
NSA Warns: Russia-Linked Cyberattackers Targeting Cisco Routers!
In a new joint advisory published by the U.S. National Security Agency (NSA) and cybersecurity agencies from 17 partner countries, it has been reported that Russian state-linked cyberattackers continue to exploit vulnerabilities in routers and switches worldwide to target critical infrastructure facilities.
The advisory, titled “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting” and published on July 9, 2026, emphasizes that misconfigured network devices or outdated software have become one of the most convenient entry points for state-sponsored cyber espionage groups.
Who Is Behind the Attacks?
According to the advisory, these cyberattacks are linked to the activities of a unit known as Center 16, which is part of the Russian Federal Security Service (FSB).
Experts note that this group is targeting the following strategic sectors in the United States and its allied countries:
- defense industry;
- telecommunications and communications networks;
- energy sector;
- financial services;
- government agencies;
- healthcare system;
- other critical information infrastructure.
By gaining control over network devices, attackers can create hidden entry points into organizations’ internal networks and remain undetected for extended periods.
The Primary Threat – Cisco Smart Install Vulnerability
The advisory places particular emphasis on the critical vulnerability in the Cisco Smart Install service, registered under identifier CVE-2018-0171.
This vulnerability is rated 9.8 on the CVSS scale and allows for remote attacks without authentication.
By exploiting the vulnerability, an attacker can:
- forcibly reboot the device (Denial-of-Service);
- remotely execute malicious code (Remote Code Execution);
- modify the device configuration;
- control or redirect network traffic;
- create a covert entry point into the organization’s internal network.
Although the Cisco Smart Install service was originally designed to simplify automatic configuration of new network devices, it is rarely used in most modern corporate networks. Therefore, security experts consider leaving it enabled an unnecessary risk.
Why Are Routers Becoming a Primary Target?
In many organizations, servers, workstations, and other information systems are regularly updated and undergo security checks. However, perimeter network devices — routers and switches — often remain unpatched for long periods or are used with misconfigurations.
This factor creates a convenient opportunity for state-sponsored cybercriminals.
Once a router is successfully compromised, attackers can:
- monitor traffic within the internal network;
- obtain user authentication credentials;
- conceal malicious traffic;
- move laterally to other servers and workstations;
- establish long-term covert access (Persistence).
Such attacks are typically difficult to detect and can cause serious damage to an organization’s information security.
What Protective Measures Do Experts Recommend?
The NSA and partner organizations recommend network administrators take the following measures immediately:
- completely disable the Cisco Smart Install service, as most production environments have no need for it;
- migrate to SNMPv3 instead of SNMPv1 and SNMPv2, as it supports robust authentication and encryption;
- use complex and unique passwords on devices, eliminating default or reused passwords;
- restrict access to TFTP, Smart Install (SMI), and SNMP services over the Internet and filter them using a firewall;
- continuously update the operating system (Cisco IOS/IOS XE) and firmware of Cisco devices;
- regularly audit router and switch configurations and monitor for unauthorized changes;
- check devices for unknown users, hidden configurations, or suspicious processes;
- replace end-of-life network equipment with modern hardware where possible;
- regularly back up configuration files of network devices and monitor their integrity;
- implement multi-factor authentication (MFA) for administrator accounts and restrict device access to trusted IP addresses only.
Similar Warnings Have Been Issued Before
This advisory is a continuation of previous warnings.
In August 2025, the U.S. Federal Bureau of Investigation (FBI) warned that Russian government-linked cyberattackers were using network devices to target critical infrastructure facilities.
Additionally, in April 2026, the NSA and FBI reported that the APT28 (Fancy Bear, Forest Blizzard) group was exploiting vulnerabilities in routers used in small office and home networks, including TP-Link devices.
At that time, experts recommended that users reboot routers, disable remote management, change default passwords, and review VPN settings.
Conclusion
Although state-sponsored cyberattacks are becoming increasingly sophisticated, most of them begin with network devices where basic security practices are not followed. Outdated software, default passwords, and enabled unnecessary services provide attackers with a path through the network perimeter into the internal infrastructure.
Therefore, organizations must regularly audit not only servers and workstations but also routers, switches, and other network devices, keep them updated, and configure them in accordance with modern security requirements.
In cybersecurity practice, it is precisely these simple yet important preventive measures that are among the most effective means of preventing many sophisticated state-sponsored cyberattacks.



