Russian FSB Center 16 router intrusion campaign
Campaign
Summary
Hide ▲
Show ▼
A Russian FSB Center 16 campaign is targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks, raising the risk of device takeover and configuration theft. The operation uses SNMP scans, spoofed-source commands, and TFTP exfiltration to copy router configuration files and move them to actor-controlled servers. The activity is broad enough to affect energy, communications, healthcare, financial services, defense, and government targets.
Related Happenings
NSA/FBI/CISA router hardening advisory
Advisory/Mitigation
H score33
First: 13.07.2026 12:32
Last: 13.07.2026 12:32
Sources 1
How related:
The authoring cybersecurity also provided mitigation measures to help network defenders harden their networks against these attacks, urging them to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, block TFTP and SNMP traffic at edge firewalls, update software and firmware, and replace end-of-life devices.
About this happening:
**NSA, FBI, CISA** and 15 allied agencies issued a **joint router hardening advisory** after hackers targeted **vulnerable and poorly configured routers** in **critical infrastruc...
NSA/FBI/CISA router hardening advisory
Advisory/MitigationHow related: The authoring cybersecurity also provided mitigation measures to help network defenders harden their networks against these attacks, urging them to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, block TFTP and SNMP traffic at edge firewalls, update software and firmware, and replace end-of-life devices.
About this happening: **NSA, FBI, CISA** and 15 allied agencies issued a **joint router hardening advisory** after hackers targeted **vulnerable and poorly configured routers** in **critical infrastruc...
Foreign-run botnets relaying traffic through infected Canadian devices
Malware Activity
H score22
First: 22.06.2026 12:11
Last: 22.06.2026 12:11
Sources 1
About this happening:
The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
Foreign-run botnets relaying traffic through infected Canadian devices
Malware ActivityAbout this happening: The public ruling confirms **two foreign-run botnets** used **infected Canadian devices** as traffic relays, a setup that can conceal probing of **critical infrastructure, governm...
AryStinger legacy-router reconnaissance and proxy network
Malware Activity
H score61
First: 22.06.2026 09:57
Last: 22.06.2026 09:57
Sources 1
About this happening:
The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
AryStinger legacy-router reconnaissance and proxy network
Malware ActivityAbout this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...
Earth Lusca Operation FishMedley espionage campaign
Campaign
H score38
First: 16.06.2026 12:44
Last: 16.06.2026 12:44
Sources 1
About this happening:
A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
Earth Lusca Operation FishMedley espionage campaign
CampaignAbout this happening: A **multi-country espionage campaign** tied to **Earth Lusca / FishMonger** is now linked to **Operation FishMedley**, a **January–October 2022** effort that reached **seven organ...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Timeline
-
13.07.2026 12:32 2 articles · 2h ago
Russian FSB Center 16 targets routers with SNMP scans and TFTP exfiltration
Initial DisclosureNSA, FBI, CISA, and 15 other agencies from allied countries warned that Russian Federal Security Service (FSB) Center 16, tracked as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, is scanning internet-connected routers that accept default or common SNMP strings, issuing spoofed-IP commands to copy device configuration files, and exfiltrating them via TFTP to actor-controlled servers. The advisory said the activity threatens critical infrastructure networks and urged defenders to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, block TFTP and SNMP at edge firewalls, update software and firmware, and replace end-of-life devices.
Show sources
- US and allies warn of Russian critical infrastructure attacks — www.bleepingcomputer.com — 13.07.2026 12:32
- US and allies warn of Russian critical infrastructure attacks — www.bleepingcomputer.com — 13.07.2026 12:32