Enable breadcrumbs token at /includes/pageheader.html.twig

Cyber Defense Agencies Release Advisory on Russian State-Sponsored Targeting

CISA, the FBI and international partners share tactics, techniques and procedures to mitigate Russian cyber actors' attacks on critical infrastructure.

 

The Cybersecurity and Infrastructure Security Agency (CISA) announced Tuesday it has collaborated with the National Security Agency, FBI, Defense Cyber Crime Center and several international partners to release a joint cybersecurity advisory titled “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting.”

The advisory builds on the FBI’s service announcement in August 2025, attributing malicious cyber activity to the Russian Federal Security Service Center 16.

"Russian state-sponsored cyber actors have spent years quietly extracting configuration data from poorly configured routers across critical infrastructure," said Assistant Director Brett Leatherman of the FBI's Cyber Division. "This advisory gives network defenders the visibility to spot this activity and the mitigations to counter it. The FBI will work with our partners to continue to expose this tradecraft and hold these actors accountable."

According to the CISA press release, the advisory warns that Russian cyber actors are targeting vulnerable networks within critical infrastructure sectors, specifically communications, defense industrial base, energy, financial services, government services and facilities, and health care and public health.

Threat actors are primarily taking advantage of poorly configured routers and other common vulnerabilities to gain unauthorized access, exfiltrate sensitive configurations and act maliciously, the release said.

The most notable cyber threat group names listed in the advisory are Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.

 

 

 

 

 

 

 

 

Image
FSB Center 16 activity and recommended mitigation actions. Credit: "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting" cybersecurity advisory
Figure 1: FSB Center 16 activity and recommended mitigation actions. Credit: "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting" cybersecurity advisory

 

 

According to the advisory, actors use active simple network management protocol (SNMP) agents to scan for internet IP ranges that accept common or default community strings for authentication. Community strings are passwords that have been shared online in plain text that can be easily intercepted by malicious cyber actors.

The advisory recommends restricting access to management interfaces and firewall devices; strengthening authentication and data encryption protocols; securing weak internet-facing systems; and looking for suspicious activity. Specifically, the agencies advise disabling Cisco Smart Install, SNMPv1 and SNMPv2, and replacing it with SNMPv3, which adds stronger authentication and data encryption.

In the Office of the Director of National Intelligence’s 2025 Annual Threat Assessment of the U.S. Intelligence Community, Russia was identified as an advanced cyber threat.

“Moscow’s unique strength is the practical experience it has gained integrating cyber attacks and operations with wartime military action, almost certainly amplifying its potential to focus combined impact on U.S. targets in time of conflict,” the threat assessment read.

To strengthen defenses against Russian cyber actors, CISA collaborates with partners, including internet service providers, original equipment manufacturers and global cyber agencies, and participates in the Joint Ransomware Task Force.

“CISA continues to work with domestic and global partners to highlight the ongoing threat of nation-state actors targeting vulnerable network devices,” said Acting Executive Assistant Director for Cybersecurity Chris Butera. “The advisory provides a timely and urgent reminder of actions for critical infrastructure owners and operators to counter Russian state-sponsored activity. CISA urges network defenders to implement mitigation and remediation measures to reduce your attack surface and risk of exploitation.”  

 

Comments

The content of this field is kept private and will not be shown publicly.

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Enjoying The Cyber Edge?