FSB Center 16 Exploits Poorly Configured Routers in Critical Infrastructure
A joint cybersecurity advisory from multiple international agencies warns of ongoing exploitation by the Russian Federal Security Service (FSB) Center 16. These state-sponsored cyber actors are targeting poorly configured networking devices, particularly routers, across critical infrastructure sectors globally. The advisory details tactics, techniques, and procedures (TTPs) and urges immediate mitigation actions.
# Russian FSB Center 16 Targets Vulnerable Routers in Critical Sectors
**Washington D.C.** β A coalition of international cybersecurity agencies has issued a stark warning regarding persistent cyber activity by the **Russian Federal Security Service (FSB) Center 16**. These government-sponsored actors are leveraging poorly configured and vulnerable networking devices to compromise critical infrastructure networks worldwide.
This joint Cybersecurity Advisory (CSA) builds upon a previous **FBI** Public Service Announcement, providing enhanced details on the tactics, techniques, and procedures (TTPs) employed by **FSB Center 16** to aid defenders in countering the threat.
## A Unified Front Against State-Sponsored Hacking
The CSA is a collaborative effort by a broad consortium of cybersecurity and intelligence agencies, underscoring the international concern over this activity. Participating agencies include:
* **United States National Security Agency (NSA)**
* **United States Cybersecurity and Infrastructure Security Agency (CISA)**
* **United States Federal Bureau of Investigation (FBI)**
* **United States Department of Defense Cyber Crime Center (DC3)**
* **Australian Signals Directorateβs Australian Cyber Security Centre (ASDβs ACSC)**
* **Communications Security Establishment Canadaβs (CSEβs) Canadian Centre for Cyber Security (Cyber Centre)**
* **New Zealand National Cyber Security Centre (NCSC-NZ)**
* **United Kingdom National Cyber Security Centre (NCSC-UK)**
* **Czech Republic National Cyber and Information Security Agency (NΓKIB)**
* **Danish Defence Intelligence Service (DDIS)**
* **Estonian Foreign Intelligence Service (EFIS)**
* **Estonian Information System Authority (RIA)**
* **Finnish Defence Intelligence (FDI)**
* **Finnish Security and Intelligence Service (SUPO)**
* **French National Cybersecurity Agency (ANSSI)**
* **Italian External Intelligence and Security Agency (AISE)**
* **Italian Internal Intelligence and Security Agency (AISI)**
* **The Military Counterintelligence Service of Poland (SKW)**
* **Sweden National Cyber Security Centre (NCSC-SE)**
These agencies collectively urge network owners and defenders to implement immediate mitigation and remediation measures against the exploitation of vulnerable routers by Russian government-sponsored entities.

*Figure 1: FSB Center 16 activity and recommended mitigation actions*
## Industry Tracking and Threat Group Aliases
Within the cybersecurity industry, various threat group names are associated with activity overlapping with **FSB Center 16**. Notable aliases include:
* **Berserk Bear**
* **Energetic Bear**
* **Crouching Yeti**
* **Dragonfly**
* **Ghost Blizzard**
* **Static Tundra**
It's important to note that tracking methods and attribution can vary across cybersecurity companies, meaning these names may not always have a direct one-to-one correlation with the authoring agencies' understanding of all related activities.
## Critical Infrastructure at Risk
The **FSB Center 16** cyber actors are primarily targeting critical infrastructure sectors, including:
* Communications
* Defense Industrial Base
* Energy
* Financial Services
* Government Services and Facilities (especially state and local levels)
* Healthcare and Public Health
## Technical Details of Exploitation
The primary method of exploitation involves scanning for poorly configured networking devices, particularly routers. The actors specifically look for **Simple Network Management Protocol (SNMP)** agents with active **SNMPv1** or **SNMPv2c** agents that accept common or default community strings for authentication. These scans are often run via proxies using spoofed IP addresses.
Once identified, **FSB Center 16** sends **SNMP Set-Requests** with specific **Object Identifiers (OIDs)**. These OIDs instruct the vulnerable **SNMP** agent to:
* Copy its configuration to a file (e.g., "config.bkp" or "output.txt").
* Transfer this configuration file, typically via **Trivial File Transfer Protocol (TFTP)**, to an actor-controlled virtual private server (VPS) or compromised **FTP** server.
While **SNMP** scanning is prevalent, the actors also exploit known vulnerabilities in **Cisco** devices, including **Ciscoβs Smart Install (SMI)** functionality, and web portals used for network device management. Previously exploited vulnerabilities include:
* **CVE-2018-0171**
* **CVE-2008-4128**
These TTPs can overlap with those of other malicious actors, such as **Salt Typhoon**. The recommended mitigations are designed to counter these and similar TTPs, regardless of the specific threat actor.
## Essential Mitigation Actions
The authoring agencies strongly recommend that network defenders implement the following measures to harden networks against this exploitation:
* **Disable Cisco Smart Install:** Ensure **Cisco Smart Install** is disabled on all devices.
* **Upgrade to SNMPv3:** Transition from **SNMPv1** or **SNMPv2** to **SNMPv3** with "authPriv" configured to the strongest encryption standard supported by the device. If **SNMPv1** or **SNMPv2** remain necessary, change all default community strings and restrict access to read-only.
* **Strong, Unique Passwords:** Implement strong, unique passwords for local accounts on all network devices and ensure credentials are stored securely to prevent reuse of compromised passwords.
Implementing these mitigations is crucial for protecting critical infrastructure from the persistent threat posed by **FSB Center 16** and other sophisticated cyber adversaries.