Russian FSB Operation Against Routers and Network Devices: Strategic Access to Critical Infrastructure
14. Juli 2026
Richard Krauss
Key Finding
Western cyber and intelligence authorities warn of an ongoing global operation targeting routers, switches and other network components. The activity is attributed to Russia’s FSB Center 16. The unit combines cross-border signals intelligence with technical network reconnaissance and long-term access operations.
The campaign focuses on devices whose management services are exposed to the internet, whose firmware contains known vulnerabilities or whose administrative protocols lack modern authentication and encryption. The operators extract device configurations, reconstruct internal network structures and establish access for subsequent espionage operations.
The technical core of the operation is an attack chain based on the Simple Network Management Protocol and unsecured file-transfer services. Center 16 searches for devices that respond to known or weak community strings such as “public” and “private.” “Public” is conventionally used for read access. Manipulation of a device configuration requires a write community with modification privileges, frequently using the default value “private.” Through an SNMP Set Request, the target device can be instructed to transfer its configuration to an external TFTP server or a compromised FTP server.
The exfiltrated files may contain internal address ranges, routing relationships, administrator accounts, VPN parameters, additional community strings and information on connected systems. Observed filenames such as “config.bkp” and “output.txt” constitute concrete indicators for log analysis and threat hunting.
No complete list of affected models is available. Exposure depends on the software version, device configuration, enabled services and external accessibility. Within Cisco environments, particular attention should be given to older Catalyst platforms supporting Smart Install and to devices outside the manufacturer’s support lifecycle. Current German home routers have not been identified as specific target models of the operation.
The operation is of elevated relevance to Germany. Explicitly identified target sectors include communications infrastructure, the defence industry, energy, finance, government institutions and healthcare. Additional technical reporting indicates activity against telecommunications companies, universities and manufacturing. Risks to logistics, transport and research arise from the structure of German infrastructure and should be assessed as a national risk inference.
Threat Actor Assessment
FSB Center 16 belongs to the technical and signals-intelligence component of the Russian security apparatus. Describing the FSB solely as a domestic intelligence service does not fully reflect the operational profile of this unit. Center 16 has a cross-border SIGINT and cyber mandate and targets strategically relevant communications and network infrastructure outside Russia.
Government and private-sector reporting use several partially overlapping designations, including Static Tundra, Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly and Ghost Blizzard. These labels derive from different collection methodologies and are not fully congruent. For the current operation, the official attribution to FSB Center 16 is decisive.
Center 16 must be distinguished organisationally and operationally from the cyber formations of Russia’s military intelligence service, the GRU. APT28, associated with Unit 26165, primarily conducts military and political cyberespionage, credential operations and account compromise. Sandworm, associated with Unit 74455, has a more destructive profile and is linked to sabotage, attacks on energy infrastructure and operations against industrial control systems.
Center 16 focuses on intelligence collection, network reconnaissance and durable access. This orientation does not exclude subsequent effects-based operations. Control over a router enables the modification of access rules, redirection of traffic and support for further intrusions. Reconnaissance and operational preparation therefore constitute technically interconnected phases.
Technical Operational Profile
Target acquisition is automated and internet-wide. Scanning activity identifies routers, switches and other network devices with exposed management services, outdated firmware, default credentials or known vulnerabilities. Following initial discovery, systems are prioritised according to operator, sector, network function and strategic value.
Network devices offer substantial operational value to intelligence services. They process central communications relationships, contain detailed configurations and often remain in service for extended periods. In many organisations, they are monitored less intensively than servers or endpoint systems.
SNMP as an Access and Control Channel
SNMPv1 and SNMPv2c use community strings as shared authentication mechanisms. Both versions lack modern cryptographic protection. Known default values and reused identifiers enable automated access attempts.
The community string “public” is conventionally used for read access. Depending on the device configuration, it permits queries for system information, interfaces, IP addresses and routing data. The default value “private” is traditionally associated with write privileges. Successful access through a write community allows the modification of device settings or the execution of administrative actions.
The central operational sequence begins with the identification of a valid community string. The operator then transmits an SNMP Set Request to a device-specific Object Identifier structure. This instructs the network device to copy its running or stored configuration to an external server.
The transfer takes place through TFTP or a compromised FTP server. The operators use both rented virtual servers and previously compromised systems as collection points. Filenames such as “config.bkp” and “output.txt” may indicate corresponding configuration exfiltration.
The configuration file provides a structured view of the target network. It may include local user accounts, encrypted or weakly protected passwords, SNMP strings, VPN configurations, access-control lists, IP address ranges and links to additional locations.
The flow can also be reversed. A compromised device can be instructed to retrieve a prepared configuration file from actor-controlled infrastructure and merge it into the existing configuration. This can create additional user accounts, alter community strings or enable new remote-access services.
Smart Install and CVE-2018-0171
Cisco Smart Install was designed for automated deployment and configuration of switches. The function operates by default over TCP port 4786 and does not include its own authentication mechanism. An active client function exposed to external networks therefore creates an immediately exploitable attack surface.
CVE-2018-0171 affects Cisco devices running a vulnerable version of IOS or IOS XE and operating as Smart Install clients. An unauthenticated attacker can send crafted messages to the Smart Install service. Successful exploitation can trigger a reboot, cause prolonged service disruption or enable arbitrary code execution. Cisco assigns the vulnerability a CVSS score of 9.8.
Affected systems are Smart Install client switches. Devices configured exclusively as Smart Install directors do not fall within the scope of this specific vulnerability. IOS XR and NX-OS are also outside the affected product range.
The vulnerability was patched in 2018. Its continuing operational relevance results from unpatched devices, long replacement cycles and platforms that have reached the end of manufacturer support. It therefore illustrates how known technical weaknesses combine with structural deficiencies in lifecycle management.
TFTP, FTP and Other Management Services
TFTP provides neither modern authentication nor encryption. In the documented attack chain, it is used to transfer configuration files from the target device to actor-controlled infrastructure. Compromised FTP servers may serve as alternative receiving systems.
Telnet transmits credentials and administrative commands in clear text. If the service is enabled through a manipulated configuration, it creates an additional remote-access channel. Comparable risks arise from unencrypted HTTP administration, weakly configured SSH access and shared administrator accounts.
Operational defence must therefore extend beyond remediation of a single vulnerability. The decisive factors are the overall device configuration, accessibility of management services and integration into central logging and monitoring systems.
Affected Devices and Model Series
The international advisory does not contain a definitive list of all exposed products. Technical review is required whenever routers, switches, firewalls, VPN gateways or wireless controllers use legacy management protocols, contain known vulnerabilities or expose management interfaces to the public internet.
Within Cisco environments, this particularly concerns Smart Install-capable variants of the Catalyst 2960, 2960-C, 2960-CX, 2960-L, 2960-P, 2960-S, 2960-SF, 2960-X, 2960-XR, 2975, 3560, 3560-C, 3560-CX, 3560-E, 3560-X, 3650, 3750, 3750-E, 3750-X, 3850 and 4500 series. Official Cisco documentation also identifies certain Catalyst 4900, 6500 and 6800 platforms, as well as Industrial Ethernet series, as Smart Install-capable systems or potential components of corresponding architectures.
Membership in a product family does not establish automatic vulnerability. The decisive factors are the deployed IOS or IOS XE version, Smart Install client status, external accessibility and current patch level.
Older Cisco Integrated Services Routers could be used as directors in Smart Install architectures. That role does not automatically fall within CVE-2018-0171. Other vulnerabilities, insecure protocols or configuration deficiencies remain independently relevant.
End-of-life systems require particular priority. The absence of manufacturer support prevents the sustainable remediation of newly discovered vulnerabilities. Access-control lists and additional network filters reduce exposure but do not replace corrected software or a binding hardware-replacement programme.
The advisory does not identify specific models from AVM, Deutsche Telekom, Vodafone, ASUS, TP-Link, Netgear, D-Link, Zyxel, MikroTik or Ubiquiti as part of the current Center 16 campaign. There is therefore no model-specific evidence that current FRITZ!Box, Speedport or Vodafone systems in standard home configurations form part of this operation.
SOHO and home routers remain generally exposed where firmware updates are absent, remote administration is enabled or manufacturer support has ended. Compromised devices can serve as proxy, relay or command-and-control infrastructure. This general threat must be distinguished from the specifically documented FSB operation.
Operational Effects
The exfiltration of a router or switch configuration can provide a comprehensive technical picture of the target network. Internal address ranges, routing rules, VPN links and local accounts enable the identification of further attack paths.
Following initial compromise, native device commands can be used to reconnoitre adjacent systems. This enables the identification of additional routers, switches, management servers and network segments without triggering broad internal scanning activity.
For durable access, operators can create additional user accounts, alter community strings and enable new remote-access services. Historical Static Tundra activity also includes the use of SYNful Knock, an implant for modified Cisco IOS images. Such access can survive reboots and may evade conventional endpoint-security products.
Further observed techniques include GRE tunnelling and the collection of NetFlow data. GRE tunnels enable the covert forwarding of selected network traffic. NetFlow provides metadata on communications relationships, data volumes and participating systems. Both techniques increase the intelligence value of a compromised network device.
The operation therefore pursues three interconnected objectives: acquisition of technical information, establishment of long-term access and provision of covert infrastructure for subsequent activity.
Target Sectors and Relevance to Germany
The international advisory identifies communications infrastructure, the defence industry, energy, finance, government institutions and healthcare as particularly relevant target sectors. Additional technical reporting indicates activity against telecommunications companies, universities and manufacturing.
For Germany, this creates elevated exposure for strategically relevant organisations. The Federal Republic is a major industrial and communications centre, a supporter of Ukraine and a central NATO logistics hub. Government institutions, energy suppliers, telecommunications operators, universities, manufacturing companies and defence-sector firms therefore constitute plausible target categories.
Logistics, transport and research should be included as national risk inferences. These sectors are closely connected to communications, energy and supply-chain infrastructure. They were not, however, identified in the international warning in the same form as confirmed priority sectors.
Exposure is increased by historically developed networks, long device lifecycles and outsourced administration. Undocumented management access, shared service-provider accounts and incomplete device inventories facilitate long-term persistence.
Germany and German security authorities are not listed among the signatories to the published advisory. This does not indicate lower national exposure. No authoritative public explanation for the absence of a German signature is available. Claims concerning internal approval procedures, legal mandates or inter-agency coordination would therefore remain speculative.
Overlap With Chinese Operational Methods
The use of compromised routers for strategic reconnaissance and durable access is not exclusive to Russian actors. Comparable methods are attributed to Chinese threat groups, including the cluster known as Salt Typhoon.
The overlap includes manipulation of router configurations, abuse of privileged access and collection of strategically relevant communications data. Individual technical methods therefore have limited attribution value.
The attribution to FSB Center 16 rests on the combined assessment of infrastructure, target selection, historical activity patterns, tools and government intelligence. Technical similarities with Chinese operations do not weaken the current attribution, but they underline the need for a broad and methodologically disciplined assessment.
Smartphones as an Additional Attack Surface
Smartphones are not identified as a primary vector in the current warning. They nevertheless form an additional attack surface when they store router credentials, VPN profiles or administrative session tokens.
A compromised mobile device can map internal networks and identify accessible management interfaces. The risk is particularly relevant for administrators and technical leadership whose devices combine privileged access to cloud, VPN and management systems.
Bring-your-own-device arrangements increase exposure when privately owned devices without central management connect to corporate wireless networks, cloud platforms or VPN systems. Mobile devices must therefore be incorporated into the wider security architecture, while remaining secondary to the documented router and switch campaign.
Defensive Measures
Defence begins with a complete and current device inventory. Manufacturer, model, serial number, software version, support status, function and management access must be documented for every router, switch, VPN gateway and wireless controller. Unrecorded devices require the highest review priority.
Management interfaces must be separated from the public internet. Administrative access should occur through dedicated management networks, controlled jump hosts or secured VPN connections. Access-control lists should restrict authorised source systems and reduce external exposure.
SNMPv1 and SNMPv2c should be replaced with SNMPv3 using authentication and encryption. Read-write community strings must be eliminated. Reuse of identical community strings across multiple devices or sites must be prevented because a single compromise would otherwise create a substantially wider area of effect.
Smart Install should be disabled unless an operational requirement exists. On supported Cisco systems, this is implemented, depending on platform and software version, using the command “no vstack.” TCP port 4786 must not be reachable from untrusted networks. Vulnerable systems require a corrected IOS or IOS XE release.
TFTP and Telnet should be disabled or limited to a tightly controlled administrative zone. Configuration and image transfers should use encrypted protocols. SSH access must be user-specific, logged and protected by strong authentication.
End-of-life devices require a binding replacement plan. Additional firewall controls can secure a transitional phase but do not constitute a permanent substitute for manufacturer updates.
Security monitoring must detect unusual SNMP Set Requests, configuration-copy operations, TFTP and FTP transfers, newly created local users, altered community strings and changes to access-control lists. Filenames such as “config.bkp” and “output.txt” should be included as potential indicators in log analysis. Their presence alone does not prove compromise but justifies technical examination of the transfer context.
Further indicators include newly exposed management ports, unexpected GRE tunnels, unusual NetFlow configurations and gaps in Syslog or AAA records. Regular automated comparison between approved baseline configurations and actual device states enables early detection of concealed modifications.
Privileged smartphones require central device management, current operating-system versions and separation between user and management networks. Routers and firewalls should not be administered from private or unmanaged mobile devices.
Response to Confirmed Compromise
Changing the administrator password alone is insufficient when a network device has been compromised. Additional accounts, altered SNMP strings, manipulated configurations and modified firmware may persist.
The affected system must be isolated and preserved for forensic examination. Before restoration, configurations, logs, active connections and available memory information must be captured.
The operating system, bootloader and firmware must be reinstalled from a verified manufacturer source. Depending on the nature and depth of compromise, Cisco devices may require reinstallation of IOS or IOS XE and ROMMON.
All credentials, keys and certificates stored on the device must be treated as potentially compromised. Replacement must also cover connected VPN systems, central authentication services and external service-provider access.
The investigation must extend to neighbouring network devices and management systems. Exfiltration of a configuration file may have exposed additional credentials even where no direct lateral movement can be demonstrated.
Overall Assessment
The operation does not rely on a fundamentally new attack method. Its effectiveness results from the combination of known vulnerabilities, inadequate lifecycle management and weak monitoring of network devices.
The threat probability is high for critical infrastructure operators and strategically relevant organisations. The greatest exposure exists where end-of-life systems, SNMPv1 or SNMPv2c, Smart Install and publicly accessible management services remain in use.
The immediate objective is the acquisition of configurations and the establishment of durable access. These footholds provide a credible basis for espionage, traffic monitoring and further cyber operations.
Effective defence requires routers, switches and firewalls to be treated as critical server-class systems. Complete asset inventory, binding patch management, network segmentation, central logging and controlled administrative access constitute the minimum required standard.
Glossary
AAA
A framework for authenticating users, authorising access and accounting for administrative activity.
ACL
An access-control list used to permit or block defined network connections.
APT28
A Russian cyber actor associated with GRU Unit 26165 and focused on military and political cyberespionage.
Center 16
A technical and signals-intelligence unit of the FSB with a cross-border cyber and SIGINT mandate.
Command and Control
Infrastructure used to manage compromised systems and transmit commands or collected data.
Community String
A shared authentication value used by older versions of SNMP.
CVE
An internationally standardised identifier for a publicly documented security vulnerability.
CVSS
A scoring system used to assess the technical severity of a vulnerability.
Edge Device
A network component positioned at the boundary between internal and external networks.
End of Life
The point at which a product is no longer supported by its manufacturer.
FTP
A file-transfer protocol that, in its traditional form, does not encrypt credentials or transferred content.
GRE Tunnel
An encapsulation method used to transport network traffic between separate endpoints.
IOS
A Cisco operating system used on various router and switch platforms.
IOS XE
A modular Cisco network operating system.
IOS XR
A Cisco operating system designed for carrier-grade and high-performance routers.
Jump Host
A controlled administrative system used to access protected management networks.
Critical Infrastructure
Infrastructure whose failure would significantly affect the state, economy or population.
NetFlow
A method for collecting metadata about network communications.
NX-OS
A Cisco operating system used on Nexus and data-centre platforms.
Object Identifier
A numerical identifier for an SNMP-managed object or device function.
Pre-Positioning
The establishment of technical access before possible later operational use.
ROMMON
Cisco’s boot monitor used for device startup, diagnostics and recovery.
Salt Typhoon
A designation for a China-linked cyber cluster focused on telecommunications and network access.
Smart Install
A Cisco function used for automated deployment and configuration of network devices.
SNMP
A protocol used to monitor and manage network devices.
SNMP Set Request
An SNMP request used to modify a value or trigger a device function.
SNMPv1 and SNMPv2c
Legacy SNMP versions without modern cryptographic protection.
SNMPv3
An SNMP version supporting authentication, integrity protection and encryption.
SOHO Router
A router designed for home users and small businesses.
SYNful Knock
A historical implant used in modified Cisco IOS images.
TFTP
A basic file-transfer protocol without modern authentication or encryption.
Threat Hunting
The proactive search for technical signs of an existing or ongoing compromise.
VPN Gateway
A network component used to establish and control encrypted connections.
References
Cybersecurity and Infrastructure Security Agency
Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, AA26-194A
13 July 2026
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a
UK National Cyber Security Centre
UK and Allies Urge Critical Sectors to Improve Defences Against Russian Intelligence Targeting
13 July 2026
https://www.ncsc.gov.uk/news/uk-and-allies-urge-critical-sectors-to-improve-defences-against-russian-intelligence-targeting
Cisco
Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability, CVE-2018-0171
28 March 2018, last updated 20 August 2025
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-smi2.html
Cisco
Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature
9 April 2018
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180409-smi.html
Cisco
Smart Install Configuration Guide – Supported Devices
29 June 2014 https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/supported_devices.html
Cisco Talos
Russian State-Sponsored Espionage Group Static Tundra Compromises Unpatched End-of-Life Network Devices
20 August 2025
https://blog.talosintelligence.com/static-tundra/
Cybersecurity and Infrastructure Security Agency
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System, AA25-239A
27 August 2025, revised 3 September 2025
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
