CISA warns: Russian FSB hackers targeting home and office routers
Original: The US government warns that Russia state hackers are coming after your router
Why This Matters
State-sponsored router botnets pose an escalating, hard-to-counter threat to global critical infrastructure security.
CISA and allied governments issued a joint advisory on July 13, 2026, warning that Russia's FSB Center 16 hackers are mass-compromising home and small office routers worldwide to build residential proxy botnets for attacks on critical infrastructure sectors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), joined by Australia, Denmark, New Zealand, and the UK, issued a joint advisory warning that Russian Federal Security Service (FSB) Center 16 cyber actors — tracked under names including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, and Static Tundra — are systematically compromising routers globally. The attackers exploit poorly configured devices by scanning IP ranges for active Simple Network Management Protocol (SNMP) agents that accept default or common credentials. Using spoofed IP addresses, they deploy malware via vulnerable SNMP agents to enroll routers into botnets. Compromised devices are then used as exit nodes to probe or attack targets in the communications, defense, energy, financial services, and government sectors. Routing malicious traffic through residential IPs helps the attackers evade firewalls and security defenses. CISA emphasized that SNMP versions 1 and 2 should be disabled immediately, as they lack password encryption and other basic security protections. The advisory noted that both Russia and China have engaged in router-compromising campaigns for years, sometimes competing to control the same devices. Past government countermeasures and botnet disruptions have proven temporary, as operators simply rebuild new botnets.