(TLP:CLEAR) CISA and Partners Urge Improved Router Hygiene to Counter Russian State-Sponsored Targeting
Created: Thursday, July 16, 2026 - 14:53
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: On Monday, CISA and other federal and international partners released a joint advisory, “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” detailing ongoing exploitation of poorly configured and vulnerable networking devices by Russian Federal Security Service (FSB) Center 16 actors, tracked commercially as Berserk Bear, Dragonfly, and Static Tundra. These actors primarily scan for devices accepting default Simple Network Management Protocol (SNMP) community strings, then exfiltrate device configurations over the TFTP protocol. They have also exploited CVE-2018-0171 and CVE-2008-4128 in Cisco devices, both now listed in CISA’s Known Exploited Vulnerabilities catalog.
Analyst Note: This activity is opportunistic, meaning any utility with an exposed, misconfigured router is a potential target regardless of size. Compromised edge devices can yield credentials and network configurations that enable deeper access into OT environments. WaterISAC encourages members to review the advisory’s mitigations, including:
- Migrate to SNMPv3 and disable SNMPv1/v2 and default community strings.
- Disable Cisco Smart Install.
- Block TFTP, SMI, and SNMP ports at edge firewalls.
- Patch or replace end-of-life network devices.
Members can report suspicious activity to WaterISAC and CISA.
Original Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a
Additional Reading:
- FBI PSA: Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
- NSA CSI: Reducing the Risk of SNMP Abuse
- NSA Network Infrastructure Security Guide
Related WaterISAC PIRs: 6, 7, 7.1, 8, 10, 12
