CISA, the NSA, the FBI, and international partner agencies released a joint advisory on July 13, warning that Russian FSB Center 16 cyber actors are exploiting poorly configured routers across major infrastructure sectors worldwide, including healthcare.
What happened
CISA and a coalition of US and international agencies published a joint Cybersecurity Advisory on July 13 detailing ongoing exploitation of vulnerable networking devices by Russian government-sponsored cyber actors. The advisory names FSB Center 16 as the group behind the activity and states that the actors scan the internet for routers with poorly configured SNMP agents that accept default authentication strings. Once the actors identify a vulnerable device, they issue spoofed SNMP Set-Requests that instruct the device to copy its configuration file and transfer it to an actor-controlled server. The agencies also note that the actors occasionally exploit known CVEs in Cisco devices and Cisco's Smart Install feature. The advisory provides mitigation recommendations for network defenders and maps the activity to the MITRE ATT&CK and D3FEND frameworks.
The backstory
The advisory builds on an FBI Public Service Announcement from 2025 that first detailed over a decade of FSB Center 16 activity targeting networking devices and critical infrastructure. In 2021, the Department of Justice indicted three FSB Center 16 officers, unsealing the charges in 2022, for a multi-stage campaign that gained remote access to US and international energy sector networks, deployed malware targeting industrial control systems, and exfiltrated enterprise and industrial data. One of the victims was a US nuclear power plant. Around the same time this advisory was published, the UK and European Union also formally attributed a coordinated December 2025 attack on Poland's energy infrastructure to FSB Center 16. The UK government said that the attack, which ultimately failed, could have left 500,000 people without electricity during winter.
Going deeper
The agencies outline the following mitigation steps for network defenders:
- Disable Cisco Smart Install on all devices.
- Replace SNMPv1 and SNMPv2 with SNMPv3 using "authPriv" and modern encryption.
- If legacy SNMP versions must remain in use, change all default community strings and limit access to read-only.
- Use strong, unique passwords for local device accounts and store credentials securely.
- Monitor for unusual credentials and for logins using local accounts rather than centralized authentication.
- Restrict access to SNMP OIDs with a Management Information Base allow list.
- Use access control lists, so management protocols like SNMP are only reachable from management devices.
- Block or closely monitor TFTP, Cisco Smart Install, and SNMP ports at edge firewalls.
- Update device firmware and software and replace end-of-life devices.
What was said
John Riggi, AHA national advisor for cybersecurity and risk, said the activity "has been attributed to the Russian Federal Security Bureau, a foreign intelligence agency of the Russian government."
He added that it "represents an advanced and persistent cyber threat targeting U.S. healthcare that should be prioritized." Riggi said the first step in mitigating this and other nation-state cyber threats is to install the latest network router encryption standard, SNMPv3.
In the know
SNMP, or Simple Network Management Protocol, is used to manage and monitor network devices like routers. Older versions, SNMPv1 and SNMPv2, authenticate using plain-text "community strings" that are often left at default values, making them easy for attackers to guess or exploit. SNMPv3 replaces these with encrypted authentication, closing off the method the FSB actors rely on to access and copy device configurations.
Why it matters
Healthcare and Public Health are named among the critical infrastructure sectors most at risk in this advisory, alongside communications, defense industrial base, energy, financial services, and government services and facilities. Since routers are used in hospital and health system networks, a compromised device can give a nation-state actor entry to access electronic health records, billing systems, and other connected infrastructure those routers protect.
Riggi's framing of this as an "advanced and persistent" state-sponsored threat, rather than an opportunistic criminal one, raises the risk for healthcare organizations that may still be running default or outdated SNMP configurations.
The bottom line
Healthcare organizations should treat this advisory as a prompt to check their network devices. Moving to SNMPv3, disabling Cisco Smart Install where unused, and locking down default credentials are steps organizations can take immediately to close off the access method these actors rely on.
FAQs
What is SNMP, and why do so many organizations still use older versions of it?
SNMP is a protocol used to monitor and manage network devices, and older versions remain in use because they were the default for decades and upgrading often requires reconfiguring or replacing legacy equipment.
How can an organization tell if one of its routers has already been compromised?
Signs of compromise include unexpected configuration changes, unfamiliar local accounts, or outbound traffic to unrecognized servers.
Is this kind of attack financially motivated, like ransomware?
No, state-sponsored espionage campaigns like this one are aimed at intelligence gathering, surveillance, and long-term network access rather than direct financial extortion.
