Cybersecurity agencies from the United States and eight allied countries have issued a joint advisory warning that Russian state-sponsored hackers are actively targeting vulnerable and poorly configured routers to gain footholds in critical infrastructure networks.

The advisory, co-authored by the NSA, FBI, and CISA along with 15 additional agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the activity to hackers from the Russian Federal Security Service (FSB) Center 16. The group is also tracked under names including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.

How the attacks work

According to the advisory, the group scans internet-connected IP ranges for routers still using default or common SNMP authentication strings. Once identified, the attackers issue commands using spoofed IP addresses to copy device configuration files, then exfiltrate them via TFTP to servers under their control.

The UK’s National Cyber Security Centre noted that while SNMP scanning is the group’s primary method, it has also exploited known vulnerabilities in Cisco devices, including the Smart Install feature, as well as web-portal flaws to seize control of network devices. A related FBI warning from August 2025 flagged the group’s use of CVE-2018-0171, a critical vulnerability in the Smart Install feature of Cisco IOS and IOS XE software, in campaigns dating back to November 2021.

Sectors most at risk include energy, communications, defense industrial base, healthcare, financial services, defense, and state and local government services.

Recommended mitigations

The authoring agencies recommend that network defenders take the following steps:

  • Upgrade to SNMPv3
  • Disable Cisco Smart Install where not required
  • Enforce strong, unique passwords and community strings
  • Block TFTP and SNMP traffic at edge firewalls
  • Keep software and firmware up to date
  • Replace end-of-life network devices

Related takedown

The advisory follows an international law enforcement operation that dismantled FrostArmada, a separate campaign attributed to APT28 (also known as Fancy Bear or Forest Blizzard, linked to GRU unit 26165). That operation had compromised roughly 18,000 routers across 120 countries by December 2025, altering DNS settings on MikroTik and TP-Link SOHO devices to redirect authentication traffic and steal Microsoft 365 credentials and OAuth tokens. With support from the Department of Justice, the Polish government, and several cybersecurity firms, the FBI executed a court-authorized operation to remotely remove the malicious DNS settings and restore legitimate resolver connections on affected devices.