
The U.S. National Security Agency (NSA) issued an alert Monday attributing a systematic campaign to compromise routers and other network devices with weak or outdated configurations to Center 16 of Russia’s Federal Security Service (FSB). The advisory, produced in cooperation with 17 cybersecurity organizations from 11 other countries, lists the most exposed sectors — defense, energy, communications, finance, government facilities and health — and urges operators to implement measures to close the access paths that Russian attackers have exploited for more than a decade.
The Washington notice was not isolated. Hours earlier, the U.K. National Cyber Security Centre (NCSC), part of GCHQ, published a parallel guide with the same focus: Center 16 acts opportunistically against strategic networks worldwide, and basic misconfigurations in network devices remain its primary entry point. The coordinated release of both advisories coincided with the first joint sanctions announced by London and Brussels against members of that FSB unit since Brexit. The immediate trigger was the December 29, 2025 attack on Poland’s power grid, formally attributed to Center 16, which could have left about 500,000 people without electricity in mid-winter. The malware used, DynoWiper, is a destructive tool historically linked to Russian state operations. The attack ultimately failed, but only narrowly.
The technical mechanism described in the alert is telling. Center 16 scans the internet for routers still using default passwords or insecure SNMP community strings — keys such as “public” or “private” that manufacturers include by default and many administrators never change. Once a vulnerable device is identified, operators issue SNMP commands to copy its configuration file and redirect it, via the TFTP transfer protocol, to servers they control. That file effectively provides a complete map of the network: routing tables, firewall rules, stored credentials and subnet architecture. For intelligence operations seeking to understand a network’s interior without triggering intrusion-detection systems, that document can be more valuable than most conventional malware, the advisory says.
The NSA and its partners — including CISA, the FBI and agencies from Australia, Canada, New Zealand, the Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland and Sweden — say the group, also tracked under names such as Berserk Bear, Energetic Bear, Dragonfly or Static Tundra, has been active since at least the early 2010s. In addition to abusing SNMP, it has exploited known flaws in Cisco Smart Install and in device management web portals. Since August 2025, the FBI had already documented the collection of configuration files from thousands of devices tied to U.S. critical infrastructure. Monday’s alert expands that assessment with new tactics and adds a notable detail: Center 16’s techniques partially overlap with those used by a China-linked actor known as Salt Typhoon, suggesting the vulnerabilities exploited by Moscow are the same ones other foreign intelligence services exploit.
The recommended measures are technically straightforward: adopt SNMP version 3 — the only version offering strong authentication and encryption — disable Cisco Smart Install, enforce unique, strong passwords on every network device, block TFTP and SMI protocols at the firewall, and keep device firmware up to date.
The tempo of incidents attributed to Russia against European infrastructure has increased in recent months. In April 2026, Sweden reported that an FSB-linked group had attacked a district heating plant. France has attributed intrusions in 2014 against ministerial systems and in February 2025 against a defense-industry research institute to the same operational environment. The Kremlin has repeatedly denied any involvement. The coordination of 18 agencies from 12 countries to publish a technical guide, impose sanctions and formally attribute a specific attack is the broadest Western response to date, though Center 16’s record —more than a decade of sustained operations with few visible consequences— raises reasonable doubts about how effective this response will be as a deterrent.
