Global Warning on Russian Router Attacks

Russian state-sponsored actors are exploiting poorly configured and unpatched network devices across critical infrastructure worldwide, using weaknesses as basic as default SNMP community strings, a 20-agency international advisory warns.

The joint advisory, Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, was released in July 2026 by the US National Security Agency, CISA and the FBI. Co-sealing agencies include the Australian Signals Directorate's Australian Cyber Security Centre and New Zealand's National Cyber Security Centre, alongside agencies from the UK, Canada and eight European nations.

The advisory attributes the activity to Russian Federal Security Service (FSB) Center 16 actors, tracked in industry reporting under names including Berserk Bear, Dragonfly, Ghost Blizzard and Static Tundra. The campaign has run for more than a decade and opportunistically compromises networks across multiple critical infrastructure sectors.

Sectors most at risk include communications, energy, financial services, healthcare, defence industrial base, and government services, particularly at state and local level.

How the Attacks Work

The actors scan internet IP ranges for active SNMP agents that accept common or default community strings. Using spoofed requests, they instruct poorly configured devices to copy their configuration files, often named "config.bkp" or "output.txt". The files are then transferred, typically via TFTP, to actor-controlled servers.

The actors also occasionally exploit known vulnerabilities in Cisco devices, including CVE-2018-0171 in Cisco's Smart Install functionality. The advisory notes many of these techniques overlap with activity by other actors, such as Salt Typhoon, so the mitigations offer broader protection.

The agencies recommend disabling Cisco Smart Install on all devices and replacing SNMPv1 and v2 with SNMPv3 configured for authentication and encryption. Where legacy SNMP cannot be removed, default community strings must be changed and read-write access disabled.

Other measures include strong unique passwords stored with secure hashing types, allow-lists restricting SNMP access to management devices, and blocking external traffic on TFTP, Smart Install and SNMP ports unless mission critical. Organisations should patch network device firmware and replace end-of-life hardware.

 

Business Solution