Cybersecurity agencies from the US and eight partner countries have issued a joint advisory warning that Russian state-backed hackers are targeting vulnerable routers to gain access to critical infrastructure networks.
The advisory, published by the NSA, FBI, CISA, and 15 other agencies, attributes the activity to the Russian Federal Security Service (FSB) Center 16.
The group, also known as Berserk Bear, Energetic Bear, Dragonfly, and Ghost Blizzard, scans internet-connected routers for weak or default SNMP community strings. Once a vulnerable device is found, the attackers use spoofed IP addresses to copy router configuration files and transfer them to attacker-controlled servers using the Trivial File Transfer Protocol (TFTP).
The agencies also warned that the group has exploited the Cisco Smart Install vulnerability, tracked as CVE-2018-0171, since late 2021 to compromise Cisco IOS and IOS XE devices. Main targets are organizations in the energy, communications, healthcare, financial services, defense, and government sectors.
To reduce the risk of compromise, network administrators are advised to upgrade to SNMPv3, disable Cisco Smart Install, use strong unique passwords, block SNMP and TFTP traffic at network boundaries, keep firmware updated, and replace unsupported networking equipment.
In April 2026, a major operation disrupted FrostArmada, a separate campaign linked to the Russian military intelligence group tracked as APT28, Fancy Bear, or Forrest Blizzard. Attackers compromised more than 18,000 MikroTik and TP-Link SOHO routers across 120 countries by changing DNS settings. The modified routers redirected Microsoft 365 authentication traffic to attacker-controlled servers, allowing the theft of login credentials and OAuth tokens.