The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and agencies from 12 allied nations released a joint advisory July 13 warning that Russia’s Federal Security Service (FSB) Center 16 is exploiting poorly configured routers and networking devices to breach critical infrastructure networks worldwide.
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, targeting devices across critical infrastructure sectors. These vulnerabilities can give hostile actors access to the systems that… pic.twitter.com/K5Po1v87Fu
— FBI Phoenix (@FBIPhoenix) July 14, 2026
The advisory attributes the campaign to FSB Center 16, also tracked as Berserk Bear, Ghost Blizzard, and Static Tundra. “This is an ongoing issue that has impacted various U.S. and foreign networks across multiple sectors, including the defense industrial base, communications, energy, financial services, government facilities and health care sectors,” the NSA stated.
The group scans internet-accessible routers for default Simple Network Management Protocol (SNMP) community strings, a protocol used to manage network devices, and also exploits Cisco Smart Install, a legacy unauthenticated configuration feature in network switches.
The FSB advisory follows a separate April 7, 2026 warning from the FBI, NSA, and 15 partner nations attributing a network of compromised small office and home office (SOHO) routers to Russian military intelligence, the General Staff Main Intelligence Directorate (GRU).
The GRU carried out Domain Name System (DNS) hijacking against military and government targets before the Department of Justice disrupted the network. The July advisory covers a distinct FSB operation, showing Russia’s FSB and GRU running independent router campaigns against overlapping targets.
The July 13 advisory coincided with the United Kingdom and European Union’s first joint cyber sanctions package, targeting 24 individuals and entities linked to Russian cyber operations
The UK’s Foreign, Commonwealth and Development Office (FCDO) simultaneously attributed the December 2025 cyberattack on Poland’s power grid to FSB Center 16, calling it “another example of the Russian state’s irresponsible attempts to sow chaos across Europe.”
The attackers attempted to deploy DynoWiper malware to sabotage the grid, an operation that officials warn could have cut heat and power to up to 500,000 consumers if it had succeeded.







