea’s backend. Most of these databases were empty, but one contained a link to a Discord server with a handful of users which shut down shortly after 404 Media tried to join it on July 26. This activity indicates that someone else found the same security breach as Rahjerdi and could have accessed more than a million private messages of Tea users as well.

In a podcast interview in April, 2025, Cook said he doesn’t know how to code, and that the Tea app was built by two developers in Brazil. According to Tea’s Linkedin page, both developers are contractors who are available to hire via Toptal, a platform where software developers offer their labor as remote freelancers. Those two developers did not respond to our request for comment.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told 404 Media that the private Tea messages could be especially dangerous to Tea users who talked about abortions or specific men.

“I would be particularly concerned about posts about abortions in say Texas, where SB 8 grants a private right of action to sue anyone who performs or facilitates an abortion that violates the law,” Galperin said. SB 8, also known as the “Texas Heartbeat Act,” bans abortion after the detection of a “fetal heartbeat,” which is usually six weeks into pregnancy. The law also allows anyone to sue anyone else who performs abortions or “aids and abets” performing or inducing an abortion in violation of the law. “I’d also be concerned about DMs containing information of sexual orientation or immigration status, or details about sexual assault that the survivor was sharing in private.”

Galperin said she would be “extremely concerned” if the messages got out, not just because of the men who are named in the messages, but because “There are people who think that anyone who has an account on this platform is fair game for harassment,” referring to some of the harassment we’ve already seen from 4chan.

Despite the risks the Tea app has already put users in, Tea has downplayed the impact of the security breaches, and has continued to grow in popularity. On July 28, Tea said in a post to Instagram that “some” direct messages were accessed as part of the initial incident, and that it had temporarily disabled the ability for users to send direct messages. The statement does not acknowledge that more than a million messages were exposed, and also misleads users that those messages were leaked as part of the initial breach. The messages were exposed in an entirely separate breach around different security issues. On July 26, after 404 Media reported about both Tea breaches, Tea said on Instagram that it received over 2.5 million requests to join the app. The replies from users on Instagram are filled with people who are on the Tea app waiting list to be approved. Again, even after it said it has hired a cybersecurity firm to address the two previously reported breaches, 404 Media found a third security issue that exposed users’ private information that Tea wasn’t aware of until we reached out for comment.

Today, Tea’s site boasts that more than 6.2 million women use the app.

Joseph Cox contributed reporting.

A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating

The more than one million messages obtained by 404 Media are as recent as last week, discuss incredibly sensitive topics, and make it trivial to unmask some anonymous Tea users.

^{Emanuel Maiberg (404 Media)}

Pro

2025-08-20 14:25:21

Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure

Research with details.

• Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
• The group actively exploits a seven-year-old vulnerability (CVE-2018-0171), which was patched at the time of the vulnerability publications, in Cisco IOS software's Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
• Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
• Static Tundra employs sophisticated persistence techniques including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
• The threat extends beyond Russia's operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
• Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled.

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.

^{Sara McBroom (Cisco Talos Blog)}

Pro

2025-08-20 14:25:21

Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure

Research with details.

• Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations.
• The group actively exploits a seven-year-old vulnerability (CVE-2018-0171), which was patched at the time of the vulnerability publications, in Cisco IOS software's Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.
• Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.
• Static Tundra employs sophisticated persistence techniques including the historic SYNful Knock firmware implant (first reported in 2015) and bespoke SNMP tooling to maintain undetected access for multiple years.
• The threat extends beyond Russia's operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.
• Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled.

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.

^{Sara McBroom (Cisco Talos Blog)}