Back to Blog
    router-security
    cybersecurity
    network-security

    Russian State-Sponsored Hackers Are Targeting Routers: What Businesses Should Do Now

    Dustin CollettJuly 13, 2026

    Your router and firewall sit at the edge of your business network. They are supposed to keep unwanted traffic out, but a poorly configured or outdated device can become the very doorway an attacker uses to get in.

    A new joint cybersecurity advisory from the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and international partners warns that Russian Federal Security Service (FSB) Center 16 actors continue to target vulnerable and poorly configured networking devices worldwide.

    The good news is that the recommended defenses are practical. Most come down to basic router hygiene: secure management protocols, strong credentials, current firmware, and tighter control over what can reach the device.

    Why Routers Are an Attractive Target

    Routers, firewalls, and switches are high-value targets because they sit in a trusted position inside the network. If an attacker compromises one, they may be able to observe traffic, steal configuration files, collect credentials, create a foothold, or use the device as a stepping stone toward other systems.

    Unlike a typical workstation, network appliances may receive less routine attention. They often stay in service for years, use local administrator accounts, and run management services that were enabled long ago and never reviewed.

    The advisory specifically identifies organizations in communications, defense, energy, financial services, government, and healthcare as being at elevated risk. However, the same weaknesses exist in ordinary small and midsize businesses. An attacker scanning the internet does not need to know your company name. They only need to find a device that responds.

    How the Attack Works

    The activity described in the advisory is largely opportunistic. The attackers scan internet address ranges looking for routers and other networking devices that expose Simple Network Management Protocol (SNMP) services.

    SNMP is commonly used to monitor network equipment. Older versions—SNMPv1 and SNMPv2—rely on shared passwords called community strings. Default or commonly used community strings can give an attacker access when the service is exposed or poorly restricted.

    The reported attack path is straightforward:

    1. The actor scans for devices that respond to SNMP.
    2. The actor attempts access using default or common community strings.
    3. A malicious SNMP request instructs the device to copy its configuration.
    4. The configuration file is transferred to infrastructure controlled by the attacker, often through Trivial File Transfer Protocol (TFTP).
    5. The attacker reviews the configuration for credentials, network details, and additional opportunities.

    The advisory also notes the use of known Cisco vulnerabilities and misuse of Cisco Smart Install. Two vulnerabilities specifically referenced are CVE-2018-0171 and CVE-2008-4128.

    This is not limited to one threat group. The same weaknesses can be used by criminal groups, other nation-state actors, and automated botnets.

    1. Replace Legacy SNMP With SNMPv3

    Organizations should disable SNMPv1 and SNMPv2 wherever possible and use SNMPv3 with authentication and encryption.

    SNMPv3 improves security by supporting:

    • Strong authentication
    • Encrypted management traffic
    • Individual user credentials instead of shared community strings
    • Better control over what each account can access

    Where an older device or monitoring platform still requires SNMPv1 or SNMPv2, treat that as a temporary exception. Change all default community strings, permit read-only access, and restrict the service so it can only be reached from authorized management systems.

    SNMP should generally not be reachable directly from the public internet.

    2. Restrict Management Access

    A router's management interface should only be available from trusted administrative systems or a dedicated management network.

    Use firewall rules and Access Control Lists (ACLs) to limit management protocols by source address. Remote administration should occur through a secure virtual private network (VPN), privileged access workstation, or other controlled path rather than an unrestricted public management portal.

    The advisory recommends blocking external access to the following ports unless there is a documented business need:

    • UDP 69 for TFTP
    • TCP 4786 for Cisco Smart Install
    • UDP 161 and 162 for SNMP
    • TCP/UDP 10161 and 10162 for SNMPv3

    Blocking these ports does not replace proper device configuration, but it reduces the number of systems that can reach the exposed service.

    3. Disable Cisco Smart Install

    Cisco Smart Install was designed to simplify initial switch deployment, but it can create serious risk when left enabled.

    Organizations using Cisco equipment should verify whether Smart Install is active and disable it after initial provisioning. The NSA has published separate guidance on Cisco Smart Install protocol misuse.

    This is also a good reminder to review other convenience features on routers and switches. Services enabled during installation should not remain active unless they are still required.

    4. Strengthen Router Credentials

    Network device credentials deserve the same protection as domain administrator or cloud administrator accounts.

    At a minimum:

    • Use long, unique passwords for every device.
    • Do not reuse router credentials across clients, offices, or locations.
    • Store credentials in an approved password manager.
    • Use centralized authentication when supported.
    • Require Multi-Factor Authentication (MFA) for administrative access where feasible.
    • Monitor for logins using local emergency accounts.

    For Cisco devices, the advisory recommends using Type 8 password hashing for user credentials and avoiding Types 0, 4, and 7 because they are insecure or may expose passwords in recoverable form. The NSA provides additional detail in its Cisco password types best practices.

    5. Patch Firmware and Replace End-of-Life Devices

    A secure configuration cannot compensate for unsupported firmware indefinitely.

    Every business should maintain an inventory of routers, firewalls, switches, wireless controllers, and other network appliances. That inventory should include:

    • Manufacturer and model
    • Current firmware version
    • Support status
    • Management address
    • Internet exposure
    • Responsible administrator
    • Last configuration review
    • Last successful backup

    Apply security updates promptly, especially when a vulnerability affects an internet-facing device. Equipment that no longer receives vendor updates should be scheduled for replacement.

    End-of-life devices are not merely old hardware. They are devices with known weaknesses that may never be corrected.

    6. Monitor for Signs of Abuse

    Hardening is the first priority, but monitoring can reveal attempted or successful exploitation.

    Network defenders should watch for:

    • Unexpected SNMP Set-Requests
    • Configuration export activity
    • TFTP or FTP transfers involving network devices
    • New or oddly named local administrator accounts
    • Logins from unusual source addresses
    • Changes to ACLs, routes, DNS settings, or management services
    • Configuration files named config.bkp, output.txt, or similar
    • Outbound connections from routers to unfamiliar external servers

    Logging should be sent to a centralized Security Information and Event Management (SIEM) platform or monitoring service. Logs stored only on the device may be lost or altered during an incident.

    CISA also offers no-cost Cyber Hygiene services for eligible U.S. organizations, including vulnerability scanning of internet-facing systems.

    A Practical Router Security Checklist

    Business owners and IT teams can use this short checklist to begin reducing exposure:

    • Confirm no router or switch uses default credentials.
    • Disable internet-facing administration wherever possible.
    • Disable SNMPv1 and SNMPv2.
    • Configure SNMPv3 with authentication and encryption.
    • Restrict management access with ACLs.
    • Disable Cisco Smart Install.
    • Block unnecessary TFTP, SNMP, and Smart Install traffic at the edge.
    • Update firmware and document the current version.
    • Replace unsupported network equipment.
    • Back up device configurations securely.
    • Send device logs to centralized monitoring.
    • Review local accounts and remove anything unexpected.

    These controls are not specific to Russian state-sponsored activity. They reduce risk from a broad range of attackers using the same techniques.

    Make Router Security Part of Routine IT Management

    The central lesson is simple: routers and firewalls cannot be treated as appliances that are installed once and forgotten.

    They require the same lifecycle management as servers and workstations—secure configuration, patching, credential control, monitoring, and eventual replacement. A brief review today may identify an exposed management service or obsolete device before an attacker does.

    Collett Systems helps Wisconsin businesses assess, secure, and monitor the network infrastructure that keeps their operations running. To schedule a network security review, contact our team or learn more about our managed IT and cybersecurity services.