A rare and unusually broad coalition of Western cyber agencies — the NSA, CISA, FBI and the UK’s NCSC, alongside partners from Australia, Canada, New Zealand and much of Europe — has issued a joint advisory warning that Russian state-sponsored hackers are actively targeting internet-facing routers around the world.

The advisory, “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” names Russia’s FSB Center 16 (also tracked as Berserk Bear, Energetic Bear, Dragonfly and Static Tundra) as the group behind a long-running campaign against poorly configured and unpatched networking devices. Compromised routers have given the attackers a foothold in critical sectors including energy, communications, finance, government and healthcare across the US and allied nations.

They’re not using zero-days — they don’t need to

The uncomfortable part is how ordinary the techniques are. “Nation-state attackers don’t always need a sophisticated zero-day to penetrate critical infrastructure,” noted Ensar Seker, CISO at SOCRadar — weak router configurations, default SNMP community strings, outdated firmware and exposed management interfaces give them everything they need. The agencies describe attackers scanning the internet for routers still using default or common SNMP strings, then quietly copying device configuration files to map out the network.

One of the flaws being exploited is CVE-2018-0171, a critical weakness in Cisco’s Smart Install feature — first disclosed back in 2018 and still being used to break in eight years later. That gap between “a patch exists” and “the patch is applied” is exactly what these groups rely on.

Why this matters even if you’re not “critical infrastructure”

It’s easy to read “energy grids and government networks” and assume it doesn’t apply to your business. But the targeting is opportunistic — the attackers scan broad ranges of internet addresses and take whatever is exposed. Routers, firewalls and switches are an ideal target: they sit on the perimeter, they’re always on, and they usually get far less security attention than servers or laptops. A separate operation in late 2025 cleaned up around 18,000 compromised small-office and home routers across 120 countries — many belonging to ordinary businesses and remote workers.

Locking your network’s front door

The advisory boils down to good router hygiene. For most Greater Manchester businesses, that means:

  • Disable Cisco Smart Install and any other legacy or unused management services.
  • Patch firmware promptly and replace routers and switches that are end-of-support.
  • Change every default — admin passwords and SNMP community strings — and move to SNMPv3.
  • Never expose device management to the internet — restrict it to the internal network or a VPN.
  • Use encrypted management only — SSH and HTTPS, never Telnet or plain HTTP.
  • Segment and monitor — treat edge devices as high-value assets, log them, and watch for unusual configuration changes.
  • Include network devices in your vulnerability scanning, not just servers and PCs.
  • Remote workers count too — home routers should be updated, have default passwords changed, and connect over a VPN.

Most of this sits squarely within Cyber Essentials, which already requires changing default credentials and closing off unnecessary internet-facing services.

At Foresight, we manage and monitor network infrastructure for organisations across Greater Manchester — from managed Cisco networks and secure connectivity to vulnerability management that scans firewalls, switches and routers (not just computers) and 24/7 monitoring for exactly the kind of quiet, config-level activity this advisory describes. If you’re not certain your edge devices are patched, hardened and out of reach from the internet, let’s take a look.

Sources: CISA advisory AA26-194A; BleepingComputer.