BigTech CompaniesCybersecurityNewswireTechnologyWhat's Buzzing

US warns Russian state hackers are targeting your router

Originally published on: July 14, 2026
▼ Summary

– The US government warns that Russian state hackers are mass-compromising home and small office routers to hide malicious actions against sensitive organizations.
– Both Russian and Chinese governments have engaged in prolonged struggles to control compromised routers, while the US and companies like Google have taken steps to disinfect them.
– The Cybersecurity and Infrastructure Security Agency reported that Russian FSB Center 16 actors exploit poorly configured and vulnerable networking devices globally.
– Hackers primarily compromise routers by scanning IP ranges for SNMP agents that accept default or common credentials.
– Attackers use router botnets to send malicious traffic from spoofed addresses, exploiting SNMP agents to run malware on targeted devices.

The federal government is urging users of home and small office routers to lock down their devices, as Russian state-sponsored hackers continue to mass-compromise routers and repurpose them to conceal attacks against sensitive public and private sector organizations.

For years, both Russian and Chinese government-linked groups have been infiltrating routers, sometimes engaging in prolonged struggles to seize control of devices already compromised by the other side. The US government has periodically issued covert commands and taken other measures to disinfect infected routers. Google and other tech firms have also worked to dismantle the massive botnets that orchestrate compromised routers in unison. Despite these efforts, the results have often felt like a game of whack-a-mole, as attackers simply rebuild their botnets with fresh devices.

Proxy networks remain the go-to tool for these operations. On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) warned that “Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks.” These hacking groups are tracked under multiple names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from Australia, Denmark, New Zealand, and the UK.

The primary method of compromise highlighted in the advisory involves hackers scanning IP ranges for active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are conducted by the very same router botnets that the attackers aim to recruit the targeted device into. By sending malicious traffic from spoofed addresses, hackers can exploit the SNMP agent on poorly configured routers to run malware. SNMP itself is a protocol that enables users to collect and organize information about managed networking devices, or to modify that information to alter device behavior.

(Source: Ars Technica)

Topics

russian state hacking 95% router compromise 93% botnet operations 90% snmp exploitation 88% critical infrastructure security 85% government advisories 82% chinese hacking 78% proxy network usage 75% device disinfection 72% whack-a-mole problem 70%