"This is an ongoing issue that has impacted various U.S. and foreign networks across multiple sectors, including the defense industrial base, communications, energy, financial services, government facilities and health care sectors," the National Security Agency said in a statement.
FSB Center 16 and its tracked aliases
U.S. officials and partners say the intrusions are the work of the Russian Federal Security Service Center 16, a state-sponsored group that has been "actively targeting critical infrastructure for more than a decade," according to a joint cybersecurity advisory released Monday. The same cluster of activity is tracked under multiple names by different observers, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.
Tactics: Cisco Smart Install, default credentials, and two CVEs
Authorities say the attackers habitually scan the internet for routers and other network devices using default or weak passwords. The group has also exploited vulnerabilities in Cisco devices, the Cisco Smart Install feature, and web portals to take over network hardware. The advisory specifically cites two exploited vulnerabilities by identifier: CVE-2008-4128 and CVE-2018-0171.
To blunt the technique set named in the advisory, officials urged defenders to disable Cisco Smart Install on all devices, adopt stronger modes of authentication and passwords, and monitor for unusual credentials and logins that use local accounts.
Sectors and scale: where the intrusions have landed
The National Security Agency framed the activity as broad and enduring, saying impacted networks span multiple sectors. The advisory lists the defense industrial base, communications, energy, financial services, government facilities and health care sectors as among those affected. The joint statement also noted that the campaign has targeted "critical infrastructure" worldwide.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The advisory's technical prescriptions are specific — disable Cisco Smart Install, strengthen authentication and passwords, and add monitoring for anomalous local-account logins and credentials. The bulletin reiterates that both configuration hygiene and patching for known vulnerabilities (including CVE-2008-4128 and CVE-2018-0171) are central defensive steps.
- Policymakers and regulators: The advisory was issued jointly by the United States and a coalition of international partners, signaling a coordinated, cross-border posture toward attribution and mitigation. Other countries named as backing the advisory include Canada, Australia, New Zealand, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland and Sweden.
- Affected enterprises and procurement leaders: The advisory echoes a prior FBI notice issued nearly a year earlier about the same group targeting end-of-life networking devices running Cisco Smart Install. Organizations that still operate legacy or end-of-life gear should view the bulletin as a prompt to inventory and replace vulnerable hardware or isolate it from critical networks.
International response: EU attribution and United Kingdom sanctions
Beyond defensive guidance, the week’s actions included at least two diplomatic moves. The European Union attributed a December 2025 attack on Poland’s energy grid to Russia’s FSB Center 16, according to the advisory’s context. Separately, the United Kingdom announced sanctions on 24 individuals and entities it said were "allegedly involved in various attacks attributed to Russian intelligence services." In a statement accompanying the sanctions, Yvette Cooper, foreign security of the United Kingdom, said: “From directing criminals to targeting businesses, and striking Poland’s energy grid in the depths of winter, the Russian state is sinking to new lows in its attempts to undermine European security.”
The joint advisory reissues a simple, recurring theme: defenders can reduce risk by correcting misconfigurations, removing default credentials, and closing known product weaknesses. It also tightens the political frame — attribution and sanctions now sit alongside technical mitigation — leaving one clear question: will repeated public warnings and allied pressure change the prevalence of weakly configured, internet-facing network devices before the next campaign?
https://cyberscoop.com/russian-fsb-cisco-joint-cybersecurity-advisory/




