US Allies Warn About Russian Cyber Threats to Critical Infrastructure

www.news4hackers.com-us-allies-warn-about-russian-cyber-threats-to-critical-infrastructure-us-allies-warn-about-russian-cyber-threats-to-critical-infrastructure

US and allies warn of Russian critical infrastructure attacks

Cybersecurity authorities from the United States and eight additional nations have released a joint alert detailing ongoing efforts by Russian state-sponsored hackers to exploit insecure router configurations within critical infrastructure networks.

The advisory, coordinated by the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), alongside 15 counterparts from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, identifies the perpetrators as operatives from the Russian Federal Security Service (FSB) Center 16.

This group, known by multiple designations including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, employs tactics involving internet-wide scans for routers with default or commonly used Simple Network Management Protocol (SNMP) authentication credentials.

Once identified, the actors deploy spoofed IP addresses to execute commands that extract device configuration files and transmit them via the Trivial File Transfer Protocol (TFTP) to infrastructure controlled by the threat group.

In August 2025, the FBI highlighted that the same collective has leveraged a critical flaw in the Smart Install feature of Cisco IOS and Cisco IOS XE software (CVE-2018-0171) since November 2021 to compromise critical infrastructure.

The sectors most vulnerable to these incursions encompass energy, telecommunications, defense industrial base operations, healthcare, financial services, defense systems, and state and local government networks.

The UK National Cyber Security Centre (NCSC) noted that the group primarily relies on SNMP scans to identify susceptible routers but has also exploited well-documented vulnerabilities in Cisco devices, including flaws within the Smart Install (SMI) feature and web-portal weaknesses to seize control of network equipment.

The advisory outlines specific countermeasures for organizations to strengthen their defenses. These include transitioning to SNMPv3, deactivating Cisco Smart Install, implementing robust and unique passwords, restricting TFTP and SNMP traffic through edge firewalls, updating software and firmware, and replacing outdated hardware.

The FBI further emphasized the importance of these steps in mitigating the risk of exploitation.

This alert follows a multinational law enforcement initiative that dismantled FrostArmada, a separate campaign linked to APT28—a Russian military intelligence group associated with GRU unit 26165, also referred to as Fancy Bear and Forest Blizzard.

This operation, which targeted 18,000 routers across 120 countries by December 2025, involved altering DNS settings on compromised MikroTik and TP-Link small office/home office (SOHO) devices to redirect authentication traffic to malicious servers.

The objective was to intercept Microsoft 365 login credentials and OAuth tokens.

As part of a court-authorized effort supported by the U.S. Department of Justice, the Polish government, and several cybersecurity firms, the FBI remotely corrected malicious DNS configurations, forcing affected devices to connect to legitimate DNS resolvers.

Organizations are urged to conduct comprehensive security assessments to identify and address vulnerabilities before adversaries exploit them.

Security teams report that 54% of successful breaches go undetected until after they occur, with only 14% triggering timely alerts.

A recent analysis by Picus highlights the effectiveness of breach and attack simulation in validating security controls, ensuring that detection systems effectively identify threats.

The advisory underscores the persistent threat posed by state-sponsored actors and the necessity for proactive cybersecurity measures to protect essential services from disruption.



About Author

en_USEnglish