At a glance
| Actor / group | Russian FSB Center 16 (aka Berserk Bear, Dragonfly, Static Tundra) |
| Activity | SNMP scanning and exploitation of routers; config theft |
| Targets / victims | Critical infrastructure worldwide across many sectors |
| Scale | Decade-plus activity; victim count not disclosed |
| Status | Joint advisory by 20+ agencies; no arrests |
| Source | NSA, CISA, FBI, and allied Joint Cybersecurity Advisory |
TL;DR
More than 20 agencies have issued a joint alert about Russian state hacking. They say FSB Center 16 keeps exploiting weak routers worldwide. The group hunts critical infrastructure through poor SNMP settings and default credentials.
What happened
The NSA, CISA, FBI, and allies published the advisory in July 2026. It builds on an earlier FBI warning about the same decade-long activity. According to the alert, FSB Center 16 actors “continue to exploit poorly configured and vulnerable networking devices worldwide.”
The group mainly scans the internet for devices running old SNMP versions. Then it uses default community strings to read and copy router configs. It sends stolen files to leased servers over TFTP. The team also flagged two older Cisco flaws the actors have used.
Who is behind it
The agencies attribute the campaign to Russia‘s FSB Center 16. Industry teams track related activity as Berserk Bear, Dragonfly, and Static Tundra. Some methods also overlap with the group known as Salt Typhoon. Still, the agencies name a state unit, not any individual.
Impact and scale
The targeting spans many critical sectors. These include energy, communications, defense, finance, government, and healthcare. Because routers sit at the network edge, one weak device can expose a whole network. FSB Center 16 can then watch traffic or move deeper inside.
The advisory does not give a victim count. Even so, it frames the threat as broad and ongoing.
How to stay protected
The authoring agencies “strongly urge device owners and network defenders to take mitigation and remediation actions.” First, switch to SNMPv3 and drop SNMPv1 and v2. Next, disable Cisco Smart Install where you do not need it. Also block TFTP, SMI, and SNMP at the edge firewall. Then monitor SNMP requests for OIDs that copy device configs. Finally, patch old devices and retire end-of-life gear. For the full guidance, read the UK NCSC and allied advisory.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.