Russian FSB hackers are quietly hijacking routers at hospitals, power firms and banks, nine countries warn

A joint advisory from the US, UK, Australia and six allies names FSB Centre 16 as the group scanning the internet for routers with weak passwords and old Cisco flaws.

ThreatVectr Newsdesk· 4 min read
Full-frame edge-to-edge photoreal editorial shot of a dimly lit server rack in an industrial control room, focus on a network router with blinking amber LEDs, c
Share

Key points

  • Nine countries, led by the US NSA, FBI and CISA, published a joint advisory on Monday naming Russia's FSB Centre 16 as the group behind a long-running router hacking campaign.
  • The hackers scan the internet for routers using default or weak SNMP passwords, a network management protocol, then copy the device's configuration file to their own servers.
  • The same group has exploited a 2018 Cisco flaw, CVE-2018-0171, against critical infrastructure since November 2021, according to an FBI warning issued in August 2025.
  • Targeted sectors include energy, healthcare, financial services, defence, communications and state and local government.
  • In a separate December 2025 operation, the FBI cleaned malicious settings from 18,000 home and small-office routers in 120 countries linked to Russian military hackers APT28.

Russia's domestic spy agency has spent years quietly taking over the routers that move traffic around hospitals, power companies and banks. That is the blunt message from a joint advisory published on Monday by cyber agencies in the United States, United Kingdom, Australia, Canada, New Zealand, Estonia, Finland, France and Italy.

The advisory, first reported by BleepingComputer, blames a unit called Centre 16 inside Russia's Federal Security Service, the FSB. Security researchers have tracked the same group for years under names including Berserk Bear, Energetic Bear, Dragonfly and Static Tundra.

How are the hackers getting in?

They are looking for routers that were never locked down properly. Routers are the boxes that shuffle internet traffic in and out of a building. Many of them still ship with a default password, or one an administrator set years ago and forgot.

The Russian operators scan huge ranges of internet addresses for routers that respond to SNMP, short for Simple Network Management Protocol. SNMP is the language network gear uses to report its status. If a router accepts a common or default SNMP password (called a community string), the hackers can talk to it directly.

Once inside, they issue commands that copy the router's configuration file. That file is gold. It contains usernames, password hashes, network layouts and the addresses of other internal systems. The file is siphoned out using TFTP, the Trivial File Transfer Protocol, an old and simple file-moving tool, to servers the attackers control.

When SNMP does not get them in, they fall back on a known Cisco flaw. That flaw, CVE-2018-0171, sits in a Cisco feature called Smart Install, which was designed to make setting up new switches easier. An attacker who can reach the feature over the network can run their own code on the device. The FBI said in August that Centre 16 has been abusing this bug against critical infrastructure since November 2021. That is four years of active exploitation of a seven-year-old flaw.

Which industries are being hit?

The agencies list energy, communications, the defence industrial base, healthcare, financial services, defence, and state and local government. In plain terms: the systems ordinary people rely on to keep the lights on, the money moving and the hospitals running.

The UK's National Cyber Security Centre put it directly. Centre 16 "has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak" SNMP credentials, the NCSC said, and has also gone after "well-known vulnerabilities relating to Cisco devices" and web portals.

What should network owners do now?

The advisory is unusually specific. Upgrade to SNMPv3, the modern version that actually encrypts its traffic. Turn off Cisco Smart Install if you are not using it. Set strong, unique passwords on every device. Block SNMP and TFTP at the edge of the network so the outside world cannot talk to them. Patch firmware. Replace kit the vendor no longer supports.

The warning lands days after a separate cleanup operation. In December 2025, the FBI, the US Department of Justice, the Polish government and several private companies dismantled a campaign called FrostArmada, run by a different Russian group, APT28, tied to military intelligence unit 26165. That crew had infected 18,000 MikroTik and TP-Link home and small-office routers across 120 countries, quietly redirecting Microsoft 365 login traffic to steal usernames, passwords and OAuth tokens (the digital keys apps use to stay signed in). A court order let the FBI reach into the routers and undo the damage.

For ordinary users of home routers: check that your router is not running firmware years out of date, change the admin password from whatever the box shipped with, and if your internet provider supplied the device, ask them when it was last updated.

© 2026 Threat Vectr