Critical Infrastructure at Risk – Russian Hackers Target Routers and Networking Gear, FBI Alerts

The Federal Bureau of Investigation has issued an urgent warning about sophisticated cyber operations conducted by Russian intelligence operatives who are actively compromising critical infrastructure networks across the United States and internationally.

The threat actors, attributed to the Russian Federal Security Service’s (FSB) Center 16, have been exploiting vulnerabilities in networking equipment to gain unauthorized access to sensitive systems.

Massive Network Device Compromise Campaign

FBI investigators have detected Russian FSB cyber actors systematically exploiting Simple Network Management Protocol (SNMP) and targeting end-of-life networking devices through an unpatched vulnerability tracked as CVE-2018-0171 in Cisco Smart Install (SMI).

This vulnerability has given the attackers a pathway into organizations across multiple sectors.

The scope of the operation is extensive, with FBI analysis revealing that the actors have collected configuration files from thousands of networking devices associated with US entities spanning critical infrastructure sectors.

Beyond simple data collection, the threat actors have demonstrated advanced capabilities by modifying configuration files on vulnerable devices to establish persistent unauthorized access.

This access has enabled them to conduct detailed reconnaissance of victim networks, with particular focus on protocols and applications commonly associated with industrial control systems.

Decade-Long Threat Actor with Known Aliases

The FSB Center 16 unit orchestrating these attacks operates under several aliases familiar to cybersecurity professionals, including “Berserk Bear” and “Dragonfly,” which represent separate but interconnected cyber activity clusters.

This threat group has maintained persistent operations for over a decade, consistently targeting networking devices worldwide with a particular focus on equipment that accepts legacy unencrypted protocols such as SMI and SNMP versions 1 and 2.

The group’s sophisticated capabilities extend beyond the exploitation of existing vulnerabilities.

They have developed and deployed custom malware purpose-built for specific Cisco devices, including the publicly documented “SYNful Knock” implant first identified in 2015, demonstrating their long-term investment in targeting network infrastructure.

Coordinated Response and Reporting Guidelines

The FBI’s latest warning builds upon previous collaborative efforts with law enforcement partners and industry stakeholders.

Relevant guidance remains available through a Technical Alert released on April 20, 2018, titled “Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices,” and a Joint Advisory from May 6, 2025, focusing on “Primary Mitigations to Reduce Cyber Threats to Operational Technology.”

Additionally, Cisco Talos published a complementary analysis on August 20, 2025, identifying this threat actor as “Static Tundra.”

Organizations suspecting compromise should immediately evaluate their router and networking devices for unauthorized configuration changes or malware installation before reporting incidents to local FBI field offices or filing detailed reports through the FBI’s Internet Crime Complaint Center (IC3).
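The two defensive checks the alert implies, finding devices that still accept the legacy cleartext protocols named above (Smart Install and SNMP versions 1 and 2) and spotting unauthorized configuration changes, can both be done from a saved copy of the running configuration. The script below is an added example written for this article, not FBI or Cisco tooling. The two configurations are constructed samples for a hypothetical router; the line syntax follows Cisco IOS conventions (`no vstack` disables Smart Install, `snmp-server community` lines configure SNMP v1/v2c community strings), and the baseline is assumed to be a config your team previously approved.

```python
"""Audit a Cisco IOS running-config for legacy cleartext exposure and diff it
against an approved baseline to surface unauthorized changes.

Added example for this article; both configs below are constructed, not taken
from any real device.
"""
import re

# Constructed baseline (hypothetical device edge-rtr-01): Smart Install off,
# SNMPv3 only, SSH-only management restricted by ACL.
BASELINE_CONFIG = """\
hostname edge-rtr-01
no vstack
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <redacted> priv aes 128 <redacted>
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
"""

# Constructed "running" config showing the kind of drift the alert describes:
# Smart Install re-enabled, v1/v2c communities added, an extra management
# source permitted, telnet turned back on.
RUNNING_CONFIG = """\
hostname edge-rtr-01
vstack
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <redacted> priv aes 128 <redacted>
ip access-list standard MGMT-ACL
 permit 10.0.0.0 0.0.0.255
 permit 203.0.113.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 transport input telnet
"""


def normalize(config):
    """Return non-empty, non-comment lines. Leading indentation is kept because
    it marks sub-mode lines in IOS configs."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_legacy_exposure(config):
    """Flag the unencrypted protocols the alert names: Smart Install (SMI) and
    SNMP v1/v2c, plus cleartext telnet on the vty lines."""
    findings = []
    lines = normalize(config)
    # Smart Install (TCP 4786) is enabled unless 'no vstack' is present.
    if "no vstack" not in lines:
        findings.append("smart-install-enabled: 'no vstack' absent, Smart Install reachable on TCP 4786")
    for ln in lines:
        # 'snmp-server community <string> [RO|RW]' configures SNMP v1/v2c,
        # whose community strings travel in cleartext. RW is worse than RO.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", ln)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            severity = "critical" if mode == "RW" else "high"
            findings.append(f"snmp-v1v2c-community: {severity}, community '{name}' mode {mode}")
    if any(re.match(r"\s+transport input .*telnet", ln) for ln in lines):
        findings.append("telnet-enabled: vty lines accept telnet (cleartext)")
    return findings


def diff_against_baseline(baseline, running):
    """Return (added, removed) config lines relative to the approved baseline.
    Any line in either list is a change nobody approved and needs review."""
    base, run = set(normalize(baseline)), set(normalize(running))
    return sorted(run - base), sorted(base - run)


if __name__ == "__main__":
    for f in audit_legacy_exposure(RUNNING_CONFIG):
        print("FINDING", f)
    added, removed = diff_against_baseline(BASELINE_CONFIG, RUNNING_CONFIG)
    for ln in added:
        print("+", ln)
    for ln in removed:
        print("-", ln)
```

In practice the baseline would be the last config your change process approved, and the running config would be pulled from each device (or from your config-backup system) on a schedule; a non-empty diff or any finding from the audit is what should trigger the review the FBI recommends before you report.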
