Russia’s FSB Center 16 exploits vulnerable routers with SNMP

0
1


Allied cybersecurity agencies have detailed the exploitation of vulnerable routers via SNMP and Cisco Smart Install by Russia’s FSB Center 16.

Authored by the NSA, CISA, FBI, and the Department of Defense Cyber Crime Center, the joint cybersecurity advisory was co-signed by centres in Australia, Canada, New Zealand, the UK, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden.

The agencies tie more than ten years of this activity to industry names including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, while noting public labels do not always match their own analytic tracks one-for-one.

FSB Center 16 actors scan internet-facing IP ranges for devices that still accept common or default SNMP community strings. Proxied SNMP Set-Requests spoof source addresses and instruct mismanaged agents to dump the running configuration into files typically named config.bkp or output.txt. Those files then transfer over TFTP to leased virtual private servers or previously compromised FTP hosts under actor control.

The actors also exploit Cisco Smart Install where it remains enabled, and occasionally weaponise known defects including CVE-2018-0171 and the end-of-life-only CVE-2008-4128. Web management interfaces on edge devices receive secondary attention. Many of the observed collection and exfiltration techniques overlap with patterns seen from other operators such as Salt Typhoon, so the published mitigations apply more broadly than Russian activity alone.

Priority sectors listed by the agencies include communications, the defence industrial base, energy, financial services, government services and facilities at state and local levels, and healthcare and public health.

Paul Asadoorian, Principal Security Researcher at Eclypsium, commented: “CISA’s advisory is another reminder that attackers have long understood the easiest path is through under‑monitored device hardware controls at the network edge.

“The infrastructure we rely on every day is increasingly a prime target for state‑sponsored operations exploiting older SNMP implementations and Cisco Smart Install—issues identified decades ago. These well‑known flaws remain effective initial access vectors because routers and other foundational devices are less monitored, more stealthy, and allow persistence even through updates.

Compromised edge routers give durable footholds because administrators often leave management protocols open for convenience, yet rarely subject them to the same continuous monitoring applied to servers or endpoints. Configuration files harvested over SNMP frequently embed weak Cisco Type 0, Type 4, or Type 7 password hashes, which turn a single SNMP misstep into broader lateral movement opportunities.

“Eclypsium supports CISA’s call for improved router hygiene. When the foundation is compromised, the entire security stack is weakened,” explained Asadoorian.

“Organisations need visibility, integrity verification, and continuous trust in their hardware and components to stay resilient against nation‑state threats. Establishing trust in your network infrastructure before, during, and after deployment is critical to reducing the risk of compromise and maintaining resilience against nation‑state actors.”

The allied cybersecurity agencies have published concrete configuration and network-control steps that organisations can apply without waiting for new vendor features:

Tactical network hardening

Network teams must prioritise disabling Cisco Smart Install on every device where it is still active. Devices should also transition to SNMPv3 utilising authPriv and the strongest encryption supported by the platform, ensuring all read-write community strings are entirely removed. In instances where legacy SNMP versions remain strictly required, community strings must be changed from factory defaults and restricted to read-only access.

Local device accounts require long, unique passwords hashed with Type 8, completely retiring older Type 0, 4, and 7 variants. Administrators should deploy Access Control Lists to strictly isolate SNMP, TFTP, and Smart Install communications to management subnets, aiming for completely out-of-band operations whenever feasible.

Edge firewalls must be configured to block untrusted connections targeting UDP 69 (TFTP), TCP 4786 (SMI), and standard SNMP ports, including both UDP 161-162 and TCP/UDP 10161-10162. When business needs require an exception, security teams should demand documented justifications and drastically elevate logging for those pathways.

Detection, visibility, and threat hunting

On the monitoring side, locking down which Object Identifiers (OIDs) outside stations are allowed to query using MIB allow-lists is an effective deterrent. You need to keep a close eye on the Cisco Config Copy OIDs located at 1.3.6.1.4.1.9.9.96.1.1, alongside the companion Config Copy Server Address OID. That latter OID can show you exactly where an attacker is trying to send your dumped configuration file.

Make sure your Intrusion Detection Systems are set to trigger alerts whenever inbound Set-Requests contain these identifiers. Also, since your normal daily admin tasks should already be running through centralised portals backed by multi-factor authentication, any sudden logins from local device accounts should be treated as a red flag that warrants an immediate response.

Organisations should conduct routine attack-surface scanning on all external-facing assets to identify lingering vulnerabilities. Critical infrastructure operators in the US can get this done for free via CISA’s Cyber Hygiene Services, and defence contractors can tap into the NSA’s DIB Cybersecurity Services.

See also: US leads internet outage preparedness ranking

Banner for Cyber Security Expo by TechEx events.

Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events including the AI & Big Data Expo. Click here for more information.

Telecoms is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.


👇Follow more 👇
👉 bdphone.com
👉 ultractivation.com
👉 trainingreferral.com
👉 shaplafood.com
👉 bangladeshi.help
👉 www.forexdhaka.com
👉 uncommunication.com
👉 ultra-sim.com
👉 forexdhaka.com
👉 ultrafxfund.com
👉 bdphoneonline.com
👉 dailyadvice.us

LEAVE A REPLY

Please enter your comment!
Please enter your name here