Nine cybersecurity agencies spanning the United States, United Kingdom, Australia, Canada, New Zealand, Estonia, Finland, France, and Italy released a coordinated advisory warning that FSB Center 16 — Russia’s Federal Security Service hacking unit — has been systematically exploiting network routers to reach critical infrastructure organizations globally. The advisory documents a sustained campaign that combines SNMP scanning with a years-old Cisco vulnerability to extract device configurations and map the internal architecture of energy, healthcare, defense, and financial networks.
How FSB Center 16 Uses SNMP Scanning and CVE-2018-0171 to Access Critical Networks
The advisory describes a consistent attack sequence that begins with the group scanning internet-facing routers for devices using default or weak SNMP community strings. SNMP is used for remote device management, and routers still relying on well-known default strings expose their configurations to any attacker who probes for them. After identifying a vulnerable device, FSB Center 16 moves to active exploitation.
CVE-2018-0171 Exploitation and TFTP Configuration File Exfiltration
The group exploits CVE-2018-0171 — a flaw in Cisco’s Smart Install protocol — to execute commands on the targeted router. Attackers then use IP spoofing to copy device configuration files and transmit them to attacker-controlled servers via TFTP (Trivial File Transfer Protocol). Router configuration files contain authentication credentials, routing tables, and internal network topology, giving FSB Center 16 a detailed map of the target organization’s infrastructure without triggering endpoint or server-level security tools. The attack occurs entirely at the network device layer, where most organizations have the least visibility. The advisory confirms CVE-2018-0171 exploitation has been active in this campaign since November 2021.
The group operates under multiple tracking designations across different intelligence communities — Berserk Bear, Energetic Bear, Ghost Blizzard, Static Tundra, Dragonfly, and Crouching Yeti — all referring to the same FSB Center 16 unit.
Six Critical Infrastructure Sectors Under Active FSB Center 16 Targeting
The advisory identifies six sectors under direct threat: energy, communications, defense industrial base, healthcare, financial services, and state and local government. The sector selection reflects Russian state intelligence priorities centered on mapping Western infrastructure with both espionage value and potential disruptive utility. The campaign has persisted for years while relying on an eight-year-old Cisco vulnerability — an indicator that FSB Center 16 found these techniques effective against a substantial proportion of real-world target networks.
The Nine-Country Coalition and the Required Defensive Measures
Co-signatories span the Five Eyes intelligence alliance plus Estonia, Finland, France, and Italy. The inclusion of NATO partners beyond the traditional Five Eyes group signals a collective assessment that FSB Center 16’s router campaign has affected or credibly threatens critical infrastructure across a broader set of Western nations than previous advisories addressed. The joint format prevents individual agencies from issuing disparate warnings that threat actors could treat as geographically bounded.
Four Technical Defenses the Advisory Mandates Against FSB Center 16 Techniques
The advisory specifies four concrete mitigations. Organizations should upgrade to SNMPv3, which adds authentication and encryption absent from earlier versions, closing the community-string scanning entry point FSB Center 16 exploits. Cisco Smart Install should be disabled on any device that does not require it, eliminating the CVE-2018-0171 attack surface. Edge firewalls should block TFTP and SNMP traffic to prevent configuration exfiltration even when earlier controls fail. Finally, organizations should audit and replace end-of-life network equipment that can no longer receive security patches — a direct acknowledgment that aging hardware on unsupported firmware versions is a primary enabling factor in the campaign’s continued effectiveness.
Why This Nine-Country Publication Carries Strategic Weight
Bilateral or Five Eyes advisories are standard instruments of threat communication. A nine-country document signals that signatory agencies collectively assessed FSB Center 16’s activity as requiring a broader coordinated response than private channels or bilateral diplomatic contacts could adequately address.
The advisory does not identify specific compromised organizations or disclose how many networks FSB Center 16 has penetrated. The simultaneous warning across all six sectors suggests the group has achieved demonstrated access within each category, not merely attempted to target them. The combination of default SNMP community strings and an unpatched 2018 Cisco vulnerability remaining effective against production networks in 2026 is a direct indicator of how infrequently foundational network device security receives the same sustained attention as endpoint and application security in many operational environments. Organizations running Cisco devices with Smart Install still enabled and SNMP configured with default community strings should treat this advisory as confirmation of active targeting against infrastructure of their type.
