Skip to content

Russian State-Sponsored Actors Target Vulnerable Routers Across Critical Infrastructure

A joint cybersecurity advisory warns that cyber actors linked to the Russian Federal Security Service’s Center 16 continue to compromise poorly configured and vulnerable networking devices worldwide. The activity is associated with threat clusters tracked as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.

The actors primarily scan internet-facing IP ranges for routers running SNMPv1 or SNMPv2 with default, common, or otherwise weak community strings. After locating an exposed device, they can send specially crafted SNMP Set-Requests that instruct the router to copy its configuration into a file, commonly named config.bkp or output.txt, and transfer it through TFTP to attacker-controlled infrastructure or a compromised FTP server.

Stolen router configurations may expose network details and credentials, particularly when passwords are stored in plaintext or protected with weak Cisco hashing types. The actors have also exploited Cisco Smart Install and known vulnerabilities, including CVE-2018-0171 and CVE-2008-4128, to gain access to networking devices.

The sectors considered most at risk include communications, defense, energy, financial services, government services, and healthcare. State and local government organizations are highlighted as particularly exposed. The advisory notes that the same weaknesses and techniques may also be used by other state-sponsored groups, including Salt Typhoon.

Organizations are urged to migrate to SNMPv3 with strong authentication and encryption, disable SNMPv1 and SNMPv2, remove default community strings, disable Cisco Smart Install, and use strong unique credentials. Network administrators should also restrict management traffic through access control lists, monitor suspicious SNMP requests, patch vulnerable devices, replace end-of-life equipment, and block unnecessary external access to TFTP, SMI, and SNMP ports.

Source (PDF): https://www.ic3.gov/CSA/2026/260713.pdf

Latest