Russian hackers exploit weak router security to breach critical infrastructure, Western allies warn

Alena Butusava/Getty Images
The guidance comes as the United Kingdom and European Union blamed a major Russian intelligence unit for an attempted attack on Poland’s power grid last year.
Russian state-backed hackers tied to Moscow’s FSB Federal Security Service are continuing to breach critical infrastructure networks around the world by exploiting routers and other networking devices protected by weak credentials or running outdated technology, the United States and 12 partner nations warned Monday.
The joint advisory said operators from FSB’s Center 16 signals intelligence unit have been working to opportunistically compromise infrastructure organizations across the communications, defense industrial base, energy, financial services, government facilities and health care sectors using the poor router configurations.
The advisory was issued by the NSA, Cybersecurity and Infrastructure Security Agency, FBI and Defense Department Cyber Crime Center, alongside agencies from Australia, Canada, New Zealand and others.
“This is an ongoing issue that has impacted various U.S. and foreign networks across multiple sectors,” the National Security Agency said in a statement accompanying the advisory.
Center 16 operators have also exploited Cisco’s Smart Install feature, web portals used to manage network devices and at least two Cisco vulnerabilities. One of the flaws was logged Monday in CISA’s Known Exploited Vulnerabilities catalog, which tabulates cyber vulnerabilities that have been leveraged by hacker groups.
The guidance comes the same day the United Kingdom and European Union formally blamed Center 16 for a failed December 2025 cyberattack against Poland’s energy grid. UK officials said the operation could have cut electricity to roughly 500,000 people during the winter.
“We strongly condemn Russia’s behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses,” EU foreign policy chief Kaja Kallas said.
Former U.S. officials urged organizations to shore up their routers’ cyberdefenses.
“Organizations should treat internet-facing network infrastructure as a priority attack surface by eliminating default credentials, restricting management interfaces, and ensuring that routers receive the same level of monitoring and patching as other critical systems,” said Matt Hartman, the chief strategy officer at Merlin Group who has held several senior roles at the Cybersecurity and Infrastructure Security Agency.
“Organizations should assume that a router or other perimeter device will eventually be compromised. The objective is not simply to prevent the initial intrusion, but to ensure that the compromise cannot spread and create operational consequences,” said Lou Eichenbaum, the former chief information officer at the U.S. Department of the Interior and current federal chief technology officer at ColorTokens.




