Russian state-backed hackers have spent more than a decade exploiting a stubborn weakness in critical infrastructure networks. Organizations are still leaving poorly configured and outdated routers exposed to the internet.
In a joint cybersecurity advisory, the NSA, CISA, FBI, and international partners warn that hackers linked to Center 16 of Russia’s Federal Security Service are continuing to target vulnerable networking equipment. Energy, healthcare, and government networks are among the sectors facing the highest risk.
One forgotten device can expose credentials and reveal how a much larger network fits together.
How the routers are being exposed
The hackers scan internet-facing networks for routers running poorly secured versions of Simple Network Management Protocol, better known as SNMP. Devices that accept common or default authentication strings can be instructed to copy their configuration files and send them to attacker-controlled servers.
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, targeting devices across critical infrastructure sectors. These vulnerabilities can give hostile actors access to the systems that… pic.twitter.com/K5Po1v87Fu
— FBI Phoenix (@FBIPhoenix) July 14, 2026
Older Cisco equipment presents another route inside. The group has exploited known vulnerabilities and abused Cisco Smart Install, a feature that may remain enabled long after deployment. None of this requires some dazzling Hollywood hack when obsolete protocols and weak configurations are already exposed.
What attackers gain from a router
Router configuration files can contain credentials and show how a network is organized. Once copied, that information helps the hackers identify other systems and choose where to concentrate their efforts.

The campaign focuses on gathering access instead of causing immediate disruption. That quieter approach can keep a compromise hidden while giving the Russian government information it could use as its strategic priorities change. The router is only the first target, and the useful prize sits behind it.
How organizations can close the door
The agencies recommend replacing outdated routers, installing current firmware, and disabling Cisco Smart Install. Network defenders should also move from the obsolete SNMPv1 and SNMPv2 protocols to SNMPv3, which adds stronger authentication and encryption.
Organizations should use strong, unique passwords and restrict management protocols to trusted devices. Suspicious requests and unusual local-account logins also need monitoring.
These are basic security measures, but skipping them means state-backed hackers may never need their cleverest tools. Organizations should audit their internet-facing networking equipment now, starting with any router that no longer receives security updates.


