UK and Allies Warn Russian FSB Hackers Are Compromising Routers Worldwide


The UK and 11 partner countries have warned that hackers linked to Russia’s Federal Security Service are actively compromising poorly configured routers around the world.

The campaign targets internet-facing network equipment that uses weak credentials, outdated management protocols, unsupported software, or known vulnerabilities. Communications, defence, energy, financial services, government, and healthcare organizations face the greatest risk.

The UK National Cyber Security Centre published the warning alongside 18 agencies from 12 countries. Its Russian intelligence targeting alert urges organizations to secure exposed routers immediately.

FSB Centre 16 is behind the router campaign

The agencies attributed the activity to Centre 16 of Russia’s FSB. Cybersecurity companies track related operations under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.

However, the agencies caution that private-sector tracking names do not always map precisely to their understanding of the Russian unit. Different security companies may group related campaigns and infrastructure in different ways.

The joint cybersecurity advisory says the actors scan internet address ranges for routers running active Simple Network Management Protocol agents.

Campaign detailFinding
Attributed actorRussia’s FSB Centre 16
Primary targetsPoorly configured and vulnerable network devices
Main discovery methodInternet-wide SNMP scanning
Targeted credentialsDefault, common, weak, or reused SNMP community strings
Other attack pathsCisco vulnerabilities, Smart Install, and web management flaws
Highest-risk sectorsCommunications, defence, energy, finance, government, and healthcare

Hackers abuse weak SNMP configurations

SNMP allows administrators to monitor and manage routers, switches, servers, and other network equipment. Older versions rely on community strings that function like shared passwords.

Centre 16 searches for devices that accept common or default community strings. The attackers send SNMP Set-Requests through proxies and may spoof the apparent source address to conceal where the activity originated.

On a poorly configured device, a malicious request can instruct the router to copy its configuration into a file. The advisory says attackers often use names such as config.bkp or output.txt before transferring the file to infrastructure they control.

  • The attackers scan for active SNMP agents on public IP addresses.
  • They test common or default community strings.
  • Malicious SNMP object identifiers instruct a router to copy its configuration.
  • The router transfers the file through TFTP or another available service.
  • The stolen configuration may expose credentials and network details.

Router configuration files can contain usernames, password hashes, SNMP strings, interface details, access control lists, and information about connected networks. Even when passwords are not stored in plain text, weak hashing formats can leave them vulnerable to cracking.

Cisco flaws and Smart Install provide additional access

SNMP abuse remains the group’s main method for discovering and exploiting network devices, but it is not the only one. The agencies have also observed Centre 16 targeting Cisco Smart Install, web management portals, and known Cisco vulnerabilities.

The advisory identifies CVE-2018-0171 and CVE-2008-4128 among the flaws previously exploited by the hackers. CVE-2018-0171 affects Cisco IOS and IOS XE Smart Install, while CVE-2008-4128 is an older cross-site request forgery vulnerability in end-of-life Cisco IOS devices.

The NCSC’s Centre 16 warning says these techniques allow the group to gain control of vulnerable network equipment. The activity creates risks beyond the compromised router itself because network devices occupy trusted positions and process traffic for other systems.

Many of the techniques overlap with activity attributed to other state-backed groups, including Salt Typhoon. The recommended controls can therefore help defend against a wider range of actors, not only FSB Centre 16.

Organizations should disable legacy SNMP

The agencies recommend replacing SNMPv1 and SNMPv2 with SNMPv3 wherever possible. SNMPv3 supports authentication and encryption features that older versions lack.

Administrators should configure SNMPv3 with authPriv, which provides both authentication and privacy protection, using the strongest encryption standard supported by the device. Organizations should disable SNMP entirely when they do not need it.

If operational requirements prevent the removal of SNMPv1 or SNMPv2, teams should change every default community string and restrict the protocol to read-only access. They should also allow SNMP connections only from approved management systems.

  • Disable SNMPv1 and SNMPv2 on supported equipment.
  • Deploy SNMPv3 with authentication and encryption.
  • Replace default and reused community strings.
  • Remove read-write SNMP access when it is unnecessary.
  • Allow only approved management systems to reach SNMP services.
  • Monitor inbound SNMP Set-Requests for sensitive object identifiers.

Restrict router management traffic

Management protocols should operate on a dedicated network rather than remain exposed to ordinary user devices or the public internet. An out-of-band management network provides stronger separation from production traffic.

The international router guidance recommends using access control lists to permit administrative traffic only from trusted management devices.

Organizations should block unnecessary external access to UDP port 69 for TFTP, TCP port 4786 for Cisco Smart Install, UDP ports 161 and 162 for SNMP, and TCP or UDP ports 10161 and 10162 for SNMPv3.

Administrators should disable Cisco Smart Install on every device that does not require it. They should also turn off unused HTTP and HTTPS management interfaces and avoid exposing administrative portals directly to the internet.

Strong passwords and secure storage remain essential

Each network device should use strong, unique credentials. Reusing an administrative password across routers can turn the compromise of one device into access across a larger environment.

The agencies recommend using Cisco password hashing type 8 for user credentials. Organizations should avoid types 0, 4, and 7 because they either store credentials insecurely or provide inadequate protection.

Security teams should also monitor for local accounts that do not match their naming standards. Local logins should generate alerts, particularly when centralized authentication normally handles administrative access.

  • Use a unique password for every router and switch.
  • Remove default administrative accounts where the device permits it.
  • Use centralized authentication with multifactor authentication where feasible.
  • Restrict local accounts to emergency access.
  • Alert on unexpected local logins and newly created credentials.

Replace unsupported routers and inspect for compromise

Organizations should update firmware and software on supported equipment. Devices that have reached end of life should be replaced because their manufacturers may no longer provide fixes for security vulnerabilities.

Teams should maintain an accurate inventory of internet-facing network equipment, including the hardware model, software version, support status, management services, and responsible owner.

Security monitoring should look for unexpected configuration exports, TFTP transfers, SNMP Set-Requests, unfamiliar local accounts, altered access control lists, and connections to unknown external servers.

Finding a vulnerable configuration does not prove that attackers compromised the router. However, organizations should investigate signs of unauthorized access before applying changes because remediation alone may leave malicious accounts or configuration changes in place.

Poland energy attack attributed to the same FSB unit

The router warning arrived as the UK and EU announced their first joint cyber sanctions package. The measures target 24 individuals and entities linked to destructive Russian cyber and hybrid operations.

The UK and EU also attributed a failed December 2025 attack against Poland’s energy grid to FSB Centre 16. According to the UK sanctions announcement, the incident could have disrupted electricity for 500,000 civilians during winter.

The sanctions cover Russian state figures, cybercriminal proxies, and organizations accused of supporting malicious operations. The package also targets people linked to credential-stealing malware, hacktivist groups, and influence campaigns.

The router advisory and sanctions address separate parts of the wider threat. One provides technical guidance for defenders, while the other imposes political and financial consequences on individuals and organizations accused of supporting Russian operations.

NCSC urges critical infrastructure operators to act

Jonathon Ellison, the NCSC’s Director of National Resilience, urged all organizations to implement the recommendations, with particular attention to operators responsible for critical UK networks.

The NCSC also recommends Cyber Essentials certification. The scheme covers five core controls: secure configuration, user access control, malware protection, security updates, and firewalls.

For organizations that operate essential services, the Cyber Assessment Framework provides a broader method for evaluating governance, protection, detection, resilience, and incident response.

These frameworks do not replace the specific router mitigations in the advisory. They help organizations build consistent security processes around asset management, updates, access control, monitoring, and recovery.

Immediate actions for network defenders

Organizations should first identify every router and network device exposed to the internet. They should then verify whether each device uses supported software and whether any management protocols accept connections from untrusted networks.

Smaller organizations can use the controls described by Cyber Essentials to establish a minimum security baseline. Critical infrastructure operators can use the NCSC assessment framework to measure more advanced resilience requirements.

The UK government’s Russia sanctions notice places the warning within a broader campaign of cyber espionage and disruptive operations. Network defenders should treat exposed and unsupported routers as high-priority assets rather than routine infrastructure.

Strong router hygiene reduces the opportunities available to Centre 16 and other threat groups that use similar techniques. Replacing legacy devices, securing SNMP, restricting management traffic, and monitoring configuration changes provide the most direct protection.

FAQ

Who is FSB Centre 16?

Centre 16 is a cyber unit linked to Russia’s Federal Security Service. Security companies track related activity under names including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, and Static Tundra.

How are Russian hackers compromising routers?

The hackers primarily scan for routers with active SNMP agents that accept default or weak community strings. They also exploit Cisco vulnerabilities, Cisco Smart Install, and vulnerable web management portals.

Why is SNMPv3 safer than older SNMP versions?

SNMPv3 supports authentication and encryption. SNMPv1 and SNMPv2 rely on community strings and do not provide the same protection for management traffic.

Which sectors face the greatest risk?

The NCSC identifies communications, defence, energy, financial services, government, and healthcare among the sectors most at risk from the campaign.

How can organizations protect their routers?

Organizations should replace unsupported devices, update firmware, disable legacy SNMP and Cisco Smart Install, use unique passwords, restrict management traffic, and monitor for unauthorized configuration changes.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages