The National Security Agency (NSA) has issued a joint cybersecurity advisory with the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and 20 allied security partners, warning that Russian government-aligned hackers continue targeting internet routers to compromise business networks and critical infrastructure.
Cyber actors linked to Russia’s Federal Security Service (FSB) have exploited vulnerabilities in poorly configured networking devices to infiltrate networks serving sectors including financial services, energy, healthcare, government, communications, and defense industrial bases. These networks represent critical nodes in the U.S. economic infrastructure.
The advisory emphasizes that attackers employ strategic patience, scanning the internet for outdated or misconfigured routers before extracting configuration files containing administrator credentials, network diagrams, and system access data. Compromised routers allow undetectable reconnaissance, paving the way for subsequent intrusions.
“Poor router hygiene” – including unpatched firmware, default passwords, and enabled remote management interfaces – facilitates initial breaches. Threat actors persistently exploit these basic vulnerabilities despite known mitigation strategies.
Cybersecurity experts have tracked the actors under historical monikers like “Dragonfly,” “Energetic Bear,” and “Ghost Blizzard,” though intelligence classifications vary across security firms. The current campaign builds upon an FBI report documenting Russian network operations targeting infrastructure for over a decade.
Mitigation strategies outlined include: applying firmware updates to patch critical vulnerabilities, implementing multi-factor authentication for administrative access, disabling unused network services, and modernizing outdated security configurations. These measures align with previous FBI advisories and offer cross-sector applicability against multiple threat actors.
The threat’s global reach has prompted coordinated international responses. Participating agencies include security organizations from the United Kingdom, Canada, Australia, New Zealand, and multiple European nations, highlighting the transnational nature of this espionage-driven cyber campaign targeting interconnected network infrastructure.
Joint Technical Alert Resources
Global Cybersecurity Collaboration Framework
Securing Industrial Control Systems Against Network-Side Attacks


