WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with National Security Agency (NSA), Federal Bureau of Investigation (FBI), Defense Cyber Crime Center (DC3), and international partners, released a joint cybersecurity advisory, Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting. The advisory warns that Russian cyber threat actors are targeting vulnerable networking devices in critical infrastructure sectors globally, especially communications, defense industrial base, energy, financial services, government services and facilities, and healthcare and public health.
Led by NSA, the advisory highlights how threat actors primarily leverage poorly configured routers but are also known to exploit common vulnerabilities and exposures (CVEs) to gain unauthorized access, exfiltrate sensitive configurations, and facilitate malicious activity. To defend against these threats, the advisory outlines actionable mitigation steps, such as:
- Restrict access to management interfaces and firewall devices
- Adopt stronger authentication and data encryption protocols
- Secure weak and vulnerable internet-facing systems
- Monitor for suspicious activity
“CISA continues to work with domestic and global partners to highlight the ongoing threat of nation-state actors targeting vulnerable network devices,” said Acting Executive Assistant Director for Cybersecurity Chris Butera. “The advisory provides a timely and urgent reminder of actions for critical infrastructure owners and operators to counter Russian state-sponsored activity. CISA urges network defenders to implement mitigation and remediation measures to reduce your attack surface and risk of exploitation.”
"Russian state-sponsored cyber actors have spent years quietly extracting configuration data from poorly configured routers across critical infrastructure," said Assistant Director Brett Leatherman of the FBI's Cyber Division. "This advisory gives network defenders the visibility to spot this activity and the mitigations to counter it. The FBI will work with our partners to continue to expose this tradecraft and hold these actors accountable."
The advisory builds upon the FBI’s August 2025 public service announcement, Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure, which details malicious cyber activity attributed to the Russian Federal Security Service (FSB) Center 16.
Alongside the NSA, CISA, FBI, and DC3, additional co-sealing partners include:
- Australian Signals Directorate’s Australian Cyber Security Centre
- Communications Security Establishment Canada’s Canadian Centre for Cyber Security
- New Zealand National Cyber Security Centre
- United Kingdom National Cyber Security Centre
- Czech Republic National Cyber and Information Security Agency
- Danish Defence Intelligence Service
- Estonian Foreign Intelligence Service
- Estonian Information System Authority
- Finnish Defence Intelligence
- Finnish Security and Intelligence Service
- French National Cybersecurity Agency
- Italian External Intelligence and Security Agency
- Italian Internal Intelligence and Security Agency
- The Military Counterintelligence Service of Poland
- Sweden National Cyber Security Centre
For more information, please visit Russia Threat Overview and Advisories.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.
Facts Only
* CISA collaborated with NSA, FBI, DC3, and international partners to release an advisory.
* The advisory is titled "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting."
* Russian cyber threat actors target vulnerable networking devices in critical infrastructure sectors globally.
* Targeted sectors include communications, the defense industrial base, energy, financial services, government services/facilities, and healthcare/public health.
* Threat actors primarily leverage poorly configured routers and exploit Common Vulnerabilities and Exposures (CVEs).
* Recommended mitigation steps include restricting access to management interfaces and firewalls, adopting stronger authentication/encryption, securing internet-facing systems, and monitoring for suspicious activity.
* CISA stated that the advisory serves as an urgent reminder for critical infrastructure owners and operators to counter Russian state-sponsored activity.
* The FBI Assistant Director noted actors have spent years extracting configuration data from poorly configured routers across critical infrastructure.
* The advisory builds upon the FBI’s August 2025 public service announcement regarding cyber activity attributed to the FSB Center 16.
* Co-sealing partners include bodies from Australia, Canada, New Zealand, the UK, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden.
Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA), working with the National Security Agency (NSA), FBI, Defense Cyber Crime Center (DC3), and international partners, issued an advisory titled "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting." This advisory warns that Russian cyber threat actors are targeting vulnerable networking devices within critical infrastructure sectors globally, including communications, energy, government services, financial services, defense industrial base, and healthcare. The advisory indicates that threat actors frequently exploit poorly configured routers and known vulnerabilities (CVEs) to gain access and exfiltrate data. To defend against this activity, the advisory recommends implementing mitigation steps such as restricting access to management interfaces, adopting stronger authentication and encryption protocols, securing internet-facing systems, and monitoring for suspicious activity.
The advisory highlights the long-term pattern of state-sponsored actors extracting configuration data from poorly configured routers across critical infrastructure. The FBI noted that this activity has been ongoing, referencing a public service announcement from August 2025 regarding cyber activity attributed to the Russian Federal Security Service (FSB) Center 16. CISA stresses that network defenders must implement remediation measures to reduce their attack surface against these threats.
The advisory is supported by collaboration among several international partners, including entities from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden.
Full Take
The narrative frames a specific technical vulnerability—insecure network device configuration—as the primary vector for sophisticated nation-state targeting of global critical infrastructure. The persistence suggested by the FBI's comment regarding long-term data extraction from routers introduces an element of systemic negligence as well as intentional exploitation, suggesting that operational security failures are being weaponized by state actors. The inclusion of a wide array of international partners suggests that this threat is recognized as a shared, transnational risk requiring coordinated defense, moving the issue beyond a purely domestic security concern into the realm of geopolitical vulnerability management.
The pattern observed is one where technical reality (poor configuration) intersects with strategic capability (state-sponsored targeting) to create urgency for immediate defensive action. The call to action focuses heavily on procedural hygiene—router hardening and access control—which treats the exploit vector as a malleable, manageable flaw rather than an intractable adversary. A critical point of analysis is the implicit weighting between technical remediation steps and the broader geopolitical context mentioned through numerous international allies; this structure suggests that effective defense requires simultaneous attention to both granular system security and high-level threat awareness shared across allied structures.
The question arises whether focusing mitigation efforts primarily on router hygiene addresses the broader systemic issue of state sponsorship, or if it serves as a necessary, yet incomplete, tactical response against an adversary with vast resources. What mechanisms exist to ensure that global coordination translates into consistent operational security standards across diverse national infrastructures?
Sentinel — Human
This appears to be an accurate recounting of a joint cybersecurity advisory released by federal agencies, characterized by formal attribution and structured information sharing.
