
A coalition of 21 cybersecurity and intelligence agencies has warned that Russian state-sponsored hackers continue to compromise internet-facing routers by exploiting weak configurations and known vulnerabilities, enabling them to steal device configurations and gain insight into victims' networks.
The advisory urges organizations, particularly critical infrastructure operators, to strengthen router security to prevent further intrusions.
The joint cybersecurity advisory was issued by the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and cybersecurity authorities from Australia, Canada, the UK, New Zealand, France, Italy, Sweden, Poland, Estonia, Finland, the Czech Republic, and Denmark.
FSB Center 16 is tracked by various cybersecurity vendors under names including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, Crouching Yeti, and Static Tundra. According to the advisory, the group continues to opportunistically target poorly configured networking devices worldwide, compromising organizations across multiple critical infrastructure sectors.
The agencies identify communications, defense industrial base, energy, financial services, government, and healthcare organizations as being at the highest risk. While the campaign focuses on routers, the attackers are primarily interested in the sensitive information stored on them, such as network configurations and credentials that can facilitate follow-on compromises.
The advisory says the attackers begin by scanning internet IP ranges for devices running Simple Network Management Protocol (SNMP) that accept default or commonly used community strings. Using spoofed SNMP Set-Requests routed through proxies, they abuse Cisco object identifiers (OIDs) to instruct vulnerable routers to export their configuration files, often named config.bkp or output.txt, and transfer them via Trivial File Transfer Protocol (TFTP) to attacker-controlled virtual private servers or compromised FTP servers. Those configuration files can contain credentials and other network information useful for expanding access inside victim environments.
Although SNMP abuse remains the group's primary technique, the agencies note that the actors have also exploited Cisco Smart Install and known Cisco vulnerabilities, including CVE-2018-0171 and the legacy CVE-2008-4128 affecting end-of-life devices. The bulletin also notes that several of these techniques overlap with activity attributed to other threat actors, including Salt Typhoon, making the recommended mitigations broadly applicable.

To defend against these attacks, the agencies recommend disabling Cisco Smart Install, replacing SNMPv1 and SNMPv2 with SNMPv3 configured for authentication and encryption, changing default community strings, and using strong, unique passwords. They also advise monitoring for suspicious SNMP Set-Requests targeting sensitive OIDs, restricting management protocols via access control lists, blocking external access to SNMP, TFTP, and Smart Install ports where possible, and keeping networking devices up to date with supported firmware and security patches.







Leave a Reply