By December 2025, a separate campaign had infected 18,000 routers across 120 countries — a stark data point that frames a new multinational warning about Russian state-backed hackers targeting poorly configured routers to gain access to critical infrastructure networks.
FSB Centre 16 attributed to router intrusions
A joint advisory—co-authored by the NSA, the FBI, and CISA alongside 15 agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy—attributes the campaign to hackers from the Russian Federal Security Service (FSB) Centre 16. The group is tracked under many names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.
The advisory says Centre 16 scans internet-connected IP address ranges for routers that accept default or common SNMP authentication strings, then issues commands using spoofed IP addresses to copy device configuration files and exfiltrate them via the Trivial File Transfer Protocol (TFTP) to actor-controlled servers.
Cisco Smart Install and CVE-2018-0171: a persistent vector
The FBI warned in August 2025 that the same group has been exploiting a critical vulnerability in Cisco's Smart Install feature (tracked as CVE-2018-0171) since November 2021 to target critical infrastructure. The advisory and the UK National Cyber Security Centre both highlight that, while SNMP scans are primary, the actor “has also exploited well-known vulnerabilities relating to Cisco devices, Cisco's Smart Install (SMI) feature and web-portal flaws to gain control of network devices.”
Sectors at risk and the scale of prior campaigns
The agencies list the sectors most at risk as: energy, communications, the defense industrial base, healthcare, financial services, defense, and state and local government services. The advisory arrives after an international law enforcement operation disrupted FrostArmada — a separate campaign attributed to APT28 (also tracked as Fancy Bear and Forest Blizzard and linked in reporting to GRU unit 26165) that by December 2025 had infected 18,000 routers across 120 countries.
In FrostArmada, attackers altered DNS settings on compromised MikroTik and TP-Link small office/home office (SOHO) routers to redirect authentication traffic to attacker-controlled servers and steal Microsoft 365 logins and OAuth tokens. As part of a court-authorized operation, with support from the U.S. Department of Justice, the Polish government, and multiple cybersecurity companies, the FBI remotely removed malicious DNS settings to secure the compromised routers and forced them to connect to legitimate DNS resolvers.
Mitigations the joint advisory urges
The authoring cybersecurity agencies provided specific measures to help network defenders harden their networks. They urged administrators to:
- Upgrade to SNMPv3;
- Disable Cisco Smart Install;
- Enforce strong, unique passwords;
- Block TFTP and SNMP traffic at edge firewalls;
- Update software and firmware;
- Replace end-of-life devices.
Those steps mirror the mechanics of the attacks described: because the actor hunts for default or weak SNMP passwords and exploits known Cisco flaws, strengthening authentication, removing vulnerable features, and limiting protocol exposure at network edges are logical defensive priorities in the advisory.
What this means for technologists, energy operators, and state and local government services
- Technologists and security teams: the advisory gives a clear, actionable checklist—upgrade to SNMPv3, disable Cisco Smart Install, block TFTP/SNMP at edge firewalls, and update firmware—to reduce the specific attack surface Centre 16 is exploiting.
- Energy operators and communications providers: sectors named as most at risk should prioritize discovery and replacement of end-of-life devices and audit remote-management features on routers and edge devices, since the advisory highlights both default SNMP credentials and SMI/Cisco vulnerabilities as active exploitation points.
- State and local government services: agencies in this category should expect targeted scanning for default or weak SNMP community strings and consider rapid mitigation steps called out in the advisory while coordinating with national cyber authorities when intrusions are suspected.
The joint advisory and the recent FrostArmada disruption together underscore two themes present in the agencies’ findings: attackers continue to exploit legacy configurations and known vendor flaws, and multinational law enforcement interventions can remediate large-scale compromises — in FrostArmada's case by removing malicious DNS settings and restoring legitimate resolvers. The agencies supplied concrete steps; the practical test now is how quickly operators across the named sectors adopt them.




