Advertisement
Security

Russian State Actors Wage Global Campaign Targeting Network Infrastructure

A coalition of 12 nations has exposed an FSB-led operation scanning global networks for vulnerable router configurations and legacy exploits.

·4 hours ago·2 min read
Close-up of server cooling fans in a vibrant data center.
Photo by Winston Chen on Unsplash
Advertisement

A coordinated international effort has uncovered a sweeping surveillance operation targeting critical network hardware. Security agencies spanning 12 countries are now alerting organizations that a specialized Russian state-sponsored unit is methodically scanning the global internet to identify and compromise routers.

Tactical Exploitation of Network Protocols

The campaign is being orchestrated by FSB Center 16, a threat actor known under various aliases including Dragonfly and Static Tundra. These operators focus on discovering devices that still rely on default or inadequately secured Simple Network Management Protocol (SNMP) credentials. By leveraging weak community strings, attackers can gain unauthorized access to device management functions.

Once access is established, adversaries utilize Object Identifiers to force routers to offload their configuration data via Trivial File Transfer Protocol. These sensitive files are subsequently funneled to servers under the attackers' control. Experts warn that using legacy versions of these protocols, such as SNMPv1 and SNMPv2, invites disaster because they transmit authentication data in plaintext, facilitating easy interception.

Legacy Vulnerabilities and Targeted Strikes

Beyond protocol exploitation, the group maintains a focus on aging infrastructure. The advisory highlights that the threat actors have repeatedly returned to CVE-2018-0171, a seven-year-old vulnerability (CVE-2018-0171) embedded within the Smart Install feature of certain Cisco hardware. While a patch for CVE-2018-0171 has been available since 2018, its presence in unpatched or end-of-life equipment continues to provide an entry point for these state-sponsored incursions.

“This reckless attack failed but could have caused 500,000 citizens to lose electricity in the depths of winter. It is another example of the Russian state’s irresponsible attempts to sow chaos across Europe.”

The Human and Economic Cost

The severity of these operations was underscored by the official attribution of attacks against Polish energy infrastructure in late 2025. In response, international authorities have moved to levy sanctions against 24 entities and individuals connected to these hybrid operations. Additionally, the investigation has linked these actors to the widespread deployment of the Lumma Stealer, a credential-harvesting tool used to facilitate global espionage.

  • 12 countries co-authored the joint security advisory.
  • 24 individuals and entities are targets of new EU and UK sanctions.
  • 2100 victims of Lumma Stealer were identified in the UK within the last six months.

Defensive Posture for Modern Networks

For businesses and critical infrastructure operators, the implications are clear: the barrier to entry for state actors is often found in outdated configurations rather than sophisticated zero-day exploits. The recommendation from global intelligence services is to prioritize the transition to SNMPv3, which incorporates robust encryption and authentication. Failing to harden these perimeter devices leaves the door open to persistent state-level intelligence gathering and disruptive kinetic impacts onsets that threaten public safety and essential service continuity.

#cybersecurity#espionage#infrastructure#sanctions#cisco
← Back to all stories
Advertisement