All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Cybersecurity agencies across 12 countries are urging organizations to secure their routers after identifying an ongoing campaign by Russian state-backed hackers targeting vulnerable network devices worldwide.
According to a new warning from the United Kingdom’s National Cyber Security Centre (NCSC), the hackers are scanning the internet for poorly configured routers and exploiting weak passwords, outdated management protocols, and known security flaws to gain access to networks.[1]
The activity has been attributed to Center 16, a cyber unit within Russia’s Federal Security Service (FSB). The advisory was jointly issued by 19 agencies from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, the United Kingdom, and the United States.
Although the campaign has primarily targeted critical infrastructure and other large organizations, the hackers’ broad and opportunistic scanning methods demonstrate why any internet-facing router should be properly secured and regularly updated.
Why hackers target routers
How the Russian hackers are getting in
What can happen if a router is compromised?
Does this warning affect home users?
How to protect your router
How to tell if your router may be compromised
New sanctions against Russian cyber networks
Who is behind the attacks?
The campaign has been attributed to Center 16, an FSB cyber unit tracked by cybersecurity researchers under several names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra.
The group has historically targeted organizations operating in the communications, defense, energy, financial services, government, and healthcare sectors, according to the NCSC’s announcement.
“Russian cyber actors persistently seek to exploit any vulnerability they encounter,” Jonathon Ellison, the NCSC’s director of national resilience, said in the announcement.
Ellison encouraged organizations, especially those responsible for critical networks, to implement the advisory’s recommendations immediately to reduce the likelihood of compromise.
Why hackers target routers
A router directs information between devices on a local network and the wider internet. Computers, smartphones, smart TVs, security cameras, and other connected devices typically send their internet traffic through it.
That makes a compromised router valuable to an attacker. Depending on the device, its configuration and the level of access obtained, a hacker may be able to monitor traffic, redirect communications, collect information about the network or use the router as an entry point for further attacks.
Because routers are often left unpatched for years, they can become attractive entry points for attackers.
How the Russian hackers are getting in
The new advisory highlights several methods Center 16 has used to identify and compromise vulnerable routers.
Weak or default SNMP credentials
The group has primarily scanned for devices running Simple Network Management Protocol (SNMP).
SNMP allows administrators to remotely manage network devices. Older versions can expose sensitive information if they're protected by weak or default credentials.
Center 16 has searched for routers using default, weak or reused SNMP passwords, and community strings. If those credentials are exposed or easy to guess, an attacker may obtain information about the router or alter its configuration.
Known Cisco vulnerabilities
The hackers have also exploited known vulnerabilities affecting Cisco devices, according to the NCSC.
The advisory specifically mentions vulnerabilities associated with Cisco devices, including weaknesses involving Cisco Smart Install. Cisco has advised customers to disable Smart Install on devices where it is not required and ensure it cannot be reached from untrusted networks.
Exposed web management portals
Many routers allow administrators to change settings through a web-based control panel.
These management portals should generally be accessible only from inside a trusted network. If a portal is exposed directly to the internet, attackers may attempt to exploit software vulnerabilities, steal login credentials, or repeatedly guess the administrator password.
Disabling remote administration can help prevent outsiders from reaching the router’s settings page unless remote access is genuinely required.
What can happen if a router is compromised?
The consequences depend on the router, the vulnerability being exploited and the attacker’s objectives. A compromised router may allow an attacker to:
- Monitor network traffic to see what sites you visit
- Steal your credentials, like usernames and passwords
- Redirect users
- Gain long-term access
- Move deeper into a network
Encryption still provides an important layer of protection. For example, HTTPS encrypts the contents of communications between a browser and a legitimate website.
Does this warning affect home users?
The advisory is primarily directed at organizations, particularly those operating critical infrastructure. It does not say that Center 16 is specifically targeting individual households.
However, the hackers are conducting opportunistic internet scans rather than relying exclusively on carefully selected targets. A vulnerable home or small-business router could therefore be discovered if it exposes insecure management services to the internet.
Compromised consumer routers can also be useful to sophisticated attackers even when the router’s owner is not the ultimate target. Hackers may use hijacked devices to conceal their location, relay malicious traffic, or make an attack appear to originate from an ordinary residential internet connection.
That does not mean every exposed router will be attacked. It does mean that basic router security can reduce the likelihood of a device becoming an easy target during automated scans.
How to protect your router
The joint advisory provides highly technical recommendations for network administrators, but several of its core lessons also apply to home users and small businesses.
Update your router’s firmware
Firmware is the software built into your router. Manufacturers release firmware updates to fix security flaws, improve performance, and address technical problems.
Sign in to your router’s administration page or companion app and check whether an update is available. Enable automatic updates when your router supports them.
Older routers that no longer receive security updates should be replaced. Even a strong password cannot protect a router from every unpatched software vulnerability.
Change the administrator password
The administrator password protects access to your router’s settings. It is separate from the Wi-Fi password people use to connect their devices.
Change any default administrator credentials to a strong, unique password that you do not use for another account. A password manager can generate and store a long password for you.
Some routers also use a default administrator username such as “admin.” Change the username as well if the device allows it.
Disable remote administration
Remote administration allows someone to access the router’s control panel from outside the local network.
Most home users do not need this feature. Leaving it enabled may expose the login page or management service to anyone on the internet.
Look for settings labeled remote management, remote administration, web access from WAN, or administration from the internet and turn them off unless you have a specific reason to use them.
Use WPA3 or WPA2 encryption
Your wireless network should use WPA3 security when supported. WPA2 remains an acceptable alternative for devices that cannot use WPA3.
Avoid outdated security standards such as WEP and WPA, which contain well-known weaknesses.
Choose a strong and unique Wi-Fi password, especially if the router still uses the password printed on its label.
You can also disable features such as SNMP, Telnet, remote management, and UPnP if you don't need them, as they can increase your router's attack surface. Regularly review your router's connected devices and consider using a guest network for smart home devices to add another layer of security.
How to tell if your router may be compromised
Router compromises are not always obvious. Attackers interested in espionage may try to remain undetected rather than disrupting the network.
Possible warning signs that your router has been hacked can include:
- Router settings changing unexpectedly
- Unknown administrator accounts
- DNS settings you do not recognize
- Internet searches redirecting to unfamiliar websites
- Unexplained loss of access to the administration page
- New port-forwarding rules
- Unknown devices repeatedly appearing on the network
- The router restarting or behaving unpredictably
- Security warnings appearing on multiple connected devices
These symptoms can also have innocent explanations, including faulty hardware or problems with an internet provider.
If you suspect your router has been compromised, disconnect it from the internet, contact the manufacturer or your internet provider, and follow their instructions. You may need to factory reset the device, update its firmware, and configure it again with new passwords.
Replacing the router may be safer if it is outdated, no longer supported, or known to contain an unpatched vulnerability.
New sanctions against Russian cyber networks
The router advisory was released on the same day that the United Kingdom and European Union announced new sanctions against Russian state-linked cyber and criminal networks.
The UK sanctioned 24 individuals and entities accused of participating in destructive cyberattacks, election interference, cybercriminal proxy operations, and the spread of anti-Ukraine disinformation.
British officials and EU member states also formally attributed a December 2025 cyberattack against Poland’s energy grid to FSB Center 16.
Organizations are being encouraged to implement the router recommendations alongside broader cybersecurity safeguards. In the UK, the NCSC recommends obtaining Cyber Essentials certification and using its Cyber Assessment Framework to evaluate security maturity and identify weaknesses.
The immediate warning is aimed largely at critical infrastructure operators and network defenders, but the underlying lesson applies more broadly: routers should not be treated as appliances that can be installed and forgotten.
Keeping firmware up to date, removing unnecessary internet exposure and replacing default credentials can help prevent both state-backed hackers and ordinary cybercriminals from turning a router into an entry point.
[1] UK and Allies Warn of Russian Hackers Actively Hacking Organizations’ Routers Worldwide