The XE Files - Trust No Router
10-25, 09:30–10:00 (Europe/Luxembourg), Europe - Main Room

On the 16th October 2023 Cisco Talos shared intelligence about a handful of compromised routers discovered while resolving customer support requests. As the full story unfolded, a handful of backdoored devices turned into tens of thousands, triggering a massive mobilisation of incident response teams as patches were applied and workarounds implemented. Many months later, the incident may be largely forgotten by Cisco customers and the cyber-security community, but working on these routers remains an objective for somebody.

In this talk we explore the world of compromised IOS XE devices using data from weekly scans of all the potentially affected systems. The number of infected routers has changed over time, showing a persistent motivation to maintain the backdoor's installed base and giving insights into the life of the adversary. At the time of writing, two-thirds of all exposed devices show signs of compromise.

We investigate who was quick to apply the vendor's advice, and what kind of organizations the compromised devices belong to. We observe that some mature organizations with competent cyber-defence teams seem to be maintaining affected routers.

Finally we look at the potential utility of a network of compromised routers, making the link to Operational Relay Box (ORB) networks as recently defined by Mandiant (Google Cloud), and the challenge this poses for Threat Intelligence analysts and cyber-defence teams more broadly.

James worked in systems and networks for a decade before finally succumbing to the destiny of nominative determinism. After briefly flirting with pentesting he got a job as a security architect in the financial sector. He then became Head of the CERT team for a number of years but his hair had already fallen out at that point. He joined ONYPHE in 2023 as Deputy CTO and now dreams in Perl.