American and international cybersecurity authorities have warned that hackers supported by the Russian government continue to exploit old or unsecured routers to penetrate critical infrastructure networks, as part of a cyber espionage campaign that has been ongoing for more than ten years.

The warning came in a joint statement issued by the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), in cooperation with a number of international partners.

The statement indicated that the group linked to “Center 16” of the Russian Federal Security Service (FSB) continues to target vulnerable network devices, especially in vital sectors such as energy, healthcare, and government agencies.

How are hacking operations carried out?

According to experts, attackers rely on searching for routers directly connected to the Internet and running outdated versions or with insecure settings of the SNMP network management protocol.

When these devices use default logins or weak passwords, attackers can exploit them to obtain network settings files and send them to servers they control, giving them important information about the nature of the targeted network.

The group also exploits known vulnerabilities in some old Cisco devices, in addition to misusing the Cisco Smart Install feature, which may remain activated even after the device is set up, which constitutes a potential entry point for attackers.

Why are routers dangerous when neglected?

Although routers may seem like simple targets, they contain sensitive information that can help attackers understand network architecture, including:

  • Network login data.

  • Internal network settings.

  • Infrastructure details and communication paths between systems.

This information can be used to accurately map the network and identify the most important systems to target later.

The security agencies confirmed that the primary goal of these operations is not to carry out direct sabotage attacks, but rather to collect information and establish a long-term hidden presence within networks, which can be exploited in the future in accordance with Russian strategic goals.

Preventive measures recommended by security authorities

The agencies called on organizations to enhance the protection of their networks through a set of measures, most notably:

  • Replace routers that have stopped receiving security updates.

  • Update firmware to the latest available versions.

  • Disable the Cisco Smart Install feature when it is not needed.

  • Moving from SNMPv1 and SNMPv2 to SNMPv3 because it provides stronger protection through authentication and encryption.

  • Use strong, unique passwords for each device.

  • Restrict access to network management systems to trusted devices and users only.

  • Monitor unusual login attempts and suspicious activities within the network.

The security authorities stressed that these measures represent the basics of cyber protection, and that neglecting them may give government-backed parties the opportunity to infiltrate networks without the need to use complex hacking techniques. It also called on organizations to conduct a comprehensive review of all network devices connected to the Internet, especially old devices that no longer receive security updates.