US warns of Russian hackers targeting routers
The US government, alongside international partners, warns that Russian state hackers are mass-compromising home and small office routers to obscure attacks on sensitive organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Monday stating that Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks.
The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from Australia, Denmark, New Zealand, and the UK.
The primary means of compromise involves hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very router botnets the actors are trying to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware.
Both the Russian and Chinese governments have been compromising routers for years, sometimes in prolonged tugs-of-war to wrest control of devices the other has already commandeered. The US government has occasionally issued covert commands and taken other steps to disinfect routers. Google and other companies have also worked to disrupt the massive botnets that control compromised routers. However, these actions are little more than whack-a-mole exercises, as operators simply replace their botnets with new ones.


