CISA, NSA, the FBI, and international partners are warning that Russian Federal Security Service Center 16 actors are exploiting poorly configured and vulnerable networking devices. Joint advisory AA26-194A specifically highlights abuse of Simple Network Management Protocol configuration-copy functions, transfers over Trivial File Transfer Protocol, Cisco Smart Install exposure, Internet-reachable management services, and weak Cisco password-storage types.
The advisory names communications, defense, energy, financial services, government, and healthcare as high-risk sectors. Organizations in those sectors should treat the warning as an immediate priority. The underlying hardening practices are also prudent for any organization operating Internet-connected routers, switches, or network-management services.
The activity is tracked under several industry names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Whatever label a security team uses, the immediate response is the same: reduce management-plane exposure, disable obsolete or unnecessary services, and look for configuration-copy activity that does not match authorized administration.
Do not wait for a complete architecture review before addressing the most dangerous exposures. In the first 30 minutes:
A central concern is abuse of SNMP Set-Requests. Where an exposed SNMP service permits the relevant write operation, a requester can use Object Identifiers, or OIDs, associated with device administration. The device may then perform a configuration-copy action through its own management functionality.
According to the joint advisory, the actors have directed devices to create configuration copies with names such as
This can resemble unauthorized administration rather than conventional malware execution. Endpoint security installed on Windows workstations and servers may not observe the initiating action because it occurs on a router or switch. Network telemetry, device logs, firewall records, and configuration auditing are therefore essential parts of detection.
The FBI’s 2025 alert I-082025-PSA previously warned about Russian government actors targeting networking devices and critical infrastructure. AA26-194A provides additional technical indicators and mitigation priorities for defenders responding to FSB Center 16 activity.
That makes configuration theft more than a routine backup-policy violation. It can support follow-on activity by giving an attacker information that should be limited to trusted administrators. Defenders should consequently treat an unexplained configuration copy or transfer as a potential security incident, not merely an unusual maintenance task.
The most useful response is to compare device behavior with a known administrative workflow:
Version selection is only one part of the control. Administrators must also restrict which hosts can contact the SNMP service and limit the objects that an authorized account can access. A Management Information Base, or MIB, allow list can reduce the set of permitted operations rather than giving every management account broad access.
If an organization cannot immediately remove SNMPv1 or SNMPv2, it should follow the joint advisory’s interim safeguards, including changing default community strings and limiting access to read-only rather than read-write. That is a temporary risk-reduction step, not a reason to defer migration indefinitely.
Verification must test the effective control, not just the intended configuration. After a change:
Detection should go beyond alerting whenever UDP 161 is contacted. Useful logic includes:
External communication over TCP 4786 should be denied unless an organization has a documented, mission-critical requirement. Even then, the service should not be broadly Internet-accessible. Administrators should verify both that the feature is disabled on the device and that external traffic to the port is blocked.
TFTP also appears in the observed configuration-copy workflow. The advisory recommends denying external communications over UDP 69 unless they are mission-critical. Organizations that legitimately use TFTP should document the expected source, destination, direction, and schedule, then alert on transfers that fall outside that pattern.
The same exposure-reduction principle applies to UDP 161 and 162 and TCP or UDP 10161 and 10162. Using a stronger protocol setting does not justify exposing a management service to arbitrary Internet hosts. Only approved management systems should have a network path to required device-management services.
The advisory also clarifies that CVE-2008-4128 affects end-of-life Cisco devices. Administrators should not treat that CVE as applying to every Cisco product. They should, however, identify unsupported equipment and plan replacement rather than assuming that firewall controls can permanently compensate for hardware or software that no longer receives normal vendor support.
Administrators should apply that recommendation without relying on an oversimplified visual inspection of the configuration. The fact that a password value is not immediately recognizable does not establish that the configured storage type meets current guidance. The device configuration should be audited specifically for the declared Cisco password type.
A practical review should:
That scope should not be expanded into a claim that every organization faces the same assessed threat level. However, disabling unnecessary management services, restricting administrative access, using SNMPv3
The advisory is associated with NSA, CISA, the FBI, the Department of Defense Cyber Crime Center, and international partners from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden. For administrators, the useful takeaway is not the number of participating agencies but the consistency of the recommended controls.
2022: NSA publishes Cisco password-types best-practices guidance.
2023: NSA publishes its Network Infrastructure Security Guide.
2025: The FBI issues alert I-082025-PSA concerning Russian government actors targeting networking devices and critical infrastructure.
AA26-194A publication: CISA and its partners provide technical details, indicators, and mitigations for FSB Center 16 activity involving poorly configured and vulnerable networking devices.
The timeline shows that the central defensive measures are not dependent on a newly disclosed product flaw. They are established hardening steps that need to be applied and verified.
At a minimum, security operations should receive:
Configuration baselines should be stored in a controlled repository separate from the managed device. That gives administrators an independent record for comparing approved settings with the current running configuration. Access to those backups should be restricted because the files themselves are sensitive.
Organizations that complete those steps will have reduced the attack surface before the next scan arrives. Those that also retain device telemetry, maintain independent configuration baselines, and correlate SNMP operations with outbound transfers will be in a much stronger position to recognize attempted configuration theft before it becomes the foundation for a broader intrusion.
The advisory names communications, defense, energy, financial services, government, and healthcare as high-risk sectors. Organizations in those sectors should treat the warning as an immediate priority. The underlying hardening practices are also prudent for any organization operating Internet-connected routers, switches, or network-management services.
The activity is tracked under several industry names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Whatever label a security team uses, the immediate response is the same: reduce management-plane exposure, disable obsolete or unnecessary services, and look for configuration-copy activity that does not match authorized administration.
First 30 Minutes: Reduce Exposure Now
Do not wait for a complete architecture review before addressing the most dangerous exposures. In the first 30 minutes:- Identify Internet-facing network-management interfaces.
Review external firewall rules, NAT mappings, cloud security controls, device access lists, and the organization’s external attack-surface inventory. From an authorized external scanner, test public addresses for the management ports listed below. Confirm findings with the network team so that a filtered port is not mistaken for a disabled service. - Block the listed external ports where they are not mission-critical.
Deny unnecessary Internet-originated traffic to UDP 69, UDP 161, UDP 162, TCP 4786, and TCP or UDP 10161 and 10162. Apply the control at the external firewall or upstream enforcement point, then repeat the authorized external scan to verify that the services are no longer reachable. - Disable Cisco Smart Install, also called SMI.
Check the device’s running configuration and service status using the vendor-supported management interface. Disable Smart Install on every device where it is present, then verify externally that TCP 4786 is not reachable and internally that the service is no longer listening. - Disable SNMPv1 and SNMPv2.
Review each device’s active SNMP configuration rather than relying only on an inventory database. Remove legacy-version configuration where operationally possible. Verify the result by attempting authorized polling with SNMPv1 and SNMPv2 from a management host and confirming that both attempts fail. - Verify SNMPv3
authPrivand authorized management-host restrictions.
Confirm that required monitoring still works through SNMPv3 with authentication and privacy enabled. Check that only explicitly authorized management systems can reach the service and that permitted accounts have only the required object access. Test from both an authorized host and an unauthorized network location.
Russia Is Abusing Router Administration Functions
AA26-194A describes activity in which FSB Center 16 actors scan Internet address ranges for networking devices and management services. The advisory maps this behavior to Active Scanning—Scanning IP Blocks, T1595.001, and Active Scanning—Vulnerability Scanning, T1595.002.A central concern is abuse of SNMP Set-Requests. Where an exposed SNMP service permits the relevant write operation, a requester can use Object Identifiers, or OIDs, associated with device administration. The device may then perform a configuration-copy action through its own management functionality.
According to the joint advisory, the actors have directed devices to create configuration copies with names such as
config.bkp and output.txt. The resulting file can then be transferred using TFTP to actor-controlled infrastructure. The advisory also discusses compromised FTP servers in connection with configuration transfers.This can resemble unauthorized administration rather than conventional malware execution. Endpoint security installed on Windows workstations and servers may not observe the initiating action because it occurs on a router or switch. Network telemetry, device logs, firewall records, and configuration auditing are therefore essential parts of detection.
The FBI’s 2025 alert I-082025-PSA previously warned about Russian government actors targeting networking devices and critical infrastructure. AA26-194A provides additional technical indicators and mitigation priorities for defenders responding to FSB Center 16 activity.
Detection and containment values
Category Exact value Defensive use Cisco Config Copy OID 1.3.6.1.4.1.9.9.96.1.1Alert on inbound SNMP Set-Requests involving this configuration-copy object Cisco Config Copy Server Address OID 1.3.6.1.4.1.9.9.96.1.1.1.1.5Examine the specified transfer destination and compare it with approved management infrastructure Observed filename config.bkpInvestigate unexpected creation or transfer Observed filename output.txtInvestigate unexpected creation or transfer TFTP UDP 69Block externally unless mission-critical; correlate transfers with SNMP Set-Requests SNMP UDP 161Block externally unless mission-critical; inspect requests from unauthorized sources SNMP traps UDP 162Block unnecessary external access Cisco Smart Install TCP 4786Disable SMI and verify the port is not externally reachable SNMPv3-related management ports identified by the advisory TCP/UDP 10161and10162Block externally unless mission-critical and explicitly authorized Configuration-transfer protocol TFTP Treat unapproved transfers from network devices as high-priority events Additional transfer protocol discussed by the advisory FTP Review device-originated transfers to destinations outside approved infrastructure
Why Configuration-Copy Abuse Matters
A router configuration is operationally sensitive. Even without assuming that every copied file contains the same information, unauthorized access to device configuration can help an actor understand how the device is administered and which controls are in effect.That makes configuration theft more than a routine backup-policy violation. It can support follow-on activity by giving an attacker information that should be limited to trusted administrators. Defenders should consequently treat an unexplained configuration copy or transfer as a potential security incident, not merely an unusual maintenance task.
The most useful response is to compare device behavior with a known administrative workflow:
- Which systems are allowed to issue SNMP Set-Requests?
- Which accounts may invoke configuration-copy objects?
- Which destinations are approved to receive backups?
- Which protocols are approved for configuration transfer?
- What filenames, transfer times, and change windows are expected?
- Does the destination belong to the organization or an approved service provider?
SNMPv3 Is Necessary, but It Still Requires Restrictions
The agencies recommend disabling SNMPv1 and SNMPv2 and using SNMPv3 withauthPriv, configured with the most modern encryption standard supported by the device. The authPriv setting provides both authentication and privacy for the management session.Version selection is only one part of the control. Administrators must also restrict which hosts can contact the SNMP service and limit the objects that an authorized account can access. A Management Information Base, or MIB, allow list can reduce the set of permitted operations rather than giving every management account broad access.
| Management option | Security posture | Primary risk | Recommended treatment |
|---|---|---|---|
| SNMPv1 | Legacy SNMP version | Exposure of an obsolete management service and potentially excessive access | Disable |
| SNMPv2 | Legacy SNMP version | Similar management-plane exposure when unnecessarily reachable or writable | Disable |
SNMPv3 with authPriv | Authentication and privacy enabled | Remains risky if exposed broadly or granted excessive object access | Use with modern supported encryption, authorized-host restrictions, and MIB allow lists |
| Cisco Smart Install | Automated installation and deployment functionality | Can be abused when enabled and exposed | Disable on all devices in accordance with the advisory |
Verification must test the effective control, not just the intended configuration. After a change:
- Poll the device with SNMPv3
authPrivfrom an authorized management host and confirm that required monitoring succeeds. - Attempt the same authorized operation from a network location that is not on the permitted management-host list and confirm that it fails.
- Attempt SNMPv1 and SNMPv2 polling from the authorized host and confirm that the legacy versions are rejected.
- Attempt a write operation only in a controlled maintenance window and only if the test is approved. Confirm that accounts intended for read-only monitoring cannot issue Set-Requests.
- Review device and firewall logs to ensure that denied requests are visible to monitoring personnel.
Turn the OIDs Into Detection Logic
AA26-194A gives defenders two concrete Cisco objects to monitor:- Cisco Config Copy OID:
1.3.6.1.4.1.9.9.96.1.1 - Cisco Config Copy Server Address OID:
1.3.6.1.4.1.9.9.96.1.1.1.1.5
Detection should go beyond alerting whenever UDP 161 is contacted. Useful logic includes:
- Alert when an SNMP Set-Request involving either listed OID comes from a host outside the approved management inventory.
- Alert when the server-address value points to a destination outside approved backup infrastructure.
- Correlate the Set-Request with an outbound TFTP session from the same network device.
- Search transfer metadata and available device telemetry for
config.bkporoutput.txt. - Escalate when a device contacts a new or unapproved TFTP or FTP destination.
- Compare the event time with maintenance windows, change tickets, and scheduled backup jobs.
- Review whether the account or SNMPv3 principal had a legitimate need for write access.
Old Services Continue to Create Avoidable Exposure
Cisco Smart Install is another priority in the advisory. NSA guidance issued in 2017 addressed Smart Install misuse and recommended disabling the feature. AA26-194A again tells organizations to disable Cisco Smart Install on all devices.External communication over TCP 4786 should be denied unless an organization has a documented, mission-critical requirement. Even then, the service should not be broadly Internet-accessible. Administrators should verify both that the feature is disabled on the device and that external traffic to the port is blocked.
TFTP also appears in the observed configuration-copy workflow. The advisory recommends denying external communications over UDP 69 unless they are mission-critical. Organizations that legitimately use TFTP should document the expected source, destination, direction, and schedule, then alert on transfers that fall outside that pattern.
The same exposure-reduction principle applies to UDP 161 and 162 and TCP or UDP 10161 and 10162. Using a stronger protocol setting does not justify exposing a management service to arbitrary Internet hosts. Only approved management systems should have a network path to required device-management services.
The advisory also clarifies that CVE-2008-4128 affects end-of-life Cisco devices. Administrators should not treat that CVE as applying to every Cisco product. They should, however, identify unsupported equipment and plan replacement rather than assuming that firewall controls can permanently compensate for hardware or software that no longer receives normal vendor support.
Password Storage Can Increase the Impact of Configuration Theft
AA26-194A includes specific Cisco password-storage guidance. For Cisco user credentials, the advisory recommends Type 8 and says to avoid Types 0, 4, and 7.Administrators should apply that recommendation without relying on an oversimplified visual inspection of the configuration. The fact that a password value is not immediately recognizable does not establish that the configured storage type meets current guidance. The device configuration should be audited specifically for the declared Cisco password type.
A practical review should:
- Export or inspect the configuration through an authorized administrative process.
- Identify every Cisco user credential entry and its configured password type.
- Flag Types 0, 4, and 7 for remediation.
- Migrate supported credentials to Type 8 in accordance with Cisco documentation for the exact platform and release.
- Confirm that required administration still works after the change.
- Protect configuration backups and limit access to personnel and systems with a documented operational need.
The Named Sectors Face the Highest Stated Risk
The advisory identifies communications, defense, energy, financial services, government, and healthcare organizations as high-risk sectors. Organizations in those categories should prioritize exposed management interfaces and vulnerable or poorly configured networking devices in incident-response and remediation queues.That scope should not be expanded into a claim that every organization faces the same assessed threat level. However, disabling unnecessary management services, restricting administrative access, using SNMPv3
authPriv, monitoring sensitive OIDs, and replacing end-of-life equipment are generally prudent practices for networks outside the named sectors as well.The advisory is associated with NSA, CISA, the FBI, the Department of Defense Cyber Crime Center, and international partners from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden. For administrators, the useful takeaway is not the number of participating agencies but the consistency of the recommended controls.
Timeline
2017: NSA publishes guidance addressing Cisco Smart Install protocol misuse and recommends disabling the feature.2022: NSA publishes Cisco password-types best-practices guidance.
2023: NSA publishes its Network Infrastructure Security Guide.
2025: The FBI issues alert I-082025-PSA concerning Russian government actors targeting networking devices and critical infrastructure.
AA26-194A publication: CISA and its partners provide technical details, indicators, and mitigations for FSB Center 16 activity involving poorly configured and vulnerable networking devices.
The timeline shows that the central defensive measures are not dependent on a newly disclosed product flaw. They are established hardening steps that need to be applied and verified.
Network-Device Events Belong in Security Operations
Windows-focused security teams do not need to take ownership of router engineering, but they should ensure that network-device incidents enter the same investigation process as identity, endpoint, VPN, and firewall alerts.At a minimum, security operations should receive:
- Network-device authentication events.
- SNMP access and Set-Request events where the platform can provide them.
- Firewall records for the listed management and transfer ports.
- TFTP and FTP transfer telemetry involving routers and switches.
- Alerts for the two Cisco configuration-copy OIDs.
- Notifications when a network device contacts a new external destination.
- Results from scheduled external scans of public management exposure.
- Configuration-drift findings based on an approved baseline.
output.txt, is substantially more actionable than a generic SNMP-port alert.Configuration baselines should be stored in a controlled repository separate from the managed device. That gives administrators an independent record for comparing approved settings with the current running configuration. Access to those backups should be restricted because the files themselves are sensitive.
Admin implementation and verification checklist
- [ ] Inventory every Internet-facing router, switch, firewall appliance, and network-management interface, including end-of-life devices.
- [ ] Validate the inventory with an authorized external scan rather than relying only on internal records.
- [ ] Deny unnecessary external traffic on UDP 69, UDP 161, UDP 162, TCP 4786, and TCP/UDP 10161 and 10162.
- [ ] Repeat the external scan and preserve evidence that the ports are blocked or no longer listening.
- [ ] Disable Cisco Smart Install using the vendor-documented procedure for the exact platform and release.
- [ ] Confirm on the device that SMI is disabled, then verify that TCP 4786 is not externally reachable.
- [ ] Disable SNMPv1 and SNMPv2.
- [ ] Test from an authorized management host and confirm that legacy-version polling fails.
- [ ] Configure required SNMP access through SNMPv3 with
authPrivand the most modern encryption supported by the device. - [ ] Confirm that authorized monitoring succeeds through SNMPv3
authPriv. - [ ] Restrict SNMP access to approved management hosts and test from an unauthorized location to confirm rejection.
- [ ] Implement MIB allow lists or the platform’s documented equivalent so accounts can access only required objects.
- [ ] Alert on Set-Requests involving
1.3.6.1.4.1.9.9.96.1.1. - [ ] Alert on Set-Requests involving
1.3.6.1.4.1.9.9.96.1.1.1.1.5. - [ ] Investigate unexpected
config.bkpandoutput.txtfiles or transfers. - [ ] Correlate sensitive SNMP Set-Requests with device-originated TFTP or FTP traffic.
- [ ] Audit Cisco user credentials for Type 8 and remediate Types 0, 4, and 7.
- [ ] Store approved configuration baselines separately from the devices and monitor for drift.
- [ ] Patch supported firmware and software using the vendor’s documented process.
- [ ] Create a replacement plan for end-of-life equipment.
The Decisions That Matter Before the Next Scan Arrives
AA26-194A’s most useful conclusions are operational:- FSB Center 16 is targeting poorly configured and vulnerable networking devices.
- SNMP Set-Requests can abuse legitimate configuration-copy functionality.
- The Cisco configuration-copy OIDs give defenders precise detection targets.
- TFTP transfers and the filenames
config.bkpandoutput.txtprovide additional correlation points. - SNMPv1 and SNMPv2 should be disabled.
- Required SNMP should use SNMPv3
authPriv, authorized-host restrictions, and limited object access. - Cisco Smart Install should be disabled.
- Unnecessary external access to UDP 69, UDP 161, UDP 162, TCP 4786, and TCP/UDP 10161 and 10162 should be blocked.
- Cisco password Types 0, 4, and 7 should be replaced with Type 8 in accordance with the advisory and applicable Cisco documentation.
- End-of-life equipment should be treated as a replacement issue.
Organizations that complete those steps will have reduced the attack surface before the next scan arrives. Those that also retain device telemetry, maintain independent configuration baselines, and correlate SNMP operations with outbound transfers will be in a much stronger position to recognize attempted configuration theft before it becomes the foundation for a broader intrusion.
References
- Primary source: CISA
Published: 2026-07-13T12:00:00+00:00
- Related coverage: infosecurity-magazine.com
Russian State Hackers Target Vulnerable Routers Worldwide - Infosecurity Magazine
Cybersecurity agencies from 12 countries have warned that Russian state-backed hackers are actively targeting vulnerable routers using weak SNMP credentialswww.infosecurity-magazine.com
- Related coverage: aha.org