Skip to main content

Russian State-Sponsored Actors Are Still Getting In Through Bad Router Hygiene: Here's What to Check

  • July 14, 2026
  • 0 replies
  • 19 views

chrisnaish
Employee
Forum|alt.badge.img

Some cyberattacks need a zero-day to make headlines. This one didn't. For years, Russian intelligence has simply walked through open doors: default SNMP community strings left unchanged, Cisco's Smart Install left switched on, routers nobody got around to patching. On July 9, 2026, that activity was significant enough to bring eighteen agencies together on a single warning. NSA, CISA, FBI, and DC3 in the United States joined fourteen international partners, including the UK's NCSC, Australia's ACSC, and Canada's Cyber Centre, to co-sign a joint advisory: AA26-194A, "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting." When that many agencies put their names on one document, it's worth reading closely. 

Russian FSB Center 16 actors (tracked in the industry as Berserk Bear, Energetic Bear, Dragonfly, and Static Tundra, among other names) have been opportunistically compromising routers and switches worldwide for over a decade, and they're still finding plenty of them, not through sophisticated exploits but through basic misconfigurations that most organizations assume they've already cleaned up.

 

What's Happening

The advisory builds on last year's FBI PSA on the same activity, adding fresh TTPs. FSB actors scan the internet for devices running SNMP agents that still accept default or common community strings. Using spoofed source IPs and proxy infrastructure to obscure their origin, they send SNMP Set-Requests carrying Object Identifiers (OIDs) that instruct the device to copy its own running configuration to a file (often named something forgettable like config.bkp) and ship it off via TFTP to an actor-controlled server.

No malware drop, no privilege escalation chain. If SNMPv1 or v2 is exposed with a guessable community string, the device essentially mails its own configuration, including any weakly hashed local credentials, straight to the attacker.

When SNMP scanning doesn't pan out, the actors fall back on a short list of known Cisco vulnerabilities and Cisco's Smart Install feature, which has no legitimate use case in modern production networks and has been flagged as a liability since 2017.

 

Who's Being Targeted

The advisory names six critical infrastructure sectors as most at risk: Communications, Defense Industrial Base, Energy, Financial Services, Government Services and Facilities (with specific emphasis on state and local government), and Healthcare and Public Health. But the underlying exposure, internet-reachable management protocols on edge and core network gear, isn't sector-specific. Any organization running Cisco or similar infrastructure with SNMP, TFTP, or Smart Install reachable from outside the network is a candidate.

 

What the Advisory Asks Defenders to Do

Stripped down, the mitigation list is a router hygiene checklist:

  • Disable Cisco Smart Install everywhere. There's no good reason to leave it on.
  • Move to SNMPv3 with authPriv, and disable SNMPv1/v2. If legacy SNMP absolutely must stay on, change every community string off the defaults and restrict to read-only.
  • Use strong, unique local credentials, stored with modern hashing (Cisco type 8, and not types 0, 4, 5, or 7), and centralize authentication with MFA where possible; local accounts should be the exception, not the rule. 

    While the identification of "secret 5" may be surprising to some, it's important to bear in mind that type 5 hashes can be broken with a dictionary attack and/or brute forcing. Because of this, secret 8 hash types are best and should be used as much as possible (at this time, type 9 hashes are not yet NIST-approved for use).

  • Allowlist SNMP OIDs via MIB restrictions and watch for Set-Requests targeting sensitive OIDs like the Cisco Config Copy OID (1.3.6.1.4.1.9.9.96.1.1).
  • Restrict management protocols with ACLs, ideally over an out-of-band network, and block inbound/outbound TFTP (UDP/69), SMI (TCP/4786), SNMP (UDP/161, 162), and SNMPv3 (TCP/UDP 10161, 10162) at the edge unless there's a documented business need.
  • Patch and retire end-of-life gear, and use attack surface management to keep tabs on what's actually internet-facing.

None of this is exotic. It's the same guidance NSA has been publishing since 2023's Network Infrastructure Security Guide. The gap isn't awareness. It's verification. Most network teams believe their management plane is locked down. Far fewer can prove it across every device, every ACL, and every path.

 

How Forward Enterprise Can Help

This advisory is really a network-visibility problem wearing a threat-intelligence hat. Every mitigation on that list boils down to a question about actual, current device state and actual, current reachability: exactly what Forward Enterprise's digital twin is built to answer.

 

1. Find every device where legacy SNMP or Smart Install is still live

Rather than trusting a spreadsheet of "devices that should be hardened," Forward's Network Query Engine (NQE) can inspect the actual running configuration of every device in your network model and flag which ones still have SNMPv1/v2 enabled, which still have Smart Install turned on, and which are using weak local password hashing types. Queries like these give you a fleet-wide list in seconds instead of a device-by-device audit:

 

Smart Install

/**
* @intent Find any Cisco IOS/IOS-XE devices that do not have Smart Install disabled.
* @description This should NOT be enabled for security reasons. Cisco has had this setting disabled by default since 2016.
*/

foreach device in network.devices
where device.platform.os in [OS.IOS, OS.IOS_XE]
let vstackLines = (foreach match in patternMatches(device.files.config, `vstack`)
select match.line.text)
let noVstackLines = (foreach match in patternMatches(device.files.config, `no vstack`)
select match.line.text)
let smartInstallLines = vstackLines - noVstackLines
where length(smartInstallLines) > 0
select {
Device: device.name,
OS: device.platform.os,
"OS Version": device.platform.osVersion,
"Smart Install Config Lines": smartInstallLines
}

  

SNMP

/**
* @intent Find any Cisco IOS/IOS-XE devices that have non-v3 SNMP enabled.
* @description If SNMP use is required, SNMPv3 should always be used for security reasons. This query checks for the presence of SNMP community strings, which are not used in v3.
*/

foreach device in network.devices
where device.platform.os in [OS.IOS, OS.IOS_XE]
let snmpCommunityMatches = patternMatches(device.files.config, `snmp-server community {rest:(string*)}`)
where length(snmpCommunityMatches) > 0
select {
Device: device.name,
OS: device.platform.os,
"OS Version": device.platform.osVersion,
"SNMP Community Lines": (foreach match in snmpCommunityMatches
select match.line.text)
}

 

2. Run a reachability check from the internet to your management protocols

Knowing a protocol is enabled is only half the picture. The advisory's real concern is exposure. Forward's blast radius and path search capabilities let you start from "the internet" as a source and trace every real path, hop by hop, to the ports this advisory calls out: UDP/69 (TFTP), TCP/4786 (SMI), UDP/161-162 (SNMP), and TCP/UDP 10161-10162 (SNMPv3). This is computed against your actual routing tables, ACLs, and firewall rules, not against what the network diagram claims, so you get a definitive answer on whether any of those ports are reachable from outside, and exactly which device and rule allows it if they are.

 

3. Verify management-plane ACLs are actually enforced, continuously

Writing an ACL restricting SNMP to a management subnet is one thing; proving it's live, correctly scoped, and hasn't been quietly bypassed by a routing change six months later is another. Forward Enterprise lets you turn the mitigations in this advisory into standing compliance checks, for example, "no device should accept inbound SNMP from outside the management VLAN," that re-evaluate automatically with an Intent Check every time the network state changes, so drift gets caught before an FSB scanner finds it.

 

4. Hunt for weak password hashing

Using NQE against device configurations, you can search for local accounts on Cisco IOS and IOS-XE devices that are using insecure or less secure Cisco password hash types (types 0, 4, 5, or 7) instead of type 8. This turns a manual credential audit into a repeatable query you can run before and after a remediation push to confirm it actually took.

 

Weak Password Hashing

/**
* @intent Identify any local accounts on Cisco IOS/IOS-XE devices using weaker password hash algorithms (0,4,5,7) instead of Type 8.
* @description Type 8 password hashes should be used on all Cisco IOS/IOS-XE local accounts.
*/

insecurePasswordTypes = [0, 4, 5, 7];

pattern = ```
username {user:string} {(!("password" | "secret") string)*} {"password" | "secret"} {pwdType:number} {string*}
```;

foreach device in network.devices
where device.platform.os in [OS.IOS, OS.IOS_XE]
where isPresent(device.files.config)
foreach match in blockMatches(device.files.config, pattern)
where match.data.pwdType in insecurePasswordTypes
select {
Device: device.name,
OS: device.platform.os,
"OS Version": device.platform.osVersion,
Username: match.data.user,
"Password Type": match.data.pwdType,
"Config Line": match.blocks
}

 

5. Track remediation and prove closure

Once Smart Install is disabled, SNMPv3 is rolled out, and ACLs are tightened, Forward gives you the same digital twin to confirm the exposure is gone, and to set a persistent check that alerts you if a future config change reopens the path.

 

My Take

What stands out about AA26-194A is how little of it is new. FSB Center 16 has been running this same SNMP-scanning playbook for over a decade, and the fixes have been publicly documented for years. The reason it still works isn't that the guidance is unclear. It's that most organizations can't easily answer "is SNMPv1 exposed anywhere on our edge right now?" across a fleet of hundreds or thousands of devices without a lot of manual digging.

That's the gap Forward Enterprise is built to close: turning "we think we hardened our routers" into "we can show you exactly which devices are hardened, which aren't, and which paths from the internet are open right now." If you're working through your response to this advisory and want to talk through how Forward can help you find legacy SNMP, verify Smart Install is off, or validate that your management-plane ACLs actually hold up, feel free to reach out.