Russia's FSB is hijacking weakly secured routers, 12 nations warn

The UK and 11 allied countries have issued a rare joint warning that cyber operators working for Russia's Federal Security Service (FSB) are quietly hijacking poorly secured routers at critical infrastructure organisations around the world.

In an advisory co-sealed by 18 agencies from 12 nations, the UK's National Cyber Security Centre (NCSC), part of GCHQ, named FSB Centre 16 as the culprit and urged operators of communications, defence, energy, financial services, government and healthcare networks to lock down their edge devices immediately.

What the FSB is doing

According to the NCSC, Centre 16 is scanning the open internet for network devices that still use default or weak Simple Network Management Protocol (SNMP) passwords and community strings, the shared secrets that let administrators query and manage routers remotely. Where those are weak, the actor simply logs in. It has also exploited well known flaws in Cisco equipment, including the Smart Install (SMI) feature and web portal bugs, to seize control of routers and pivot deeper into victim networks.

Who is behind it

Centre 16 is one of Russia's most seasoned cyber espionage units. It is tracked across the industry under a long list of names, including Berserk Bear, Energetic Bear, Crouching Yeti, Ghost Blizzard, Static Tundra and Dragonfly, and has spent more than a decade probing energy and industrial targets. This is the same class of long-term access operation IntelFusions documented in the abuse of aging routers as attack relays.

Sanctions and a grid attack

The advisory landed on the same day the UK government sanctioned 24 individuals and entities behind destructive cyber and hybrid operations, including proxy criminal networks linked to Russian intelligence. The UK and EU member states also formally attributed the December 2025 attack on Poland's energy grid to FSB Centre 16, an operation that, had it succeeded, could have cut power to an estimated 500,000 civilians.

What defenders should do

The guidance is concrete. Switch to SNMPv3 and disable legacy SNMP versions, set strong and unique passwords on every network device, and restrict access to management protocols with tight access controls. UK organisations are also pointed toward Cyber Essentials certification and the updated Cyber Assessment Framework. The push mirrors earlier allied warnings that Russian services keep probing for any weak point they can find.

Indicators

The full technical advisory is published on the NSA website at hxxps://media[.]defense[.]gov/2026/Jul/09/2003959498/-1/-1/1/CSA_IMPROVE_ROUTER_HYGIENE[.]PDF. Network defenders should review it for detection guidance and device hardening steps.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions