Back to Feed
Nation-stateJul 13, 2026

Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting

FSB Center 16 exploits misconfigured routers across critical infrastructure sectors worldwide.

Summary

A joint cybersecurity advisory from NSA, CISA, FBI, and international partners warns of Russian FSB Center 16 targeting poorly configured networking devices, particularly routers, across critical infrastructure sectors including communications, energy, finance, and healthcare. The threat actors use SNMP scanning with default credentials, Cisco Smart Install exploitation, and known CVEs to compromise devices and exfiltrate configuration data. Mitigations include disabling legacy SNMP versions, implementing SNMPv3 with strong encryption, and monitoring for suspicious OID activity.

Full text

Cybersecurity Advisory Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting Release DateJuly 13, 2026 Alert CodeAA26-194A Related topics: Critical Infrastructure Security and Resilience , Cybersecurity Best Practices Russian Government-Sponsored Activity Targets Poorly Configured and Vulnerable Devices Across Critical Sectors Executive summary Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat. [1] This CSA is being released by the following authoring and co-sealing agencies: United States National Security Agency (NSA) United States Cybersecurity and Infrastructure Security Agency (CISA) United States Federal Bureau of Investigation (FBI) United States Department of Defense Cyber Crime Center (DC3) Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre) New Zealand National Cyber Security Centre (NCSC-NZ) United Kingdom National Cyber Security Centre (NCSC-UK) Czech Republic National Cyber and Information Security Agency (NÚKIB)1 Danish Defence Intelligence Service (DDIS)2 Estonian Foreign Intelligence Service (EFIS)3 Estonian Information System Authority (RIA)4 Finnish Defence Intelligence (FDI)5 Finnish Security and Intelligence Service (SUPO)6 French National Cybersecurity Agency (ANSSI)7 Italian External Intelligence and Security Agency (AISE)8 Italian Internal Intelligence and Security Agency (AISI)9 The Military Counterintelligence Service of Poland (SKW)10 Sweden National Cyber Security Centre (NCSC-SE)11 The authoring and co-sealing agencies strongly urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers. Figure 1: FSB Center 16 activity and recommended mitigation actions Download the PDF version of this report: Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting (PDF, 816KB) Cybersecurity industry tracking The cybersecurity industry provides overlapping cyber threat intelligence, indicators of compromise (IOCs), and mitigation recommendations related to this activity. Although not all encompassing, the following list contains the most notable threat group names commonly used within the cybersecurity community related to this activity: Berserk Bear Energetic Bear Crouching Yeti Dragonfly Ghost Blizzard Static Tundra Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this list may not provide a 1:1 correlation to the authoring agencies’ understanding for all activity related to these groupings. Targeting details Critical infrastructure sectors most at risk from the Russian Federal Security Service (FSB) Center 16 cyber actors’ targeting include: Communications, Defense Industrial Base, Energy, Financial Services, Government Services and Facilities, especially organizations at the state and local level, and Healthcare and Public Health. Technical details Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise12 framework, version 19. See Appendix A for tables of the activity mapped to MITRE ATT&CK tactics and techniques. This advisory also uses MITRE DEFENDTM version 1.4.0. The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation. The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication [T1595.001, T1595.002]. These scans, run via proxies, consist of SNMP Set-Requests from a spoofed IP address [T1027] containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to [T1569, T1602.001, T1090]: Copy its configuration to a file, often called “config.bkp” or “output.txt” [T1003, T1602.002]. Transfer the file, typically using Trivial File Transfer Protocol (TFTP), to an actor-controlled leased virtual private server (VPS) or compromised FTP server [T1583.003, T1090, T1071, T1048]. While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices. The actors previously exploited at least the following CVEs [T1584.008, T1588.005, T1190, T1068]: CVE-2018-0171 CVE-2008-412813 Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon. Even though this CSA focuses on Russian FSB Center 16 cyber activity, the mitigations below should detect and counter these and similar TTPs used by other actors. Mitigation actions The authoring agencies highly recommend network defenders implement the following mitigations to harden networks against this exploitation: Disable Cisco Smart Install on all devices [D3-ACH]. [2] Use SNMPv3 with “authPriv” configured to the most modern encryption standard that is supported by the device instead of SNMPv1 or SNMPv2 [D3-ACH]. [3] Disable SNMPv1 and SNMPv2. These are legacy protocols and should no longer be needed on current devices. If they are necessary, change all community strings from defaults and only allow read-only community strings rather than read-write access. SNMPv3 adds strong authentication and data encryption that are unavailable in SNMPv1 and v2. SNMPv3 replaces clear text shared passwords, known as community strings, with more securely encoded parameters, and authenticates and encrypts data [D3-MAN, D3-MENCR]. Use strong, unique passwords for local accounts on network devices and configure credentials to be stored securely to prevent reuse of compromised passwords [D3-CH]. Cisco devices protect passwords in the configuration file using different hashing types. Use hashing type 8 for user credentials. Avoid using hashing type 0, 4, and 7 as they are insecure or store passwords in plaintext in the configuration file. [4] Monitor for unusual credentials that do not conform to standard organizational naming conventions [D3-PM]. Monitor for and alert on logins using local accounts. Local accounts should only be used in emergency situations when accounts supported by centralized authentication servers are unavailable. Centralized authentication to network devices should support multi-factor authentication where feasible. [3] Monitor and restrict access to SNMP OIDs using a Management Information Base (MIB) allow list [D3-ACH]. [5] Reference the vendor-specific MIB for the network devices and monitor OIDs for indications of reconnaissance or misconfiguration in logs or intrusion detection systems (IDS). IDS rules should be written for inbound SNMP Set-Requests that contain OIDs targeting sensitive device data [D3-PM]. Example OIDs include: 1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy) 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (Config Copy Server Address, value for this OID is where the configuration file is being sent to) Restrict management protocols [D3-NTF]. Use Access Control Lists (ACLs) to only allow management protocols, such as SNMP, from management devices, preferably on an out-of-band network. [3] On edge firewalls and devices deny all external communications on the following ports unless mission critical, with strict monitoring if blocking is not feasible: User Datagram Protocol (U

Indicators of Compromise

  • cve — CVE-2018-0171
  • cve — CVE-2008-4128
  • mitre_attack — T1595.001
  • mitre_attack — T1595.002
  • mitre_attack — T1602.001
  • mitre_attack — T1602.002

Entities

FSB Center 16 (threat_actor)Berserk Bear (threat_actor)Energetic Bear (threat_actor)Dragonfly (threat_actor)Cisco Smart Install (product)