[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fe9GdipXaUjPA3RtXZkpi9mvy1NKXou8ASPMTexucfxU":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"862703f2-dc93-4af6-b29f-61093e016fc8","US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers","us-allies-warn-of-russian-cyberattacks-targeting-critical-infrastructure-routers-020747","Multiple state-sponsored APTs are compromising poorly secured devices across critical infrastructure sector networks. The post US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers appeared first on SecurityWeek.","Russian state-sponsored APT actors are targeting poorly secured network devices, primarily routers, to compromise critical infrastructure globally. The advisory highlights the involvement of FSB Center 16 threat actors and mentions exploitation of vulnerabilities in Cisco devices, including CVE-2008-4128 and CVE-2018-0171. The attacks impact sectors such as communications, energy, finance, and healthcare.","US and allies warn of Russian APTs targeting critical infrastructure routers.","Russian state-sponsored advanced persistent threat (APT) actors are targeting networking devices to compromise critical infrastructure worldwide, the US and its allies warn. The activity involves scanning for poorly secured devices, mainly routers, for exploitation, government agencies from the US, Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, Italy, New Zealand, Poland, Sweden, and the UK say in a joint advisory (PDF). According to the authoring agencies, Russian Federal Security Service (FSB) Center 16 threat actors, such as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, have been seen engaging in these attacks. The activity targets critical infrastructure organizations across the communication, defense industrial base, energy, financial, government, and healthcare and public health sectors. Using proxies, the threat actors send Simple Network Management Protocol (SNMP) set-requests to IP ranges, instructing the SNMP agents on the target devices to copy configurations to a file and transfer it, usually over Trivial File Transfer Protocol (TFTP), to a virtual private server (VPS) or a compromised FTP server. Additionally, the threat actors have been observed exploiting known vulnerabilities in Cisco devices, including CVE-2008-4128 and CVE-2018-0171, which lead to arbitrary code and command execution.Advertisement. Scroll to continue reading. “Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon,” the authoring agencies note. Network defenders are advised to disable Cisco Smart Install on all devices, disable SNMPv1 and SNMPv2, use SNMPv3 with modern encryption standards, use unique passwords for accounts on network devices, configure credentials to be stored securely, and monitor for and alert on logins using local accounts. Defenders should also restrict access to SNMP Object Identifiers (OIDs), restrict management protocols, deny external communications on specific ports on edge firewalls and devices, and keep network device software and firmware updated to patch known vulnerabilities. The NSA recently published an advisory on reducing the risk of SNMP abuse. Related: EU Targets Russian Intelligence Officers Accused of Running a Yearslong Cyber Spying Campaign Related: US Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks Evolve Related: Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets Related: Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Organizations Warned of Exploited Joomla Extension VulnerabilitiesProgress Prompts ShareFile Storage Zone Controller Shutdown Amid Security ConcernsGhost Accounts Abuse GitHub API in Mass Recon CampaignOkta Warns of Vishing Attacks Targeting Microsoft 365 CustomersGigaWiper Combines Multiple Malware for System-Level SabotageNetwork of 200 GitHub Repositories Used for Malware Infection12 Million Impacted by Data Breach at Japanese Telco KDDI15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From Google Latest News SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudValarian Raises $50 Million for Sovereign Infrastructure Control LayerMultiple Jscrambler Packages Impacted by Supply Chain AttackPentagon Suspends CMMC Phase 2 as It Rethinks Contractor Cybersecurity RulesHacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker to RedemptionCybersecurity M&A Roundup: 37 Deals Announced in June 2026RabbitMQ Vulnerability Threatens Enterprise SystemsZimbra Patches Critical Code Execution Vulnerability Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fus-allies-warn-of-russian-cyberattacks-targeting-critical-infrastructure-routers\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F09\u002FRussian-GRU_Hackers.jpg","2026-07-14T10:51:01+00:00","2026-07-14T12:00:15.226789+00:00",8,[18,21,23,25,27,29],{"name":19,"type":20},"Berserk Bear","threat_actor",{"name":22,"type":20},"Energetic Bear",{"name":24,"type":20},"Crouching Yeti",{"name":26,"type":20},"Dragonfly",{"name":28,"type":20},"Ghost Blizzard",{"name":30,"type":20},"Static Tundra","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":31,"icon":33,"name":34,"slug":35},null,"Nation-state","nation-state",[37,42,44,49],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":50},{"id":51,"icon":33,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55,59],{"type":56,"value":57,"context":58},"cve","CVE-2008-4128","Exploited vulnerability in Cisco devices leading to arbitrary code execution.",{"type":56,"value":60,"context":58},"CVE-2018-0171"]