Your Wi-Fi Router Could Be a Target in Russia's Latest Cyber Campaign, Officials Warn

A joint advisory from the UK, U.S., Canada, and other allies warns that Russian state-backed hackers are exploiting weak router security — and one outdated setting could put your network at risk.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Cybersecurity agencies across 12 countries are urging organizations to secure their routers after identifying an ongoing campaign by Russian state-backed hackers targeting vulnerable network devices worldwide.

According to a new warning from the United Kingdom’s National Cyber Security Centre (NCSC), the hackers are scanning the internet for poorly configured routers and exploiting weak passwords, outdated management protocols, and known security flaws to gain access to networks.[1]

The activity has been attributed to Center 16, a cyber unit within Russia’s Federal Security Service (FSB). The advisory was jointly issued by 19 agencies from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, the United Kingdom, and the United States.

Although the campaign has primarily targeted critical infrastructure and other large organizations, the hackers’ broad and opportunistic scanning methods demonstrate why any internet-facing router should be properly secured and regularly updated.

In this article
Who is behind the attacks?
Why hackers target routers
How the Russian hackers are getting in
What can happen if a router is compromised?
Does this warning affect home users?
How to protect your router
How to tell if your router may be compromised
New sanctions against Russian cyber networks

Who is behind the attacks?

The campaign has been attributed to Center 16, an FSB cyber unit tracked by cybersecurity researchers under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.

The group has historically targeted organizations operating in the communications, defense, energy, financial services, government, and healthcare sectors, according to the NCSC’s announcement.

“Russian cyber actors persistently seek to exploit any vulnerability they encounter,” Jonathon Ellison, the NCSC’s director of national resilience, said in the announcement.

Ellison encouraged organizations, especially those responsible for critical networks, to implement the advisory’s recommendations immediately to reduce the likelihood of compromise.

Why hackers target routers

A router directs information between devices on a local network and the wider internet. Computers, smartphones, smart TVs, security cameras, and other connected devices typically send their internet traffic through it.

That makes a compromised router valuable to an attacker. Depending on the device, its configuration and the level of access obtained, a hacker may be able to monitor traffic, redirect communications, collect information about the network or use the router as an entry point for further attacks.

Because routers are often left unpatched for years, they can become attractive entry points for attackers.

How the Russian hackers are getting in

The new advisory highlights several methods Center 16 has used to identify and compromise vulnerable routers.

Weak or default SNMP credentials

The group has primarily scanned for devices running Simple Network Management Protocol (SNMP).

SNMP allows administrators to remotely manage network devices. Older versions can expose sensitive information if they're protected by weak or default credentials.

Center 16 has searched for routers using default, weak or reused SNMP passwords, and community strings. If those credentials are exposed or easy to guess, an attacker may obtain information about the router or alter its configuration.

Known Cisco vulnerabilities

The hackers have also exploited known vulnerabilities affecting Cisco devices, according to the NCSC.

The advisory specifically mentions vulnerabilities associated with Cisco devices, including weaknesses involving Cisco Smart Install. Cisco has advised customers to disable Smart Install on devices where it is not required and ensure it cannot be reached from untrusted networks.

Exposed web management portals

Many routers allow administrators to change settings through a web-based control panel.

These management portals should generally be accessible only from inside a trusted network. If a portal is exposed directly to the internet, attackers may attempt to exploit software vulnerabilities, steal login credentials, or repeatedly guess the administrator password.

Disabling remote administration can help prevent outsiders from reaching the router’s settings page unless remote access is genuinely required.

What can happen if a router is compromised?

The consequences depend on the router, the vulnerability being exploited and the attacker’s objectives. A compromised router may allow an attacker to:

  • Monitor network traffic to see what sites you visit
  • Steal your credentials, like usernames and passwords
  • Redirect users
  • Gain long-term access
  • Move deeper into a network

Encryption still provides an important layer of protection. For example, HTTPS encrypts the contents of communications between a browser and a legitimate website.

Does this warning affect home users?

The advisory is primarily directed at organizations, particularly those operating critical infrastructure. It does not say that Center 16 is specifically targeting individual households.

However, the hackers are conducting opportunistic internet scans rather than relying exclusively on carefully selected targets. A vulnerable home or small-business router could therefore be discovered if it exposes insecure management services to the internet.

Compromised consumer routers can also be useful to sophisticated attackers even when the router’s owner is not the ultimate target. Hackers may use hijacked devices to conceal their location, relay malicious traffic, or make an attack appear to originate from an ordinary residential internet connection.

That does not mean every exposed router will be attacked. It does mean that basic router security can reduce the likelihood of a device becoming an easy target during automated scans.

How to protect your router

The joint advisory provides highly technical recommendations for network administrators, but several of its core lessons also apply to home users and small businesses.

Update your router’s firmware

Firmware is the software built into your router. Manufacturers release firmware updates to fix security flaws, improve performance, and address technical problems.

Sign in to your router’s administration page or companion app and check whether an update is available. Enable automatic updates when your router supports them.

Older routers that no longer receive security updates should be replaced. Even a strong password cannot protect a router from every unpatched software vulnerability.

Change the administrator password

The administrator password protects access to your router’s settings. It is separate from the Wi-Fi password people use to connect their devices.

Change any default administrator credentials to a strong, unique password that you do not use for another account. A password manager can generate and store a long password for you.

Some routers also use a default administrator username such as “admin.” Change the username as well if the device allows it.

Disable remote administration

Remote administration allows someone to access the router’s control panel from outside the local network.

Most home users do not need this feature. Leaving it enabled may expose the login page or management service to anyone on the internet.

Look for settings labeled remote management, remote administration, web access from WAN, or administration from the internet and turn them off unless you have a specific reason to use them.

Use WPA3 or WPA2 encryption

Your wireless network should use WPA3 security when supported. WPA2 remains an acceptable alternative for devices that cannot use WPA3.

Avoid outdated security standards such as WEP and WPA, which contain well-known weaknesses.

Choose a strong and unique Wi-Fi password, especially if the router still uses the password printed on its label.

You can also disable features such as SNMP, Telnet, remote management, and UPnP if you don't need them, as they can increase your router's attack surface. Regularly review your router's connected devices and consider using a guest network for smart home devices to add another layer of security.

How to tell if your router may be compromised

Router compromises are not always obvious. Attackers interested in espionage may try to remain undetected rather than disrupting the network.

Possible warning signs that your router has been hacked can include:

  • Router settings changing unexpectedly
  • Unknown administrator accounts
  • DNS settings you do not recognize
  • Internet searches redirecting to unfamiliar websites
  • Unexplained loss of access to the administration page
  • New port-forwarding rules
  • Unknown devices repeatedly appearing on the network
  • The router restarting or behaving unpredictably
  • Security warnings appearing on multiple connected devices

These symptoms can also have innocent explanations, including faulty hardware or problems with an internet provider.

If you suspect your router has been compromised, disconnect it from the internet, contact the manufacturer or your internet provider, and follow their instructions. You may need to factory reset the device, update its firmware, and configure it again with new passwords.

Replacing the router may be safer if it is outdated, no longer supported, or known to contain an unpatched vulnerability.

New sanctions against Russian cyber networks

The router advisory was released on the same day that the United Kingdom and European Union announced new sanctions against Russian state-linked cyber and criminal networks.

The UK sanctioned 24 individuals and entities accused of participating in destructive cyberattacks, election interference, cybercriminal proxy operations, and the spread of anti-Ukraine disinformation.

British officials and EU member states also formally attributed a December 2025 cyberattack against Poland’s energy grid to FSB Center 16.

Organizations are being encouraged to implement the router recommendations alongside broader cybersecurity safeguards. In the UK, the NCSC recommends obtaining Cyber Essentials certification and using its Cyber Assessment Framework to evaluate security maturity and identify weaknesses.

The immediate warning is aimed largely at critical infrastructure operators and network defenders, but the underlying lesson applies more broadly: routers should not be treated as appliances that can be installed and forgotten.

Keeping firmware up to date, removing unnecessary internet exposure and replacing default credentials can help prevent both state-backed hackers and ordinary cybercriminals from turning a router into an entry point.

Protect Every Aspect of Your Digital Life — Even Your Time
4.7
Editorial Rating
See Price
On TotalAV's website
2026 Editors’ Choice
Best Antivirus for Safe Browsing
Antivirus Software
TotalAV
  • An antivirus that scores 18/18 on AV-TEST for Windows and macOS, with top marks across all test categories
  • Passed every malware and drive-by download test we ran, quarantining threats automatically
  • Includes a junk cleaner, app uninstaller, and browser cleaner to keep your device running smoothly alongside the antivirus

Author Details
Thomas Kent is a multi-disciplined reporter with over a decade of experience covering online platforms, digital trends, and consumer-facing tech. Tom focuses on digital privacy, data tracking, and user behavior, with a particular interest in how cookies, online surveillance, and platform design shape the modern internet experience. His reporting takes a research-driven, news-focused approach, translating complex technical topics into clear, accessible insights.

Citations

[1] UK and Allies Warn of Russian Hackers Actively Hacking Organizations’ Routers Worldwide