Russian Spies Are Breaking Into the World's Routers. The Password Is Often Still 'Admin'.
A joint advisory from the US, UK, and a dozen allied nations warns that Russian FSB hackers have spent years walking into critical infrastructure networks through the digital equivalent of an unlocked front door.

Key points
- Russia's FSB Centre 16 has been breaking into routers and networking equipment belonging to critical infrastructure organisations across multiple countries, according to a joint advisory published this week by cybersecurity agencies from the US, UK, and twelve allied nations.
- The UK and the EU jointly imposed sanctions on 24 Russian individuals and organisations on the same day, marking the first time the two have acted together on this kind of measure.
- UK and EU officials formally blamed FSB Centre 16 for a January attack on Poland's electricity grid that they say could have cut power to 500,000 people in winter.
- The total number of individuals and entities the UK has sanctioned over Russia's war in Ukraine now stands at 3,400.
- Security experts say the techniques used have been publicly known for over a decade, and the attacks keep working because too many organisations ignore the basics.
Russia's Federal Security Bureau, the FSB, runs a hacking unit known as Centre 16. Security researchers also track this group under several names: Energetic Bear, Crouching Yeti, and Static Tundra, among others. Their target list reads like a directory of things that keep modern life running: power grids, hospitals, banks, defence contractors, and government agencies.
The group's favourite way in is almost embarrassingly simple. They scan the internet for networking devices, such as routers, that still use the password they shipped with from the factory. Then they log in.
Once inside a device, they instruct it to send its configuration file, a document that maps out how the whole network is built, to a server the hackers control. That blueprint lets them plan deeper intrusions.
How did the hackers get in?
The primary method, according to the joint advisory, is exploiting a networking tool called SNMP, which stands for Simple Network Management Protocol. It is software built into most routers that lets administrators monitor and adjust network settings remotely. The hackers scan for devices where SNMP still accepts the default or easily guessed password, then use that access to pull the network's configuration data. The advisory also notes they have used known security flaws in Cisco Systems networking hardware and abused a Cisco feature called Smart Install, which is designed to help set up new devices remotely but can be turned against the owner if left switched on unnecessarily.
The fix for all of this is not exotic. Change default passwords. Disable features you are not using. Upgrade SNMP to its latest version, which includes proper encryption.
John Strand, owner of Black Hills Information Security, put it bluntly: attackers are winning "because too many organisations still struggle with the fundamentals of computer security."
The advisory arrived alongside news, first covered in detail by Dark Reading, that the UK and EU jointly sanctioned 24 Russian nationals and organisations for cyberattacks, election interference, and disinformation campaigns across Europe. Officials singled out an attack on Poland's energy grid in January as "a reckless attack" that could have plunged half a million Poles into darkness mid-winter.
For ordinary people, the direct risk is to services they rely on. A hacked hospital network can delay patient care. A compromised power-grid operator can mean outages. Customers of any organisation in the sectors named should watch for unusual service disruptions and be alert to phishing emails, where criminals send fake messages to trick staff into handing over passwords, since account credentials are often the next thing attackers go after once they are inside a network.



