UK and Allies Warn of Russian Hackers Targeting Global Routers

The United Kingdom, in collaboration with international cybersecurity partners, has issued a critical alert regarding Russian state-sponsored hackers actively targeting vulnerable routers and network devices worldwide. This advisory highlights the activities of Center 16, a cyber unit associated with Russia’s Federal Security Service (FSB), which has been conducting extensive scans to identify and exploit poorly secured infrastructure.

The National Cyber Security Centre (NCSC), part of the UK’s Government Communications Headquarters (GCHQ), released this warning alongside agencies from the United States, Australia, Canada, Poland, France, Finland, Sweden, and New Zealand. These agencies have observed that Center 16 is opportunistically exploiting weak configurations, outdated protocols, and known vulnerabilities in network equipment.

Center 16, also known by aliases such as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, has a history of targeting critical national infrastructure and organizations across various sectors, including communications, defense, energy, financial services, healthcare, and government.

The joint advisory indicates that the group searches for internet-exposed routers using default, weak, or reused Simple Network Management Protocol (SNMP) credentials. SNMP is commonly used by administrators to monitor and manage network devices; however, older versions can expose community strings and other sensitive information if not properly secured. Russian operators have primarily relied on SNMP scanning to identify accessible routers and gain control over vulnerable devices.

In addition to SNMP exploitation, Center 16 has leveraged known Cisco vulnerabilities, weaknesses associated with Cisco Smart Install, and flaws in web-based management portals. Once attackers compromise a router, they can monitor traffic, redirect communications, steal credentials, establish persistence, or move deeper into a target network.

The NCSC has urged organizations to enhance router security and minimize unnecessary internet exposure. Recommendations include replacing legacy SNMP versions with SNMPv3, which offers stronger authentication and encryption, disabling SNMP where it is not needed, using unique, complex passwords for each network device, and restricting access to administrative protocols through network segmentation, access control lists, and trusted management networks.

Jonathon Ellison, NCSC Director of National Resilience, emphasized that Russian cyber actors persistently seek to exploit any weaknesses they discover. He encouraged organizations, particularly operators of UK critical networks, to adopt the recommended mitigations promptly to reduce the risk of compromise.

This warning coincides with the UK’s imposition of sanctions on individuals and entities linked to destructive Russian cyber and hybrid operations, including criminal proxy networks associated with Russian intelligence services. Additionally, the UK and EU member states have formally attributed the December cyberattack against Poland’s energy grid to FSB Center 16, noting that the incident could have disrupted electricity supplies for civilians if it had succeeded.

Organizations are further encouraged to obtain Cyber Essentials certification and utilize the updated Cyber Assessment Framework to evaluate cybersecurity measures.

Given the persistent and evolving nature of cyber threats from state-sponsored actors like Center 16, it is imperative for organizations to proactively strengthen their cybersecurity defenses. Implementing the recommended measures can significantly reduce the risk of compromise and ensure the resilience of critical infrastructure against such sophisticated attacks.