The FBI and 18 of the world’s top cyber agencies are urging companies to clean up their router hygiene following a spate of Russian cyberattacks via “poorly configured networking devices."
The international group of agencies published a joint advisory on Monday to highlight the methods used by the Russian Federal Security Service’s (FSB) Centre 16 group, including the exploitation of multiple Cisco CVEs.
FBI Cyber Division Assistant Director Brett Leatherman said: “Russian state-sponsored cyber actors have spent years quietly extracting configuration data from poorly configured routers across critical infrastructure.”
Companies most at risk are in critical infrastructure sectors such as communications, defence, energy, financial services, healthcare, and government services, particularly at state and local levels.
What’s the risk?
The advisory warned attackers were using proxies to scan for Internet IP ranges with Simple Network Management Protocol (SNMP) agents they could instruct to copy their device’s configuration to a file, often config.bkp or output.txt, and transfer it to a controlled VPS or FTP server.
Additionally, the group had been spotted breaking into Cisco devices and the Cisco Smart Install function and web portals using the long-exploited vulnerabilities CVE-2018-0171 and CVE-2008-412813.
See also: Cisco Firewall 0day exploited in ransomware attacks
The group, which includes the UK’s NCSC and counterparts in Australia, Finland, Canada, France and Estonia, said companies should disable Cisco Smart Install, which has already been made defunct by the networking company but persists in older devices.
Other mitigations included using SNMPv3 with authPriv, restricting access to SNMP Object Identifiers (OIDs) against a vendor-specific Management Information Base allow list, and using Access Control Lists to limit management protocols to management devices.
Router attacks
While the specific warning is new, global intelligence agencies have warned of Russian groups targeting routers for years. In 2023, the NCSC, FBI, CISA and NSA said the Russian APT28 group had been exploiting Cisco routers for its attacks since at least 2021.
Forescout’s 2025 threat roundup report found network infrastructure devices were the second most exploited devices last year, while its 2026 riskiest devices report said routers accounted for a third of the most dangerous vulnerabilities for enterprises.
In April, the NCSC also warned that APT28 was again targeting routers as part of its DNS hijacking operations, compromising small office and home office routers to enable adversary-in-the-middle attacks and harvest credentials.