Cybersecurity agencies from the United States and eight partner nations have issued a joint advisory warning that Russian state‑backed hackers are exploiting weak routers to infiltrate critical infrastructure, endangering sectors such as energy, health and finance.
मुख्य बिंदु (Key Takeaways)
- Russian state hackers are scanning for default or weak SNMP credentials to compromise routers.
- They combine SNMP exploits with Cisco Smart Install vulnerabilities to exfiltrate data.
- Energy, healthcare, finance and government networks are most at risk; upgrade to SNMPv3 and disable Smart Install.
The United States, together with Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France and Italy, has released a joint advisory co‑authored by the NSA, FBI and CISA. The notice attributes the activity to the Russian Federal Security Service (FSB) Center 16, a group known in intelligence circles as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.
How the Group Operates
The attackers sweep internet‑connected IP ranges for routers still accepting default or common Simple Network Management Protocol (SNMP) strings. Using spoofed IP addresses, they issue commands to copy configuration files and exfiltrate them via the Trivial File Transfer Protocol (TFTP) to servers under their control.
Previous Campaigns
In August 2025, the FBI warned that the same group had been exploiting a critical vulnerability in Cisco’s Smart Install feature (CVE‑2018‑0171) since November 2021. That vulnerability allowed the actors to gain footholds in networks spanning energy, communications and defense sectors.
Sectors Under Threat
Energy, communications, defense industrial base, healthcare, financial services, and state‑and‑local government services are identified as the most vulnerable. The UK National Cyber Security Centre echoed the US warning, stating that “Centre 16 has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak SNMP passwords and community strings.”
Mitigation Recommendations
Cyber experts urge organisations to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, block TFTP and SNMP traffic at edge firewalls, keep software and firmware up‑to‑date, and retire end‑of‑life devices. Prompt implementation of these measures can dramatically reduce the attack surface.