UK and allies call for stronger router security amid Russian intelligence targeting

The UK and 18 partner agencies from 12 countries have issued a joint advisory urging organisations in critical sectors to improve the security of internet-connected routers and other network devices....

The UK and 18 partner agencies from 12 countries have issued a joint advisory urging organisations in critical sectors to improve the security of internet-connected routers and other network devices. The warning focuses on activity attributed to Centre 16, a cyber unit of Russia’s Federal Security Service (FSB).

The group, also known by aliases including Berserk Bear, Energetic Bear, Dragonfly and Static Tundra, has reportedly scanned the internet for routers using default or weak Simple Network Management Protocol (SNMP) credentials. Compromised devices can provide attackers with access to networks and create opportunities for further reconnaissance or intrusion.

According to the advisory, the actors have also targeted Cisco devices, including systems running the Smart Install feature, and exploited vulnerabilities in web-based management portals. The activity has affected networks associated with critical national infrastructure around the world.

The guidance calls on organisations in communications, defence, energy, financial services, government and healthcare to address basic weaknesses in network-device configuration. Recommended steps include:

  • Using SNMPv3 and disabling older SNMP versions where they are not required.
  • Replacing default credentials with strong, unique passwords.
  • Restricting access to management interfaces and protocols through appropriate network controls.
  • Identifying and patching vulnerable routers, switches and related devices.

Jonathon Ellison, the National Cyber Security Centre’s director of national resilience, said the recommendations were intended to help network defenders reduce the risk posed by Russian intelligence operations. The NCSC also encouraged organisations to use the Cyber Essentials scheme and the updated Cyber Assessment Framework to evaluate their security posture and improve resilience.

The advisory was released alongside UK sanctions against 24 people and entities accused of involvement in destructive cyber and hybrid operations, including criminal networks linked to Russian intelligence services. The UK and European Union member states also attributed a December 2025 attack on Poland’s energy grid to FSB Centre 16, saying a successful incident could have disrupted electricity supplies for up to 500,000 civilians.

Contributors to the advisory included agencies from Australia, Canada, Czechia, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden and the United States.