The Federal Bureau of Investigation (FBI) has issued a warning about Russian cyber actors targeting networking devices and critical infrastructure in the United States and globally.
Why it matters: These cyber threats pose significant risks to the security and stability of critical infrastructure sectors, potentially disrupting essential services and causing economic and societal impact.
The details:
- Russian FSB cyber actors, known as “Berserk Bear” and “Dragonfly,” have been exploiting vulnerabilities in networking devices, particularly targeting the Simple Network Management Protocol (SNMP) and older, unpatched devices.
- The actors are leveraging a specific vulnerability (CVE-2018-0171) in Cisco Smart Install to compromise thousands of networking devices associated with critical infrastructure sectors.
- The cyber actors collect configuration files from these devices and modify them to enable unauthorized access, which is then used to conduct reconnaissance within victim networks.
- Their interest includes protocols and applications associated with industrial control systems.
The FSB Center 16 unit has been active for over a decade and is notorious for compromising networking devices that use legacy, unencrypted protocols and for deploying custom tools like the “SYNful Knock” malware.
Previous alerts and guidance:
- The FBI and law enforcement partners have previously released relevant guidance in the Technical Alert (April 20, 2018) and Joint Advisory (May 6, 2025).
- On August 20, 2025, Cisco Talos also published an analysis identifying this threat actor as “Static Tundra.”
Recommended actions: If you suspect you have been targeted or compromised by this Russian FSB cyber intrusion:
- Evaluate your router and other networking devices for any configuration changes or malware.
- Report any suspicious activity to the appropriate authorities.
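One way to carry out the first action, as an added example that is not part of the FBI alert: a Python check that compares a device's current configuration against a known-good baseline and flags Smart Install not being disabled, SNMP v1/v2c community strings, and Telnet on management lines. The sample configurations and the pattern lists are constructed for illustration and assume Cisco IOS syntax on a device that supports Smart Install.

```python
import re

# Constructed sample configs for illustration (not from any real device).
BASELINE = """\
hostname edge-sw1
no vstack
snmp-server group ADMINS v3 priv
line vty 0 4
 transport input ssh
"""
CURRENT = """\
hostname edge-sw1
snmp-server community public RO
username svc-backup privilege 15 secret 5 $1$constructed
line vty 0 4
 transport input telnet ssh
"""

# Settings that expose the legacy, unencrypted access paths the alert names.
RISKY = {
    "snmp-v1v2c-community": re.compile(r"^snmp-server community\s"),
    "telnet-allowed": re.compile(r"^transport input\b.*\b(telnet|all)\b"),
}
# Lines that govern who can reach or manage the device (assumed, not exhaustive).
ACCESS = re.compile(r"^(username|snmp-server|tftp-server|access-list|"
                    r"ip access-list|aaa|enable secret|transport input|no vstack)\b")

def config_lines(cfg):
    """Return the set of non-empty, non-comment lines with indentation removed."""
    stripped = (line.strip() for line in cfg.splitlines())
    return {line for line in stripped if line and not line.startswith("!")}

def audit(baseline, current):
    """Flag risky settings in `current` and access-related drift from `baseline`."""
    base, cur = config_lines(baseline), config_lines(current)
    risky = [(name, line) for line in sorted(cur)
             for name, rx in RISKY.items() if rx.search(line)]
    # Smart Install is on by default where supported; only "no vstack" disables it.
    if "no vstack" not in cur:
        risky.append(("smart-install-not-disabled", "'no vstack' is absent"))
    added = sorted(line for line in cur - base if ACCESS.search(line))
    removed = sorted(line for line in base - cur if ACCESS.search(line))
    return {"risky": risky, "added": added, "removed": removed}

if __name__ == "__main__":
    for section, items in audit(BASELINE, CURRENT).items():
        print(section, items)
```

Any entry under "added" or "removed" that does not match an approved change is a lead for the review described above; the baseline should come from a copy stored off the device.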
Staying vigilant and promptly addressing any signs of compromise can help mitigate the risks posed by these advanced cyber threats.
