Improve router hygiene to protect against Russian state-sponsored targeting

This section contains time sensitive announcements about specific cyber threats, vulnerabilities and scams. Each alert has information you need to be aware of, and what actions to take to mitigate any risk to you or your organisation.

Subscribe to our updates to be notified as soon as we publish an alert.

10:15AM, 14 July 2026

TLP Rating: Clear

Improve router hygiene to protect against Russian state-sponsored targeting

Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint advisory provides additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat.

The authoring and co-sealing agencies strongly urge device owners and network defenders to take mitigation and remediation actions against Russian government-sponsored exploitation of vulnerable routers.

Partners include:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Federal Bureau of Investigation (FBI)
  • United States Department of Defense Cyber Crime Center (DC3)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Communications Security Establishment Canada’s (CSE’s) Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Czech Republic National Cyber and Information Security Agency (NÚKIB)
  • Danish Defence Intelligence Service (DDIS)
  • Estonian Foreign Intelligence Service (EFIS)
  • Estonian Information System Authority (RIA)
  • Finnish Defence Intelligence (FDI)
  • Finnish Security and Intelligence Service (SUPO)
  • French National Cybersecurity Agency (ANSSI)
  • Italian External Intelligence and Security Agency (AISE)
  • Italian Internal Intelligence and Security Agency (AISI)
  • The Military Counterintelligence Service of Poland (SKW)
  • Sweden National Cyber Security Centre (NCSC-SE)

What's happening

Systems affected

The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation. The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication [T1595.001 External Link , T1595.002 External Link ]. These scans, run via proxies, consist of SNMP Set-Requests from a spoofed IP address [T1027 External Link ] containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to [T1569 External Link , T1602.001 External Link , T1090 External Link ]:

Copy its configuration to a file, often called “config.bkp” or “output.txt” [T1003 External Link , T1602.002 External Link ].

Transfer the file, typically using Trivial File Transfer Protocol (TFTP), to an actor-controlled leased virtual private server (VPS) or compromised FTP server [T1583.003 External Link , T1090 External Link , T1071 External Link , T1048 External Link ].

While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices. The actors previously exploited at least the following CVEs [T1584.008 External Link , T1588.005 External Link , T1190 External Link , T1068 External Link ]:

Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon External Link . Even though this CSA focuses on Russian FSB Center 16 cyber activity, the mitigations below should detect and counter these and similar TTPs used by other actors.

What to look for

How to tell if you're at risk

Critical infrastructure sectors most at risk from the Russian Federal Security Service (FSB) Center 16 cyber actors’ targeting include:

  • Communications,
  • Defense Industrial Base,
  • Energy,
  • Financial Services,
  • Government Services and Facilities, especially organizations at the state and local level, and
  • Healthcare and Public Health.

What to do

Mitigation

The authoring agencies highly recommend network defenders implement the following mitigations to harden networks against this exploitation:

  • Disable Cisco Smart Install on all devices [D3-ACH External Link ].
  • Use SNMPv3 with “authPriv” configured to the most modern encryption standard that is supported by the device instead of SNMPv1 or SNMPv2 [D3-ACH External Link ].
  • Use strong, unique passwords for local accounts on network devices and configure credentials to be stored securely to prevent reuse of compromised passwords [D3-CH External Link ].
  • Monitor and restrict access to SNMP OIDs using a Management Information Base (MIB) allow list [D3-ACH External Link ]. Reference the vendor-specific MIB for the network devices and monitor OIDs for indications of reconnaissance or misconfiguration in logs or intrusion detection systems (IDS). IDS rules should be written for inbound SNMP Set-Requests that contain OIDs targeting sensitive device data [D3-PM External Link ].
  • Restrict management protocols [D3-NTF External Link ].
  • Update network device software and firmware images, especially to patch known vulnerabilities, and upgrade end-of-life devices to supported ones.

More information

Read the advisory [PDF, 815 KB]

If you require more information or further support, submit a report on our website:

Report an incident External Link  External Link .

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.