Loading...
Russian hackers are targeting home routers, US warns
Australia, Denmark, New Zealand, and the UK have also issued similar warning

Russian hackers are targeting home routers, US warns

Jul 14, 2026
12:20 pm

What's the story

The US government has issued a warning about Russian state-sponsored hackers targeting home and small office routers. The cybercriminals have been compromising these devices to hide their malicious activities against sensitive organizations in both public and private sectors. The warning was jointly issued by several countries, including Australia, Denmark, New Zealand, and the UK.

Ongoing conflict

Ongoing battles between Chinese and Russian hackers

The US government has previously warned about Russian and Chinese governments compromising routers.

These attacks sometimes involve long battles to take control of devices already compromised by the other side.

Despite covert operations and other measures taken by the US government, along with companies like Google, these efforts have largely been unsuccessful as hackers continue to replace their botnets with new ones.

Exploitation tactics

Russian FSB cyber actors exploiting vulnerable networking devices

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that Russian Federal Security Service (FSB) Center 16 cyber actors are exploiting poorly configured and vulnerable networking devices worldwide.

They are compromising multiple critical infrastructure sector networks opportunistically.

The hacking groups, known by various names such as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, use these compromised routers as exit nodes for probing or attacking targets in sectors like communications, defense, energy, financial services, and government.

ADVERTISEMENT

Attack method

Primary method of compromise involves scanning IP ranges

The primary method of compromise involves hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials.

These scans are conducted by router botnets the hackers are trying to enroll the targeted device into.

By sending malicious traffic from spoofed addresses, they can use the SNMP agent on poorly configured routers to run malware and gain control over a device.

ADVERTISEMENT

Security measures

Recommendations for router users to secure their devices

In light of these attacks, the US government has advised router users to secure their devices.

The recommendations include disabling SNMP versions 1 and 2 as they don't encrypt passwords or follow other common-sense security practices.

Instead, only SNMP version 3 should be used or better yet, disable SNMP altogether unless needed for a specific use case.

Other recommendations include disabling Cisco Smart Install on all devices, using strong passwords, regularly updating firmware, and avoiding other networking protocols.

ADVERTISEMENT