CISA, Partners Urge Router Hygiene to Counter State-Sponsored Russian Hacking

Russian actors continue to exploit vulnerabilities in Cisco devices and network management portals.

Russian Hacker Dmitry Nogaev
istock.com/DmitryNogaev

Article Summary

Russian actors continue to exploit vulnerabilities in Cisco devices and network management portals.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Defense Cyber Crime Center (DC3), and international partners released a joint cybersecurity advisory, Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, addressing ongoing opportunistic exploitation of vulnerable networking devices by Russian Federal Security Service (FSB) Center 16 cyber threat actors.

This advisory builds on the FBI’s August 2025 public service announcement, providing updated information on the tactics, techniques, and procedures used by Russian FSB cyber threat actors who continue to target critical infrastructure—including the Communications, Defense Industrial Base, Energy and Government Services and Facilities by scanning for and exploiting poorly configured routers and network devices.

Russian FSB Center 16 actors have been observed exploiting multiple vulnerabilities in Cisco devices and network management portals, including CVE-2018-0171 and CVE-2008-4128. Both are listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with CVE-2008-4128 added today.

The advisory outlines practical steps organizations can take to harden their networks against exploitation, such as upgrading device configurations, enabling stronger authentication protocols, and monitoring for suspicious activity. 

Several industry stakeholders also offered their thoughts on the advisory and ongoing situation.

Matthew Hartman, Chief Strategy Officer at Merlin Group 

"The techniques in this advisory are not new, however, the breadth of international attribution should remove any doubt that this remains an active and coordinated threat to critical infrastructure. Organizations should treat internet-facing network infrastructure as a priority attack surface by eliminating default credentials, restricting management interfaces, and ensuring that routers receive the same level of monitoring and patching as other critical systems."

Louis Eichenbaum, Federal CTO at ColorTokens

"The most important takeaway from this campaign is that sophisticated adversaries continue to exploit relatively basic weaknesses because they know those weaknesses still exist. This is especially true with our OT systems that manage our critical infrastructure as they often use legacy components.  

"Default credentials, exposed management interfaces, and flat networks remain common across critical infrastructure. Organizations should assume that perimeter devices will eventually be compromised and focus on building resilience through visibility, least privilege, and microsegmentation. 

"Immediately Inventory all routers, switches, firewalls, and network devices. Remove all default SNMP strings such as public, private and vendor defaults.  Use long, complex authentication strings. Even better, implement SNMPv3 with authentication, encryption and role-based access controls. Disable TFTP where possible. Replace it with SCP, SFTP and Secure APIs.

"Microsegmentation represents one of the most effective long-term defenses against campaigns like this. The attack may begin with the compromise of a network device, but the more important question is what happens next. Can the attacker move from that device to engineering workstations, domain controllers, operational technology systems, or other high-value assets? 

"Identity-based microsegmentation helps answer that question by limiting blast radius, preventing lateral movement, restricting access to critical resources, protecting OT environments, and effectively blinding adversaries to attack paths that lead to mission-critical systems. Organizations should assume that a router or other perimeter device will eventually be compromised. The objective is not simply to prevent the initial intrusion, but to ensure that the compromise cannot spread and create operational consequences." 

John Gallagher, Vice President at Viakoo

"These attacks work purely from a numbers perspective. It's an opportunistic campaign looking for poor cyber hygiene, such as leaving Cisco's Smart Install active or not using strong passwords. The root-level concern is that too many organizations practice poor firmware, password, and certificate management, which leaves them open to opportunistic attacks. 

"Organizations can take the following actions to defend against this:

  • Migrate to SMNPv3 to prevent initial infection.
  • Restrict management access by blocking high risk ports unless there is strictly monitored exceptions granted.
  • Maintain firmware on the latest/safest version, and have a policy for password and certificate rotations." 
More in Cybersecurity