Skip to content
Tech News
← Back to articles

US and allies warn of Russian critical infrastructure attacks

read original more articles

Cybersecurity agencies from the United States and eight other countries have issued a joint warning that Russian state hackers are targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks.

The joint advisory, co-authored by the NSA, FBI, and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the attacks to hackers from the Russian Federal Security Service (FSB) Center 16.

This hacking group (tracked as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra) scans internet-connected IP address ranges for routers accepting default or common SNMP authentication strings, then issues commands using spoofed IP addresses to copy device configuration files and exfiltrate them via the Trivial File Transfer Protocol to actor-controlled servers.

In August 2025, the FBI also warned that the same group has been targeting critical infrastructure using a critical vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software (tracked as CVE-2018-0171) since November 2021.

The sectors most at risk from these attacks include energy, communications, defense industrial base, healthcare, financial services, defense, and state and local government services.

"Centre 16 [..] has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords and community strings," the UK National Cyber Security Centre warned on Monday.

"Whilst the actor primarily uses SNMP scans to locate and compromise vulnerable routers, they have also exploited well-known vulnerabilities relating to Cisco devices, Cisco's Smart Install (SMI) feature and web-portal flaws to gain control of network devices."

The authoring cybersecurity also provided mitigation measures to help network defenders harden their networks against these attacks, urging them to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, block TFTP and SNMP traffic at edge firewalls, update software and firmware, and replace end-of-life devices.

Mitigation actions (FBI)

​This advisory follows an international law enforcement operation that disrupted FrostArmada, a separate campaign attributed to APT28 (a Russian military intelligence group linked to GRU unit 26165, also tracked as Fancy Bear and Forest Blizzard) that had infected 18,000 routers across 120 countries by December 2025.

... continue reading