Cybersecurity agencies from the United States and eight other countries have issued a joint warning that Russian state hackers are targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks.
The joint advisory, co-authored by the NSA, FBI, and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the attacks to hackers from the Russian Federal Security Service (FSB) Center 16.
This hacking group (tracked as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra) scans internet-connected IP address ranges for routers accepting default or common SNMP authentication strings, then issues commands using spoofed IP addresses to copy device configuration files and exfiltrate them via the Trivial File Transfer Protocol to actor-controlled servers.
In August 2025, the FBI also warned that the same group has been targeting critical infrastructure using a critical vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software (tracked as CVE-2018-0171) since November 2021.
The sectors most at risk from these attacks include energy, communications, defense industrial base, healthcare, financial services, defense, and state and local government services.










