US, Allies Warn Russian APTs Target Routers

US and allied agencies say Russian state-linked APT groups are scanning and exploiting routers to copy configurations via SNMP set-requests and exfiltrate them over TFTP to remote servers.
Agencies from the United States, Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, Italy, New Zealand, Poland, Sweden and the United Kingdom issued a joint advisory saying Russian state-sponsored advanced persistent threat (APT) actors are targeting routers and other network devices to attack critical infrastructure.
The advisory describes how the actors scan large IP ranges for poorly secured devices, then use Simple Network Management Protocol (SNMP) set-requests to instruct SNMP agents on targeted equipment to copy configuration files. Those files are typically transferred over Trivial File Transfer Protocol (TFTP) to a virtual private server or a compromised FTP host, with activity routed through proxies.
The advisory attributes the activity to groups aligned with FSB Center 16, naming Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra as observed actors. The agencies report the campaign has focused on organizations in the communications, defense industrial base, energy, financial, government and healthcare and public health sectors.
Investigators have also observed the threat actors exploiting known vulnerabilities in networking equipment. The advisory cites CVE-2008-4128 and CVE-2018-0171 in Cisco devices, both of which can allow arbitrary code or command execution on affected systems.
Access to device configuration files can expose network topology, embedded credentials and management settings. The advisory explains those details can be used to escalate access or to disrupt services on operational networks.
The notice states: “Many of these TTPs overlap with activity by other malicious cyber actors, such as Salt Typhoon.” The agencies note similar tactics, techniques and procedures appear across multiple threat actors.
The advisory offers specific mitigation steps for network defenders. It recommends disabling Cisco Smart Install where present, turning off SNMPv1 and SNMPv2 and adopting SNMPv3 with modern encryption. Administrators are advised to require unique passwords for device accounts and to store credentials securely, to monitor and alert on local account logins, to restrict access to SNMP Object Identifiers and management protocols, to deny external communications on relevant ports at edge firewalls and devices, and to keep network device software and firmware up to date.
The U.S. National Security Agency has issued related guidance on reducing the risk of SNMP abuse. The joint advisory warns that the combination of broad scanning, exploitation of legacy protocols and reuse of management features raises the risk to operational networks if basic protections are not applied.



