PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

Russia's FSB is scanning routers this week - Get faster than the bear.

Posted by Aaron R. Warner on Jul 14, 2026 3:23:54 PM
Find me on:

badfaead-bc2e-430f-89b2-69e23165228cIf you run security for a hospital system, a bank, a college, or a manufacturer, a new government advisory deserves ten minutes this week.

On July 13, NSA, CISA, FBI, and DC3, joined by partners across the Five Eyes and Europe, released "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting" (AA26-194A). It documents a decade-plus campaign by Russia's FSB Center 16 against networking devices. The sectors it names as most at risk are financial services, healthcare and public health, energy, communications, the defense industrial base, and government, especially at the state and local levels.

The sector list matters less than the method. These actors aren't burning zero-days. They scan the internet for routers still answering on SNMPv1 or v2 with default or common community strings, then send the device an instruction to copy its own configuration to a file, often named config.bkp or output.txt, and ship it out over TFTP. That file hands them stored credentials and a map of your network. None of it touches an endpoint. The scan doesn't check your industry before it checks your router. A hospital, a bank, a campus, and a plant floor with an aging edge switch all look the same to it.

The fixes are specific and mostly free. Where we'd start:

  1. Know what's exposed. Inventory every internet-facing network device, including the ones installed before your current team arrived. You can't harden a router nobody remembers.
  2. Retire SNMPv1 and v2. Migrate to SNMPv3 with authPriv and disable the older versions. If a device truly can't live without v2, change every community string from default and make them read-only. Default strings are how this campaign gets in. (Many environments don’t actually USE SNMP, shut it off if you can. )
  3. Disable Cisco Smart Install on every device. When SNMP doesn't get them in, these actors fall back upon SMI and known vulnerabilities, such as CVE-2018-0171. NSA has been telling people to turn Smart Install off since 2017.
  4. Block management protocols at the edge. Deny SNMP (UDP 161/162, plus 10161/10162 for v3), TFTP (UDP 69), and SMI (TCP 4786) at your perimeter firewall unless there's a documented reason they're open.
  5. Patch firmware and flag end-of-life gear. The campaign leans on devices that will never see another update. If a router is EOL, put a replacement date on the calendar.

If your team can check all five boxes, you've closed the doors this campaign walks through.

If you can't, or you're not sure what your perimeter is showing the internet right now, ProCircular for an outside look today. We run these sorts of analyses every day, and we'll get you a straight answer in 24 hours.

Topics: Vulnerabilities, Penetration Testing, Monitoring & Detection, Security Advisory

  • There are no suggestions because the search field is empty.

ProCircular is a Full-Service Information Security Firm

We are passionate about helping businesses navigate the complex world of information security, and our blog is another great source of inforamtion. We can assist you no matter where you are in your security maturity journey:

  • Breached or hit with ransomware?
  • Don't know where to start? 
  • Looking to confirm your security with a third party?

Secure your future with ProCircular.

Recent Posts

Subscribe to Email Updates