Security Intelligence
Loading table of contents...
July 14, 2026 | Security intelligence
At a glance: A newly released multinational advisory warns that Russian FSB Center 16 operators have spent more than a decade targeting internet-facing routers and network devices that use insecure SNMP configurations, particularly default or commonly used community strings. The actors abuse legitimate router management functions to export configuration files containing credentials, VPN settings, network architecture details, and other sensitive information directly from compromised devices. The campaign highlights the ongoing risk posed by legacy network infrastructure and exposed management services, making configuration hardening, SNMP modernization, and monitoring for configuration export activity key defensive priorities.
On July 9, 2026, cybersecurity and intelligence organizations from the United States, Canada, the United Kingdom, Australia, New Zealand, and several European countries released a joint advisory warning that Russian Federal Security Service (FSB) Center 16 operators continue to compromise routers and other networking devices worldwide. The activity, which has spanned more than a decade, primarily targets organizations in the communications, energy, financial services, healthcare, government, and defence sectors that operate critical infrastructure networks and rely on insecure configurations.
Operators linked to FSB Center 16 scan large IP ranges for internet-facing devices running Simple Network Management Protocol version 1 (SNMPv1) or version 2 (SNMPv2) that accept default or commonly used community strings for authentication. The activity is conducted through proxies and uses spoofed IP addresses to obscure the source of the requests.
Once a device is identified, the actors use SNMP Set requests containing Cisco-specific Object Identifiers (OIDs) to trigger the router's built-in configuration export functionality. The advisory identifies OID 1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy), which initiates configuration-copy operations, and OID 1.3.6.1.4.1.9.9.96.1.1.1.1.5, which specifies the destination address that will receive the exported configuration file. The router then creates a configuration backup, often named config.bkp or output.txt, and transfers it to attacker-controlled infrastructure using Trivial File Transfer Protocol (TFTP).
The exported configuration files can contain administrative credentials, local account passwords, Virtual Private Network (VPN) settings, SNMP community strings, routing information, network topology details, and device management settings. According to the advisory, exported files are commonly sent to leased virtual private servers (VPSs) or compromised File Transfer Protocol (FTP) servers controlled by the actors.
While SNMP abuse is the primary technique described in the campaign, the advisory also notes previous exploitation of Cisco Smart Install (SMI), web-based network management interfaces, CVE-2018-0171, and CVE-2008-4128 during operations targeting networking infrastructure.
Various Chinese and Russian state-sponsored actors have historically targeted routers to collect credentials, redirect traffic, establish proxy infrastructure, and maintain access to victim environments. The broader focus on routers, network appliances, and edge infrastructure has become increasingly common among state-sponsored actors.
These techniques are effective because they leverage legitimate administrative protocols and built-in device management functions that already exist on the router. After gaining access through SNMP, the actors can use native configuration export features to collect sensitive data directly from the device.
Routers sit at the center of an organization's network and often contain administrative credentials, local account passwords, VPN settings, SNMP community strings, routing information, and network architecture details. By obtaining a router configuration file, an actor can collect information that maps the environment, identifies connected systems, and reveals additional authentication material without compromising endpoints first.
The campaign targets a layer of infrastructure that frequently receives less security monitoring than servers, identity systems, and endpoints. Because the actors are using native management functionality, the activity can resemble legitimate administrative operations.
The campaign primarily targets routers and network devices that expose SNMP services with default or commonly used community strings. The advisory does not provide prevalence statistics, but the fact that FSB Center 16 has continued using the same technique for more than a decade indicates that exposed devices running legacy SNMP configurations remain accessible. These conditions are often found in legacy infrastructure, branch offices, industrial environments, and networks where routers remain in service for many years with minimal configuration changes.
The key takeaway is that this is primarily a configuration and exposure problem. The actors are succeeding by identifying devices that already permit administrative access through SNMP and then using legitimate management features to collect sensitive configuration data.
Recommended actions include:
Additional recommendations include restricting management protocols through access control lists (ACLs), using strong local account credentials, enabling multi-factor authentication (MFA) for centralized administration platforms, and reviewing routers, firewalls, and switches for exposed administrative interfaces and configuration backup mechanisms.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.

