New advisory highlights Russian state cyber actors’ global exploitation of poorly configured routers
- The UK and international allies strongly urge action to better defend against the threat from Russian state intelligence actors
- Advice follows the opportunistic exploitation of inadequately configured routers and network devices by Centre 16 of Russia’s Federal Security Service (FSB)
- Warning comes as the UK sanctions Russian state and criminal networks for cyber and hybrid operations and calls out the FSB for a reckless attack on Poland’s energy grid.
Organisations in critical infrastructure sectors are being supported to better understand and defend against malicious activity, as the UK and international partners today call out techniques used by Russian Intelligence Services
Alongside 18 agencies from 12 countries, the National Cyber Security Centre (NCSC) – a part of GCHQ – has published a new advisory highlighting the methods of Federal Security Service (FSB) Centre 16 cyber actors, who are exploiting vulnerable routers and opportunistically targeting networks belonging to critical national infrastructure (CNI) globally.
Sectors most at risk from this global targeting, including communications, defence, energy, financial services, government and healthcare, are subsequently being urged to take action. This includes recommendations to use SNMPv3 and disable legacy SNMP versions, implement strong and unique passwords for network devices, and restrict access to management protocols through appropriate access controls.
Centre 16, also known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords and community strings.
Whilst the actor primarily uses SNMP scans to locate and compromise vulnerable routers, they have also exploited well-known vulnerabilities relating to Cisco devices, Cisco’s Smart Install (SMI) feature and web-portal flaws to gain control of network devices.
Jonathon Ellison, NCSC Director of National Resilience said:
The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter.
“Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK’s critical infrastructure.
“I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise.
Organisations are also encouraged to obtain Cyber Essentials certification, the government-backed scheme for all organisations to show they meet the recognised UK minimum standard for cyber security, and make use of the updated Cyber Assessment Framework, enabling them to assess their security maturity, address vulnerabilities and build their resilience against increasing threats.
The advisory has been published on the same day as the UK government has sanctioned 24 individuals and entities behind destructive cyber and hybrid operations including cyber criminals involved in proxy networks linked to the Russian Intelligence Services.
The UK together with EU member states has also today formally attributed the December 2025 attack on Poland’s energy grid to Russia’s FSB Centre 16 – an attack that if it had been successful could have caused 500,000 civilians to lose electricity.
The NCSC has co-sealed this new advisory alongside agencies from Australia, Canada, Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden and the United States.
It can be read on the NSA website: https://media.defense.gov/2026/Jul/09/2003959498/-1/-1/1/CSA_IMPROVE_ROUTER_HYGIENE.PDF
Facts Only
* The UK and international allies urge action to defend against Russian state intelligence actors.
* Advice follows the exploitation of inadequately configured routers by FSB Centre 16.
* FSB Centre 16 exploited vulnerable routers and opportunistically targeted global networks.
* Sectors most at risk include communications, defense, energy, financial services, government, and healthcare.
* Recommendations include using SNMPv3 and disabling legacy SNMP versions.
* Organizations must implement strong and unique passwords for network devices.
* Access to management protocols should be restricted via appropriate access controls.
* Centre 16 scanned the internet for routers using default or weak SNMP passwords and community strings.
* The actors exploited vulnerabilities in Cisco devices, Smart Install (SMI) features, and web-portal flaws.
* The NCSC published an advisory with 18 agencies from 12 countries.
* The UK sanctioned 24 individuals and entities linked to cyber and hybrid operations.
* The UK and EU attributed a December 2025 attack on Poland’s energy grid to Russia’s FSB Centre 16.
Executive Summary
International allies and the UK are urging critical infrastructure sectors to enhance defenses against Russian state intelligence activities. This advisory stems from the exploitation of poorly configured routers by Russian state cyber actors, specifically Centre 16 of Russia’s Federal Security Service (FSB). The threat involves the opportunistic targeting of networks belonging to critical national infrastructure (CNI) globally.
Organizations in high-risk sectors, including communications, defense, energy, financial services, government, and healthcare, are being advised to implement specific security measures. Recommendations include using SNMPv3, disabling legacy SNMP versions, setting strong and unique passwords for network devices, and restricting management protocol access with appropriate controls. The NCSC and its international partners have highlighted the methods employed by these actors, which involve scanning for vulnerable routers using default or weak SNMP credentials and exploiting flaws in Cisco devices and web portals. Furthermore, organizations are encouraged to pursue Cyber Essentials certification and utilize the Cyber Assessment Framework to improve overall security maturity. This advisory was released concurrently with UK sanctions against Russian entities and an attribution of a destructive attack on Poland’s energy grid to Russia's FSB Centre 16.
Full Take
The narrative presented juxtaposes state-sponsored technical exploitation with calls for decentralized, operational hygiene across diverse global sectors. The underlying pattern involves leveraging universally known systemic weaknesses—weak default configurations and protocol misconfigurations—as a scalable tool for geopolitical disruption. The call to action shifts the burden from purely technical remediation (patching routers) to organizational resilience (certification, framework adoption). This creates a layered dynamic: external state actors deploy targeted, sophisticated attacks, while the response emphasizes hardening the baseline infrastructure against generalized, known vulnerabilities.
The pattern of attribution—linking specific disruptive events to a named state actor and an operational cell—serves to establish clear moral and legal fault lines, moving the threat from abstract cyber risk to concrete geopolitical aggression. The implication for human agency is twofold: technical competence must be mandated across critical sectors (through standards like Cyber Essentials), but this technical defense alone is insufficient without acknowledging the systemic vector of state-level resource application. This suggests that cognitive sovereignty requires not only technical self-defense against exploits but also a shared understanding among allies about the strategic calculus behind these attacks, ensuring that security measures are driven by recognized threat intent rather than purely reactive vulnerability management.
Bridge questions: What structural mechanisms exist to ensure consistent, high-standard implementation of baseline network hygiene across disparate national regulatory environments? How does the reliance on specific certification schemes risk creating new, stratified inequalities between highly secure and less secure entities within critical infrastructure? If the primary threat is coordinated state action, what cognitive frameworks are necessary for public institutions to prioritize defense against state objectives over immediate operational concerns?
Sentinel — Human
The text reads like a direct report synthesizing an official cybersecurity advisory with related geopolitical and legal actions taken by allied nations, strongly suggesting human journalistic or governmental drafting.
