Russia's FSB Is Quietly Hijacking Old Routers Across Critical Infrastructure, Allies Warn
A rare joint advisory from thirteen agencies details how FSB Center 16 hackers, tracked as Berserk Bear and Static Tundra, have spent over a decade pulling configs from misconfigured network gear.

Key points
- Thirteen intelligence and cybersecurity agencies from the US, UK, Canada, Australia, New Zealand and seven European countries published a joint advisory on the activity in 2025.
- The hackers work for Center 16 of Russia's Federal Security Service (FSB) and have been running this campaign for more than ten years.
- The group is tracked as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra across different vendors.
- Targets include energy, communications, defense, financial services, healthcare and state and local government networks.
- The main way in is old, weakly configured network management software on routers, not fancy zero-days.
A coalition of Western spy agencies has gone public with fresh detail on a long-running Russian hacking campaign that quietly siphons the guts of routers out of critical infrastructure networks.
The joint advisory was published by the US National Security Agency, CISA, the FBI and the Pentagon's Cyber Crime Center, alongside the UK's NCSC, Canada's Cyber Centre, Australia's ACSC and partner services from New Zealand, Czechia, Denmark, Estonia, Finland, France, Italy, Poland and Sweden. That is an unusually broad co-sealing list.
The hackers sit inside Center 16 of Russia's Federal Security Service, the FSB. In private-sector reporting the same cluster is called Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and, more recently, Static Tundra. The mapping is not always one to one, so treat overlaps with medium confidence.
How are the hackers actually getting in?
Mostly by scanning the internet for routers that were never locked down properly. The primary technique is abuse of SNMP, short for Simple Network Management Protocol, which is the language network administrators use to read and change settings on routers and switches from a distance.
On older gear, SNMP often ships with a default password known as a "community string", something as guessable as "public" or "private". The FSB operators sweep the internet looking for devices that still accept those defaults.
Once they find one, they send it a rigged instruction to copy its own configuration file to a server the hackers control. The file is usually named something bland like "config.bkp" or "output.txt" and moves out over TFTP, a very old file transfer protocol that runs on UDP port 69.
That config file is a goldmine. It contains network layout, account names, password hashes and details of how the target's internal network is stitched together.
The scans run through proxies with spoofed source addresses, which makes tracking the origin harder. Occasionally the group falls back on known bugs, including CVE-2018-0171, a flaw in Cisco's Smart Install feature that lets an unauthenticated attacker run commands on the device, and the ancient CVE-2008-4128.
Who is being targeted?
The advisory names communications firms, the defense industrial base, energy companies, financial services, healthcare and government at the state and local level. Access to a utility's router does not just give the FSB visibility. It gives them a foothold to pivot deeper if and when Moscow decides to.
The agencies are careful to distinguish capability from intent. What has been observed so far is quiet collection: pulling configurations, mapping networks, keeping the option open.
The joint advisory notes that many of these techniques overlap with Salt Typhoon, the Chinese group that ransacked US telecom carriers in 2024. Old routers with weak management protocols are apparently everyone's favourite door.
What should defenders do right now?
CISA's guidance is unglamorous but effective. Turn off Cisco Smart Install. Kill SNMP version 1 and version 2, which send community strings in clear text, and move to SNMP version 3 with authentication and encryption switched on.
Block TFTP at the edge unless there is a genuine reason to allow it. Put management interfaces on a separate, out-of-band network. Watch for outbound file transfers from routers to addresses that make no sense.
For ordinary customers of the affected sectors, there is nothing to click or patch on your end. But if your electricity provider, hospital or bank sends a notice about a network review in the coming weeks, this is likely why.



