A broad international coalition of cyber security agencies — the NSA, CISA and FBI in the US, the UK’s NCSC, and 15 partner agencies across Australia, Canada, New Zealand and Europe — has issued a joint advisory warning that Russian state-sponsored hackers are actively targeting poorly configured, internet-facing routers around the world.

The advisory attributes the campaign to the Russian Federal Security Service (FSB) Center 16 — a group also tracked as Berserk Bear, Energetic Bear, Dragonfly and Static Tundra. It follows a separate law-enforcement operation that disrupted a Russian military-intelligence (GRU / APT28) network which had infected roughly 18,000 small-office and home routers across 120 countries.

How the attack works

The actors scan the internet for routers still using default or weak SNMP credentials, then quietly copy the device’s configuration files and exfiltrate them to their own servers. A central weakness being exploited is CVE-2018-0171, a critical Cisco Smart Install flaw rated 9.8 out of 10 — a vulnerability that is over seven years old and still fixable with a patch and a configuration change. In the related SOHO-router campaign, attackers altered DNS settings on MikroTik and TP-Link devices to intercept traffic and steal Microsoft 365 logins.

Why routers are such a prized target

Edge devices sit right at the boundary of your network, yet they routinely get far less attention than servers and laptops. They’re often installed once and forgotten, left on default settings, exposed to the internet for remote management, and rarely patched. A compromised router gives an attacker a quiet, persistent foothold — a place to watch traffic, harvest credentials and pivot deeper into the network, frequently without triggering the tools watching your PCs and servers.

This isn’t only a “critical infrastructure” problem

The named victims span defence, communications, energy, financial services, government and healthcare — but smaller organisations should not tune this out. Attackers scan the whole internet opportunistically, small firms are part of the supply chain into larger ones, and the parallel campaign deliberately went after ordinary office and home-worker routers. If you have a router with a public IP — and you do — you are in scope.

What to do now

  • Disable Cisco Smart Install and any other unused legacy management services (Telnet, HTTP admin, unnecessary SNMP).
  • Patch firmware on every router, switch and firewall — and retire any end-of-support kit that no longer receives updates.
  • Kill default and weak credentials. Use strong, unique admin passwords, and enable MFA on management interfaces where supported.
  • Take management off the internet. Never expose device admin to the public internet; restrict it to a trusted network or VPN.
  • Lock down SNMP. Remove default community strings, move to SNMPv3, or disable SNMP entirely if it isn’t needed.
  • Monitor your edge. Watch for unexpected configuration changes, unusual TFTP transfers and unfamiliar logins on network devices.
  • Include network devices in your patching and vulnerability scanning — not just servers and endpoints.

Most of this is basic hygiene — which is exactly why a seven-year-old flaw is still working for attackers. At Foresight, securing the network edge is part of the day job: we design and manage business networks, scan routers, switches and firewalls as part of our vulnerability management service, test defences through penetration testing, and monitor for suspicious activity around the clock. It’s also core to Cyber Essentials, which requires default credentials to be changed and management interfaces kept off the internet.

If you’re not certain your routers and firewalls are patched, hardened and off the public internet, get in touch and we’ll take a look.

Sources: BleepingComputer; CISA advisory AA26-194A.