
Russian FSB Center 16 router attacks now sit at the center of a sweeping international warning. A joint Cybersecurity Advisory distributed through the NJCCIC, and later published as AA26-194A, details how these state-sponsored operators steal network configurations from poorly secured devices. Nineteen agencies across thirteen nations co-sealed the document. Consequently, the message carries unusual weight for critical infrastructure defenders.
Who These State-Sponsored Hackers Really Are
Center 16 of the FSB of Russia serves as the signals intelligence branch of the Federal Security Service of the Russian Federation. Other aliases include Berserk Bear, Energetic Bear, Dragonfly, Crouching Yeti, Ghost Blizzard, and Static Tundra, even though the missions remain the same: long-term espionage on strategic networks.
In addition, this entity has been operating since 2010 at minimum, with a 2022 Department of Justice indictment of three FSB officers formally linking them to this group. Consequently, the July 2026 advisory presents the most detailed articulation of their techniques publicly available.
How The Router Hijacking Actually Works
The method used is surprisingly simple and low-tech. Instead of exploiting zero-day vulnerabilities, the threat actor uses their scanners to search the web for routers that have default or easily hackable community strings when using SNMP.
The steps are outlined in the following order:
- First, the proxies scan IP addresses for any routers that have SNMP agents that accept the default community strings, such as ‘public’.
- Second, fake Set-Requests are sent to copy configuration from router and store them in a file.
- Third, the file is then transferred to an attacker’s server using Trivial File Transfer Protocol.
At times, they exploit CVE-2018-0171, which is a critical vulnerability of the Cisco Smart Install feature with a CVSS score of 9.8.
Additionally, they rely on the end-of-life vulnerability of CVE-2008-4128, which targets older devices.
These files provide important information and credentials, network topology, and SNMP strings. Later on, the hackers pivot to other systems and modify access control lists.
CENTER 16 ROUTER ESPIONAGE
Since 2015 the group has planted the SYNful Knock implant on Cisco gear, rerouted traffic through GRE tunnels, and tampered with TACACS+ logging to stay hidden while mapping network topology.
Hardest hit sectors: communications, energy, defense, finance, healthcare, and state/local government, all places running lean IT teams on legacy hardware.
- Low-tech entry: default SNMP strings and an 8-year-old Cisco bug, no zero-day needed.
- Built to persist: the SYNful Knock implant survives reboots, wakes on a crafted packet.
- Scale: thousands of device configs collected in the past year alone, per the FBI.
- Old bugs still bite: CVE-2018-0171 has a fix, most victims never applied it.
A Decade Of Quiet Infrastructure Mapping
Historically, this group thinks in years, not weeks. Since 2015, it has deployed custom tooling on Cisco gear, including the notorious SYNful Knock firmware implant. That implant survives reboots and activates through a crafted TCP “magic packet.”
The technical fingerprint runs deeper still. Static Tundra sets up Generic Routing Encapsulation tunnels to redirect traffic of interest toward attacker infrastructure. Meanwhile, it harvests NetFlow data to map who talks to whom. It even alters TACACS+ settings to blind remote logging.
The advisory maps this activity to the MITRE ATT&CK framework. Notably, the mapped behavior spans reconnaissance, credential access, collection, and exfiltration over alternative protocols.
The Sectors Squarely In The Crosshairs
Certain industries face elevated risk. According to the advisory, the most targeted sectors include:
- Communications
- Defense Industrial Base
- Energy
- Financial Services
- Government Services and Facilities, especially state and local
- Healthcare and Public Health
State and local governments deserve special attention. Because they often run lean IT teams and legacy gear, they present soft targets for patient adversaries.
Real-World Stakes And Hard Numbers
In an August 2025 public service announcement, the FBI stated that, “In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors.” On some devices, the operators altered configurations to reopen the door later.
The scale has deep roots. The 2022 DOJ indictment alleged that the earlier Dragonfly/Havex supply-chain phase “installed malware on more than 17,000 unique devices” between 2012 and 2014. Furthermore, follow-on spearphishing targeted “more than 3,300 users at more than 500 U.S. and international companies,” and compromised the business network of the Wolf Creek Nuclear Operating Corporation in Kansas.
Exposure remains stubbornly high. Internet scans continue to find over 1,200 Cisco Smart Install devices reachable on port 4786. Additionally, security researchers have long documented hundreds of thousands of devices leaking data through exposed SNMP.
On December 29, 2025, a destructive attack struck “more than 30 wind and photovoltaic farms” and a combined heat and power plant “supplying heat to almost half a million customers” in Poland, using the DynoWiper and LazyWiper wiper malware. CERT Polska tied the operation’s infrastructure to this FSB cluster, yet attribution stays partly contested. The incident shows how quiet reconnaissance can precede attempted sabotage.
Why Old Bugs Still Bite
However, CVE-2018-0171 has already been fixed in March 2018. However, it is still alive because companies fail to patch devices, sometimes even those that have reached their end of life. Nowadays, edge devices become more attractive for hackers, while industry reports indicate that the exploitation of network perimeters’ equipment is growing every year.
In general, this bulletin represents a new perspective on routers, positioning them as a target, but not just some plumbing. With the hacked router, a nation-state operator gets an opportunity to observe all traffic flowing after it.
Conclusion: When the Router Becomes the Espionage Platform
The FSB Center 16 campaign shows why routers can no longer be treated as background infrastructure. A poorly configured network device can reveal credentials, topology, access rules, traffic patterns, and the paths attackers need to move deeper into critical systems.
The methods are not new. That is what makes the campaign more serious.
Default SNMP strings, exposed management services, end-of-life hardware, and an eight-year-old Cisco vulnerability are still enough to support global espionage.
Why This Threat Matters
Center 16 targets the network layer because controlling the router creates visibility and reach that endpoint access alone may not provide.
- Default SNMP community strings expose configuration data
- Cisco Smart Install can create an unauthenticated attack path
- Router backups can reveal credentials and network topology
- GRE tunnels can redirect traffic toward attacker infrastructure
- SYNful Knock can provide persistent access on compromised devices
- TACACS+ changes can weaken logging and delay investigation
- Legacy infrastructure gives patient attackers years of opportunity
Once the router is compromised, the attacker can observe the network, alter trusted paths, and prepare the next stage without deploying obvious malware immediately.
Where Xcitium Changes the Outcome
This attack must be addressed first at the network edge, then at the point where stolen access becomes execution inside the environment.
Xcitium Vulnerability Assessment is the primary control for this scenario. It helps organizations identify exposed SNMP services, reachable Smart Install interfaces, vulnerable Cisco devices, end-of-life infrastructure, weak configurations, and patch gaps before attackers turn router access into long-term espionage.
If attackers use compromised network access to run tools, scripts, payloads, or lateral movement activity on managed endpoints and servers, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.
Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Security teams gain proof of what unknown execution could not do.
This is the correct sequence of control.
Expose the weak edge.
Close the trusted path.
Govern execution when attackers attempt to pivot.
Harden the Edge. Govern the Pivot.
The Center 16 advisory proves that sophisticated espionage does not always require zero-days. Weak configurations, old protocols, and forgotten network devices can create enough access for a nation-state actor.
Replace end-of-life devices.
Disable Cisco Smart Install.
Move from SNMPv1 and SNMPv2 to SNMPv3.
Restrict management access.
Govern unknown execution before network access becomes system impact.