NSA, CISA, the FBI, and allied cybersecurity agencies have warned that Russian intelligence-linked hackers are continuing to compromise poorly configured routers and other network devices used across critical infrastructure sectors.
The July 13 advisory release, led by the National Security Agency and co-sealed by 18 agencies in the United States, Europe, Canada, Australia, and New Zealand, focuses on activity attributed to Russia’s Federal Security Service Center 16. The same activity is tracked in the security industry under names including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, and Static Tundra.
The warning is not about an exotic zero-day. It is about basic network management mistakes that give a capable state actor an easy path into the edge of a network: exposed SNMP, default or weak community strings, old Cisco Smart Install exposure, vulnerable web management portals, end-of-life devices, and router configurations that leak credentials once copied off the device.
What the Agencies Say Is Happening
The joint advisory, Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, says FSB Center 16 actors scan internet ranges for routers and other networking devices with active Simple Network Management Protocol agents. The actors look for devices that still accept common or default SNMP community strings, then use SNMP Set-Requests containing object identifiers that can instruct a device to copy out its configuration.
Those configuration files may be saved under names such as config.bkp or output.txt, then transferred by Trivial File Transfer Protocol to infrastructure controlled by the attackers. That matters because router configurations often contain the details defenders most want to keep private: local accounts, management-plane settings, network topology, ACLs, VPN or routing information, and sometimes weakly protected credentials.
The advisory names two older Cisco-related vulnerability paths: CVE-2018-0171, a Cisco Smart Install flaw, and CVE-2008-4128, which affects end-of-life Cisco devices. It also notes that some of the same tradecraft overlaps with other state-linked activity, including techniques associated with Salt Typhoon, which makes the hardening steps useful beyond the specific Russian campaign.
Who Should Treat This as Urgent
The agencies call out communications, defense industrial base, energy, financial services, government services and facilities, and healthcare as sectors most at risk. State and local government networks get specific attention because older network gear and constrained IT budgets often leave exposed management services in place longer than anyone intended.
For enterprise teams, the practical lesson is that routers and switches should be treated as high-value systems, not background plumbing. A compromised edge router can help an attacker map internal networks, steal reusable credentials, blend traffic through trusted paths, or persist below the level where endpoint tools usually see activity.
The Router Checklist That Matters First
The fastest triage step is to identify internet-facing network devices and management services before arguing about attribution. Organizations should inventory routers, firewalls, switches, VPN concentrators, and other edge devices, then confirm whether SNMP, TFTP, Smart Install, web management, SSH, Telnet, or vendor-specific management interfaces are reachable from outside approved management networks.
For SNMP, the agencies recommend moving to SNMPv3 with authPriv, the mode that provides both authentication and encryption where supported. NSA’s companion guidance, Reducing the Risk of Simple Network Management Protocol Abuse, says SNMPv1 and SNMPv2 rely on community strings that can be exposed through traffic capture and should no longer be used on current devices. If older gear cannot support SNMPv3 with strong authentication and encryption, that is a replacement signal rather than a reason to keep weak management in place indefinitely.
SNMP access should also be narrowed with ACLs and management-network controls. Polling systems should reach only the devices they need. Write access should be separated from read access. Device views should allow only the MIB objects required for monitoring or normal administration, instead of leaving broad object trees available to any credential that happens to work.
For Cisco environments, the advisory is blunt about Smart Install: disable it on all devices unless there is a documented operational requirement. Edge firewalls and devices should deny unnecessary external access to UDP port 69 for TFTP, TCP port 4786 for Smart Install, UDP ports 161 and 162 for SNMP, and TCP or UDP ports 10161 and 10162 for SNMPv3. Where blocking is not feasible, access should be restricted to trusted management hosts and monitored closely.
What to Hunt For
Defenders should look for inbound SNMP Set-Requests that target sensitive OIDs, especially Cisco configuration-copy objects such as 1.3.6.1.4.1.9.9.96.1.1 and server-address objects under that tree. Unexplained TFTP or FTP transfers from network devices deserve the same attention as suspicious outbound traffic from a server.
The advisory also recommends monitoring for local account logins, credentials that do not match naming standards, and configuration files that still store passwords using weak Cisco types. Type 0 stores passwords in plaintext, while Type 7 is reversible and should not be treated as meaningful protection. The agencies recommend Type 8 for user credentials on Cisco devices where supported.
Teams should not stop at logs from firewalls or endpoint tools. Network devices need their own configuration review, firmware review, authentication review, and management-plane audit. For organizations that rely on managed service providers, the right question is not only whether devices are patched, but who can access management interfaces, how SNMP is configured, whether local break-glass accounts are monitored, and whether configuration backups are encrypted and access-controlled.
Why This Warning Is Different From Routine Router Advice
Router hygiene has been a recurring government message for years, but the July advisory packages the problem as an active critical-infrastructure risk rather than a generic best-practices reminder. The agencies are describing a durable campaign that turns old administration habits into intelligence collection: find exposed SNMP, trigger a config copy, pull the file to attacker infrastructure, and reuse whatever the configuration reveals.
That attack path is uncomfortable because it is cheap. It does not require burning a rare exploit when a forgotten community string or end-of-life router can expose the same strategic foothold. It also explains why basic controls are not cosmetic. Blocking TFTP at the edge, disabling Smart Install, replacing unsupported routers, moving to SNMPv3, and restricting management traffic can remove the exact pathways described in the advisory.
U.S. federal, state, local, tribal, and territorial governments and critical infrastructure operators can also use CISA’s no-cost Cyber Hygiene services to help identify internet-facing exposure. Defense industrial base organizations can consider NSA’s DIB Cybersecurity Services. For everyone else, the same first move applies: build a clean inventory of network edge devices and prove which management services are reachable before the next advisory turns into an incident report.