Russian Intelligence Exploits Poorly Configured Routers, NCSC Warns
UK's NCSC and international partners issue alert on Russian state-backed actors targeting critical infrastructure via vulnerable routers.

The UK's National Cyber Security Centre (NCSC), alongside international allies, has issued a joint advisory warning critical sectors about persistent targeting by Russian state-backed cyber actors. These actors are actively exploiting poorly configured routers globally to gain unauthorized access to sensitive networks, posing a significant threat to national security and critical infrastructure.
The advisory highlights a concerning trend where threat actors are scanning the internet for internet-facing devices, particularly routers, that have been left with default credentials or unpatched vulnerabilities. Once access is gained, these actors can conduct reconnaissance, exfiltrate sensitive data, or use the compromised devices as pivot points to access more secure internal networks. The NCSC emphasizes that this activity is part of a broader pattern of Russian intelligence services seeking to gain strategic advantage through cyber means.
While the advisory does not name specific threat groups, it attributes the activity to Russian state-backed actors, indicating a coordinated and resourced campaign. The focus on routers is strategic, as these devices often sit at the perimeter of networks and can provide a gateway into otherwise well-defended systems. The ease with which these devices can be compromised underscores the importance of basic cyber hygiene, even for organizations with sophisticated security postures.
The NCSC urges organizations across critical sectors—including government, defense, energy, and finance—to take immediate steps to improve their defenses. Key recommendations include ensuring all internet-facing devices are securely configured, regularly patched, and monitored for suspicious activity. Organizations are also advised to disable unnecessary services and implement strong, unique passwords for all administrative interfaces.
This alert serves as a stark reminder that even seemingly minor misconfigurations can have severe consequences when exploited by determined adversaries. The global nature of the exploitation means that organizations worldwide are at risk, regardless of their geographic location. The advisory encourages a proactive approach to security, moving beyond reactive incident response to robust preventative measures.
In response to this threat, the NCSC is working with industry partners to share threat intelligence and best practices. The goal is to bolster the collective resilience of critical infrastructure against state-sponsored cyber espionage and disruption. The advisory also stresses the importance of incident reporting to the NCSC, enabling a more comprehensive understanding of the threat landscape and facilitating timely responses.
While specific technical details of the exploitation methods are not fully disclosed in the public advisory, the emphasis on poorly configured routers suggests a reliance on common vulnerabilities such as weak authentication, default credentials, and unpatched firmware. This highlights a persistent challenge in cybersecurity: the gap between the availability of security best practices and their consistent implementation across diverse organizations and device types.
The NCSC and its allies are committed to providing ongoing guidance and support to help organizations defend against these evolving threats. The advisory concludes with a call to action for all critical infrastructure operators to review and enhance their security controls to mitigate the risk posed by Russian intelligence targeting.
This joint advisory from multiple international cybersecurity agencies provides further details on Russian state-sponsored actors targeting critical infrastructure. It specifically names FSB Center 16 (also known as Berserk Bear, Dragonfly, and others) as the group responsible for exploiting vulnerable routers using weak SNMP credentials and known Cisco vulnerabilities. The advisory also outlines specific mitigation measures, including upgrading to SNMPv3, disabling Cisco Smart Install, and enforcing strong passwords.
This joint advisory from 12 countries, including the US, UK, and EU, provides further details on the Russian state-sponsored threat actors' methods, identifying them as FSB Center 16 (also known as Berserk Bear, Dragonfly, and Static Tundra). The advisory highlights the exploitation of weak SNMP credentials and community strings, and notes that the group has also previously exploited CVE-2018-0171 in Cisco devices. Furthermore, the advisory coincides with the official attribution by the UK and EU of late 2025 cyber-attacks on Poland's energy infrastructure to FSB Centre 16, leading to a joint sanctions package against individuals and entities involved.