Skip to main content
Emerging ThreatsMalware & Ransomware

Russian Hackers Target Routers Globally, Warn Cybersecurity Agencies

Rows of generic routers on a rack in a neutral-colored server room with blank labels.

“This reckless attack failed but could have caused 500,000 citizens to lose electricity in the depths of winter.”

FSB Centre 16's SNMP-focused router campaign

Cybersecurity agencies from 12 countries warn that a Russian state-sponsored unit, identified as Federal Security Service (FSB) Centre 16, is actively hunting vulnerable routers worldwide by scanning for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords and community strings. The advisory — co-authored by agencies from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, the UK and the US — describes a straightforward exploit chain: obtain a valid SNMP community string, gain SNMP access, then use Object Identifiers (OIDs) to command routers to copy configuration files and transmit them via Trivial File Transfer Protocol (TFTP).

How stolen configurations are exfiltrated

The advisory provides technical detail on how compromised routers yield valuable data. SNMPv1 and SNMPv2 transmit community strings in plaintext, making them vulnerable to network sniffing; attackers who retrieve a string can direct devices via OIDs to export configuration files. Those files are then transferred by TFTP and ultimately sent to either a virtual private server leased by the threat actor or to a compromised file transfer protocol server. The guidance from the agencies is explicit: move to SNMPv3 where possible, because it provides built-in authentication and encryption to protect management traffic from interception and tampering.

Cisco Smart Install, CVE-2018-0171, and legacy devices

The advisory notes that Centre 16 has also occasionally exploited known vulnerabilities in Cisco devices. In 2025, Cisco warned that CVE-2018-0171 — a vulnerability in the Smart Install feature affecting unpatched, often end-of-life devices — was being actively exploited by Centre 16 (also referenced in the advisory under the name Static Tundra). Cisco advised customers to apply the patch for CVE-2018-0171 or to disable Smart Install if patching is not an option; the patch was originally issued in 2018. The advisory underscores that unpatched or end-of-life hardware remains an accessible vector for this actor.

Attribution and sanctions after Poland energy-grid operations

Concurrently with the publication of the advisory, the UK and the European Union attributed coordinated cyber-attacks on Poland’s energy infrastructure in late 2025 to FSB Centre 16. The UK government’s July 13 statement framed the incident as a near-miss with potentially massive civilian impact, asserting the attack “could have caused 500,000 citizens to lose electricity in the depths of winter.” The EU and UK issued a joint sanctions package targeting 24 individuals and entities they say were behind destructive cyber and hybrid operations, including proxy networks linked to Russian intelligence services. Separately, the UK announced sanctions on individuals tied to Lumma Stealer, saying that Russia has used Lumma Stealer’s stolen credentials to conduct cyber espionage globally in support of Kremlin objectives; the National Crime Agency reported at least 2,100 Lumma Stealer victims in the UK within the last six months.

What this means for technologists, policymakers, and operators

  • Technologists and security teams: The advisory's concrete recommendations are actionable — move management traffic to SNMPv3, hunt for weak or default community strings, and either patch CVE-2018-0171 or disable the Smart Install feature on affected Cisco devices. The actor’s tactics favor simple misconfiguration and legacy software rather than exotic zero-days.
  • Policymakers and regulators: The EU/UK attribution and the joint sanctions package show a diplomatic and financial response layered on technical defenses. Regulators responsible for critical-infrastructure resilience will be watching implementation of vendor advisories and patching regimes closely.
  • Affected enterprises and operators (communications, defence, energy, financial services, government, healthcare): These sectors were explicitly singled out as most at risk and are being urged to take immediate action on SNMP configurations and to inventory devices for end-of-life Cisco Smart Install exposure.

Centre 16 — also referenced in the advisory by aliases including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra — continues to blend opportunistic scanning with occasional exploitation of known vendor flaws. The takeaway is stark and operational: prevent the simplest avenues of access today, because that is where this actor is still most effective. The allied advisory and the parallel political measures taken by the EU and UK leave little doubt that the response will be both technical and geopolitical; the next measurable outcomes will be how quickly organizations move to SNMPv3, apply or mitigate CVE-2018-0171, and how enforcement of the sanctions affects the proxy networks named by authorities.

Original story