UK and Allies Warn of Russian Hackers Exploiting Routers Worldwide
Key Takeaways An international coalition, led by the UK, has issued a joint warning regarding widespread targeting of network routers by Russian state-sponsored hackers. Center 16, a unit of...
Key Takeaways
- An international coalition, led by the UK, has issued a joint warning regarding widespread targeting of network routers by Russian state-sponsored hackers.
- Center 16, a unit of Russia’s FSB, is actively exploiting weak configurations and known vulnerabilities in routers globally.
- The threat primarily leverages insecure Simple Network Management Protocol (SNMP) implementations and other known flaws to gain control of devices.
- Critical national infrastructure across various sectors is the primary target, with potential for espionage, data theft, and network disruption.
- Organizations are strongly advised to update security protocols, especially for SNMP, and implement robust access controls.
Global Alert: Russian Hackers Exploit Router Weaknesses
An urgent international advisory has been released, spearheaded by the United Kingdom and its cybersecurity allies, concerning Russian state-backed hacking groups actively compromising inadequately secured routers and network devices worldwide.
Table Of Content
The warning specifically identifies Center 16, a cyber division affiliated with Russia’s Federal Security Service (FSB), as the primary perpetrator. This unit has been observed conducting extensive scans across the internet to pinpoint and exploit vulnerable network infrastructure.
The National Cyber Security Centre (NCSC), an arm of GCHQ, spearheaded the publication of this critical advisory. Partnering agencies included those from the United States, Australia, Canada, Poland, France, Finland, Sweden, and New Zealand, underscoring the global nature of this threat.
These agencies collectively cautioned that Center 16 is systematically capitalizing on misconfigurations, outdated communication protocols, and previously identified security flaws within network hardware.
Center 16 is known by several other monikers within the cybersecurity community, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.
FSB Unit Targets Critical Infrastructure
Historically, this threat actor has focused its malicious activities on critical national infrastructure and entities within vital sectors such as communications, defense, energy, financial services, healthcare, and governmental organizations.
According to the joint advisory, the group specifically seeks routers exposed to the public internet that utilize default, weak, or recycled credentials for the Simple Network Management Protocol (SNMP).
SNMP is a widely used protocol for monitoring and managing network devices. However, older versions, when not properly secured, can inadvertently expose sensitive information, including community strings, which can be exploited by attackers.
Russian operatives have predominantly relied on SNMP scanning to discover accessible routers and subsequently gain unauthorized control over vulnerable devices.
Beyond SNMP exploitation, Center 16 has also been observed leveraging known Cisco vulnerabilities, specifically weaknesses associated with Cisco Smart Install, and various flaws present in web-based management portals.
Once a router is compromised, attackers can exploit it for a variety of nefarious purposes, including monitoring network traffic, redirecting communications, stealing login credentials, establishing persistent access, or penetrating deeper into a target’s internal network.
The NCSC urged organizations to immediately enhance router security practices and minimize their unnecessary exposure to the internet.
The advisory strongly recommends upgrading from legacy SNMP versions to SNMPv3, which offers significantly improved authentication and encryption capabilities.
Furthermore, organizations should disable SNMP where it is not essential, implement unique and robust passwords for every network device, and restrict administrative protocol access through network segmentation, access control lists (ACLs), and dedicated, trusted management networks.
Jonathon Ellison, NCSC Director of National Resilience, emphasized that Russian cyber actors relentlessly pursue and exploit any discovered vulnerabilities. He urged organizations, particularly those managing critical UK networks, to swiftly adopt the recommended mitigations to reduce their risk of compromise.
This warning coincides with recent sanctions imposed by the UK on individuals and entities implicated in destructive Russian cyber and hybrid operations, including criminal proxy networks linked to Russian intelligence agencies.
Both the UK and EU member states have also formally attributed the December cyberattack against Poland’s energy grid to the FSB’s Center 16. Authorities stated that this incident, had it been successful, possessed the potential to disrupt electricity supplies for civilian populations.
Organizations are further encouraged to pursue Cyber Essentials certification and utilize the updated Cyber Assessment Framework to evaluate their cybersecurity maturity, pinpoint weaknesses, and bolster their resilience against state-sponsored threats.
What You Should Do
- Upgrade SNMP: Migrate from older SNMP versions (v1, v2c) to SNMPv3, which provides robust authentication and encryption.
- Disable Unused SNMP: Turn off SNMP functionality entirely on devices where it is not strictly necessary.
- Strengthen Credentials: Implement unique, complex passwords or passphrases for all network devices and administrative interfaces. Avoid default or weak credentials.
- Restrict Administrative Access: Use network segmentation, firewalls, and Access Control Lists (ACLs) to limit access to management interfaces (like SNMP, SSH, web portals) to only trusted administrative networks and specific IP addresses.
- Regularly Patch and Update: Ensure all router firmware and network device software are kept up-to-date with the latest security patches from vendors.
- Review Configurations: Periodically audit router and network device configurations to identify and remediate any misconfigurations or default settings that could be exploited.
- Implement Multi-Factor Authentication (MFA): Where available, enable MFA for administrative access to network devices.
- Monitor Network Traffic: Implement robust network monitoring to detect unusual activity or unauthorized access attempts to your routers and critical network infrastructure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.