On July 13, 2026, the National Security Agency (NSA), CISA, the FBI, and partner agencies from Australia, Canada, New Zealand, and the UK released a joint cybersecurity advisory. The document warns that Russian state-sponsored cyber actors, specifically the FSB Center 16, are actively exploiting poorly configured and unpatched network routers. The threat actor group, also tracked as Berserk Bear and Static Tundra, is targeting critical infrastructure sectors globally. The advisory provides tactical guidance for network defenders to harden their devices and improve router hygiene to defend against these ongoing campaigns.
The advisory details a persistent and opportunistic campaign by FSB Center 16 to gain access to networks by compromising edge devices. The actors are not targeting specific vulnerabilities as much as they are exploiting common misconfigurations and a lack of basic security hygiene.
The actor's methodology is straightforward but effective, relying on the large attack surface presented by internet-facing network equipment.
public, private). Successful access can provide them with the device's full running configuration, including credentials, VPN settings, and network topology information.T1595.001 - Active Scanning: Scanning IP Blocks: The actors use SNMP scans to identify potential targets.T1210 - Exploitation of Remote Services: Gaining access via weak SNMP configurations is a form of remote service exploitation.T1190 - Exploit Public-Facing Application: Targeting known vulnerabilities in router firmware falls under this technique.T1078.001 - Valid Accounts: Default Accounts: The use of default SNMP community strings is equivalent to using default credentials.T1589.002 - Gather Victim Identity Information: Email Addresses: Information gathered from router configurations can be used to craft further attacks.A compromised network router provides a significant strategic advantage to an adversary. Potential impacts include:
Given the targeting of critical infrastructure, a successful, widespread campaign could have serious consequences for national security and public safety.
No specific file hashes, IP addresses, or domains were provided in the source articles.
Security teams should consider hunting for the following patterns to identify vulnerable devices or active targeting:
161/udp4786/tcpTFTPRouter Syslogshow running-configThe advisory strongly recommends the following router hygiene practices:
no vstack), and block TFTP at the network edge.Harden router configurations by disabling unused protocols like Cisco Smart Install and TFTP.
Maintain a strict patch management schedule for all network devices to remediate known vulnerabilities.
Use Access Control Lists (ACLs) to restrict management interfaces to trusted IP ranges only.
Enforce strong, unique passwords for all device accounts and use secure protocols like SNMPv3 instead of weak community strings.
The NSA and partner agencies release a joint cybersecurity advisory on Russian targeting of network routers.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.