Summary
- NCSC and allied agencies warn FSB Centre 16 is exploiting vulnerable routers and network devices.
- Communications, energy, defence, finance, government, and healthcare are named as sectors at risk.
- The advisory turns network-device configuration into a critical infrastructure resilience issue.
The National Cyber Security Centre and international partners have warned critical sectors to harden routers and network devices against Russian intelligence targeting, after agencies observed exploitation of poorly configured infrastructure by actors linked to Russia’s FSB Centre 16.
The advisory names communications, defence, energy, financial services, government, and healthcare among the sectors most exposed. It says the actor has scanned for routers using default or weak Simple Network Management Protocol credentials and community strings, while also exploiting known issues affecting Cisco devices, Cisco Smart Install, and web portal flaws.
The NCSC’s public warning urges organisations to move to SNMPv3, disable older SNMP versions, use strong and unique passwords for network devices, and restrict access to management protocols with appropriate controls. The advisory was issued with agencies from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden, and the United States.
The warning lands alongside UK and EU sanctions against Russian cyber and hybrid operations, and the joint attribution of a failed attack on Poland’s energy grid to FSB Centre 16. Exposed network devices are being treated as more than asset-management debt. Poorly governed edge infrastructure can become a route into critical services, a surveillance foothold, or a staging point for later disruption.
Routers, firewalls, VPN appliances, and management interfaces have become one of the most contested parts of enterprise and public-sector infrastructure. They often sit at the edge of networks, remain exposed to the internet, and may be managed by small teams working around limited downtime windows. In some environments they are treated as stable plumbing rather than active security assets, leaving firmware, configuration, logging, and access controls behind the rest of the estate.
The NCSC warning also shows that state-linked operators do not always need novel malware or zero-day exploitation to create strategic access. Default credentials, weak community strings, legacy management protocols, and unpatched web interfaces can provide enough access to monitor traffic, map internal networks, pivot into adjacent systems, or prepare for future activity. In regulated sectors, device governance becomes part of resilience and incident reporting discipline, not just a technical remediation task.
The advisory’s sector list follows the direction of UK and European cyber policy. Financial services, energy, healthcare, government, telecoms, and defence are increasingly treated as interdependent systems, where a weakness in one layer can create wider operational risk. A compromised router in a supplier, branch site, or regional facility may not look like a major incident at the point of entry, but it can become significant when it supports persistence, traffic collection, or access to systems that underpin essential services.
Organisations now need evidence that edge devices are visible, owned, patched, logged, and governed with the same seriousness as servers and identity platforms. Russian targeting gives that work a national security context, but the control gap is broader. Criminal groups, espionage operators, and initial access brokers all benefit from neglected infrastructure.




