Why it matters: Russia’s cyber operations do not always begin with sophisticated malware. Often, they begin with exposed routers, outdated firmware, default passwords and network management protocols left open.
- That is the message behind a new joint Cybersecurity Advisory led by the U.S. National Security Agency, titled Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting.
- The document warns that cyber actors linked to the Russian Federal Security Service’s Center 16 continue to exploit vulnerable and poorly configured networking devices across the world, including in critical infrastructure sectors.
The details. The advisory was released by the NSA together with CISA, the FBI, the U.S. Department of Defense Cyber Crime Center and a broad group of allied agencies, including the United Kingdom’s NCSC, France’s ANSSI, Canada’s Cyber Centre, Australia’s ASD, New Zealand’s NCSC and several European intelligence and cyber bodies.
- Italy is also listed among the co-sealing partners through AISE and AISI.
- The sectors most at risk, according to the advisory, include communications, the defense industrial base, energy, financial services, government facilities and healthcare. CISA published the same guidance under alert code AA26-194A on July 13, 2026.
- The Russian actors’ method is relatively straightforward. They scan internet-facing networks to find routers and other devices with active SNMP agents, especially those still using default or common community strings.
- Once inside, they can pull configuration files, collect credentials and move the data to infrastructure under their control. In some cases, the advisory says, the actors have also exploited Cisco Smart Install and known vulnerabilities affecting Cisco devices.
The bigger picture. The alert builds on an FBI warning issued in 2025, which said Russian cyber actors attributed to FSB Center 16 were targeting networking devices and critical infrastructure in the United States and globally.
- The FBI alert specifically pointed to SNMP abuse and end-of-life devices as part of the threat pattern.
- The new advisory frames the activity as part of a decade-plus pattern linked to FSB Center 16. Cybersecurity companies track overlapping activity under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.
- However, the agencies caution that private-sector naming does not always map perfectly onto government attribution.
The mitigation. The recommendations are technical, but the political message is clear: many state-sponsored intrusions can be made harder by closing basic gaps.
- The agencies urge network defenders to implement SNMPv3, disable SNMPv1 and SNMPv2, use strong and unique passwords, disable Cisco Smart Install, block TFTP, SMI and SNMP at the firewall where they are not needed, and update software and firmware to patch known vulnerabilities.
- None of this is glamorous. But that is precisely the point. Moscow does not need to break through hardened systems if it can enter through neglected ones.
The Italy angle. The presence of AISE and AISI among the co-signatories matters. It shows that the threat is being treated not only as an American or Five Eyes concern, but as a Euro-Atlantic security issue involving European intelligence services directly.
- For Italy, the advisory lands in a sensitive context: government networks, energy infrastructure, telecommunications, defense suppliers and healthcare systems are all part of the same strategic surface. Protecting them is no longer just an IT task. It is a matter of national resilience.
- The warning comes as Italian prosecutors investigate an alleged Russian espionage operation that included the monitoring of a Navy exercise involving an underwater drone off La Spezia, one of Italy’s key hubs for naval and underwater capabilities.
The strategic view. The warning from NSA and its partners is not about a single vulnerability. It is about a Russian playbook: identify neglected devices, exploit weak configurations, collect access and prepare the ground for espionage or disruption.
- In cyber defense, hygiene is deterrence. And for Moscow’s operators, an unpatched router can still be an open door.



