The UK’s National Cyber Security Centre has urged operators in communications, defence, energy, finance, government and healthcare to harden routers immediately against an ongoing Russian intelligence campaign. Published on July 13 alongside 18 partner agencies from 12 countries, the advisory says cyber actors linked to Centre 16 of Russia’s Federal Security Service are scanning globally for poorly configured network devices and exploiting them opportunistically.
Detailed in the joint advisory led by the US National Security Agency and co-signed by the NCSC, the activity does not depend on a novel zero-day vulnerability. The attackers are finding exposed management services, weak Simple Network Management Protocol credentials and outdated Cisco features that should already have been restricted or retired.
That makes this warning unusually actionable. Administrators are being told to move to SNMPv3, disable older SNMP versions where possible, remove default credentials, restrict management traffic to trusted systems and replace network equipment that can no longer receive security updates.
Centre 16 is tracked by security companies under several overlapping names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra. The agencies caution that vendor naming does not always map neatly to government attribution, but the common thread is a long-running Russian state interest in critical infrastructure and the network equipment supporting it.
The campaign primarily scans internet address ranges for routers running active SNMP agents. Attackers look for devices that accept common or default community strings, the shared secrets used by SNMPv1 and SNMPv2 for authentication.
Where writable access is available, a malicious SNMP Set-Request can instruct a router to copy its configuration into a file. That file may then be transferred through TFTP or FTP to infrastructure controlled or compromised by the attacker.
A stolen router configuration is more than an inventory document. It can disclose interface details, access-control rules, network topology, management addresses and locally stored credentials, giving the operator a map for deeper intrusion. Weak Cisco password formats may also expose secrets that can be recovered or reused elsewhere.
The advisory says Centre 16 has additionally targeted Cisco Smart Install and web-based device management portals. It identifies exploitation associated with CVE-2018-0171 and CVE-2008-4128, the latter affecting end-of-life Cisco equipment.
This is a campaign built around configuration debt: legacy protocols left enabled, forgotten devices at branch sites, reused passwords and management interfaces exposed because they were convenient during deployment. Sophisticated state backing matters, but the initial opening may be an old router running settings that should have been removed years ago.
Administrators should use the strongest modern encryption mode supported by each device. If legacy SNMP remains operationally necessary, community strings must be changed from defaults, access should be restricted to known management hosts, and read-only permissions should be used rather than read-write access.
The warning presents a practical baseline for network teams:
For Windows-oriented environments, the work will often extend beyond the router itself. Windows Server-based monitoring systems, management applications and older operational technology tools may still assume SNMPv1 or SNMPv2 connectivity. Moving to SNMPv3 therefore requires checking collector support, updating stored credentials and validating alerting before the legacy protocol is switched off.
That dependency is not a reason to postpone migration indefinitely. It is a reason to treat the change as a controlled infrastructure project rather than a last-minute firewall edit.
Local accounts deserve similar scrutiny. The agencies recommend centralised authentication for network equipment, with multi-factor authentication where feasible, while reserving local accounts for emergencies. Any account appearing outside normal naming conventions, or a routine login using a supposed break-glass credential, should be investigated.
Control of a network device can also help an attacker conceal later activity. Compromised routers may be used as proxies, making malicious connections appear to originate from a familiar address or an unrelated victim network. The advisory notes that Centre 16 has used leased virtual private servers and compromised infrastructure when conducting its operations.
This creates a detection problem for security teams accustomed to focusing on malware. There may be no suspicious executable on a Windows host at the start of the intrusion. The earliest evidence could instead be an unusual SNMP request, a configuration export, an outbound TFTP transfer or an unexpected change to a device account.
Network-device logs should consequently feed into the same security monitoring and retention processes applied to Windows, identity and cloud telemetry. If router logs are stored only on the router, an attacker controlling that device may be able to alter or erase the most useful evidence.
The agencies also observe that these techniques overlap with those used by other advanced threat groups, including Salt Typhoon. The recommended controls therefore have value beyond the campaign named in this advisory: reducing exposed management services and improving router hygiene closes opportunities used by multiple state and criminal actors.
The UK and EU also formally attributed an unsuccessful December 2025 attack against Poland’s energy grid to FSB Centre 16. According to the UK government, the operation could have interrupted electricity supplies to 500,000 people during winter had it succeeded.
That attribution gives the router advisory a sharper operational context. The concern is not simply that an intelligence service could collect configuration files; it is that access obtained through weak edge devices may support reconnaissance or operations against services whose disruption has physical and economic consequences.
NCSC Director of National Resilience Jonathon Ellison said Russian cyber actors persistently exploit vulnerabilities wherever they encounter them and urged organisations responsible for critical UK networks to implement the joint guidance immediately. The centre is also directing organisations towards Cyber Essentials certification and its updated Cyber Assessment Framework to measure security maturity and address wider weaknesses.
Certification alone will not locate every forgotten router. The immediate milestone for administrators is more concrete: inventory every internet-facing network device, establish which SNMP versions and management services are enabled, confirm whether firmware remains supported, and identify who can access the management plane.
Centre 16’s scanning is opportunistic, which means organisations do not need to be individually selected before they are exposed. If a vulnerable router answers on the public internet, that may be enough to place a critical network in the path of a Russian intelligence operation.
Detailed in the joint advisory led by the US National Security Agency and co-signed by the NCSC, the activity does not depend on a novel zero-day vulnerability. The attackers are finding exposed management services, weak Simple Network Management Protocol credentials and outdated Cisco features that should already have been restricted or retired.
That makes this warning unusually actionable. Administrators are being told to move to SNMPv3, disable older SNMP versions where possible, remove default credentials, restrict management traffic to trusted systems and replace network equipment that can no longer receive security updates.
Centre 16 Is Hunting for Configuration Debt
Centre 16 is tracked by security companies under several overlapping names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra. The agencies caution that vendor naming does not always map neatly to government attribution, but the common thread is a long-running Russian state interest in critical infrastructure and the network equipment supporting it.The campaign primarily scans internet address ranges for routers running active SNMP agents. Attackers look for devices that accept common or default community strings, the shared secrets used by SNMPv1 and SNMPv2 for authentication.
Where writable access is available, a malicious SNMP Set-Request can instruct a router to copy its configuration into a file. That file may then be transferred through TFTP or FTP to infrastructure controlled or compromised by the attacker.
A stolen router configuration is more than an inventory document. It can disclose interface details, access-control rules, network topology, management addresses and locally stored credentials, giving the operator a map for deeper intrusion. Weak Cisco password formats may also expose secrets that can be recovered or reused elsewhere.
The advisory says Centre 16 has additionally targeted Cisco Smart Install and web-based device management portals. It identifies exploitation associated with CVE-2018-0171 and CVE-2008-4128, the latter affecting end-of-life Cisco equipment.
This is a campaign built around configuration debt: legacy protocols left enabled, forgotten devices at branch sites, reused passwords and management interfaces exposed because they were convenient during deployment. Sophisticated state backing matters, but the initial opening may be an old router running settings that should have been removed years ago.
The Priority Is the Management Plane
The agencies’ central recommendation is to replace SNMPv1 and SNMPv2 with SNMPv3 configured for authentication and encryption. Unlike the older versions, SNMPv3 can protect both the identity of the communicating systems and the contents of management traffic.Administrators should use the strongest modern encryption mode supported by each device. If legacy SNMP remains operationally necessary, community strings must be changed from defaults, access should be restricted to known management hosts, and read-only permissions should be used rather than read-write access.
The warning presents a practical baseline for network teams:
- Disable Cisco Smart Install on every device where it remains active.
- Permit SNMP and other management protocols only from authorised management systems, preferably through a dedicated out-of-band network.
- Block unnecessary external access to TFTP, Smart Install and SNMP ports at the network edge.
- Use strong, unique local device passwords and store them in an approved credential-management system.
- Monitor for unexpected local accounts and logins that do not match organisational naming conventions.
- Patch supported network devices and replace equipment that has reached end of life.
- Inspect inbound SNMP Set-Requests for attempts to access sensitive configuration data or trigger configuration exports.
For Windows-oriented environments, the work will often extend beyond the router itself. Windows Server-based monitoring systems, management applications and older operational technology tools may still assume SNMPv1 or SNMPv2 connectivity. Moving to SNMPv3 therefore requires checking collector support, updating stored credentials and validating alerting before the legacy protocol is switched off.
That dependency is not a reason to postpone migration indefinitely. It is a reason to treat the change as a controlled infrastructure project rather than a last-minute firewall edit.
Local accounts deserve similar scrutiny. The agencies recommend centralised authentication for network equipment, with multi-factor authentication where feasible, while reserving local accounts for emergencies. Any account appearing outside normal naming conventions, or a routine login using a supposed break-glass credential, should be investigated.
A Router Compromise Can Become a Network Compromise
Routers sit in a useful position for espionage because they handle traffic while often receiving less monitoring than Windows endpoints and servers. Endpoint detection tools may provide extensive telemetry from a domain controller or administrator workstation while offering no visibility into an aging switch or router operating at the perimeter.Control of a network device can also help an attacker conceal later activity. Compromised routers may be used as proxies, making malicious connections appear to originate from a familiar address or an unrelated victim network. The advisory notes that Centre 16 has used leased virtual private servers and compromised infrastructure when conducting its operations.
This creates a detection problem for security teams accustomed to focusing on malware. There may be no suspicious executable on a Windows host at the start of the intrusion. The earliest evidence could instead be an unusual SNMP request, a configuration export, an outbound TFTP transfer or an unexpected change to a device account.
Network-device logs should consequently feed into the same security monitoring and retention processes applied to Windows, identity and cloud telemetry. If router logs are stored only on the router, an attacker controlling that device may be able to alter or erase the most useful evidence.
The agencies also observe that these techniques overlap with those used by other advanced threat groups, including Salt Typhoon. The recommended controls therefore have value beyond the campaign named in this advisory: reducing exposed management services and improving router hygiene closes opportunities used by multiple state and criminal actors.
The Warning Lands Beside a Wider UK Response
The NCSC announcement coincided with a UK and European Union response to Russian cyber and hybrid operations. The Foreign, Commonwealth and Development Office said the UK had sanctioned 24 individuals and entities connected to destructive cyber activity, criminal proxy networks and influence operations.The UK and EU also formally attributed an unsuccessful December 2025 attack against Poland’s energy grid to FSB Centre 16. According to the UK government, the operation could have interrupted electricity supplies to 500,000 people during winter had it succeeded.
That attribution gives the router advisory a sharper operational context. The concern is not simply that an intelligence service could collect configuration files; it is that access obtained through weak edge devices may support reconnaissance or operations against services whose disruption has physical and economic consequences.
NCSC Director of National Resilience Jonathon Ellison said Russian cyber actors persistently exploit vulnerabilities wherever they encounter them and urged organisations responsible for critical UK networks to implement the joint guidance immediately. The centre is also directing organisations towards Cyber Essentials certification and its updated Cyber Assessment Framework to measure security maturity and address wider weaknesses.
Certification alone will not locate every forgotten router. The immediate milestone for administrators is more concrete: inventory every internet-facing network device, establish which SNMP versions and management services are enabled, confirm whether firmware remains supported, and identify who can access the management plane.
Centre 16’s scanning is opportunistic, which means organisations do not need to be individually selected before they are exposed. If a vulnerable router answers on the public internet, that may be enough to place a critical network in the path of a Russian intelligence operation.
References
- Primary source: Computing UK
Published: 2026-07-13T10:00:14.739672
NCSC urges critical sectors to strengthen defences against FSB attacks
The National Cyber Security Centre (NCSC), alongside 18 agencies from 12 countries, published a new advisory warning of the risks to critical national infrastructure (CNI) ...www.computing.co.uk - Related coverage: ncsc.gov.uk
UK and Allies urge critical sectors to improve defences against Russian intelligence targeting
New advisory highlights Russian state cyber actors’ global exploitation of poorly configured routerswww.ncsc.gov.uk