Russian hackers are targeting routers to infiltrate critical infrastructure, CISA warns
A forgotten router could give hackers a foothold inside critical telecom networks.

Image by Cybernews.
- Russian hackers are exploiting forgotten routers to quietly map and infiltrate critical infrastucture networks.
- Stolen router configurations can expose credentials, VPN settings, internal IP ranges, and trusted connections.
- US and international allies warn that one vulnerable edge device can create long-term access for espionage or disruption.
- EU sanctions also targeted bulletproof hosting providers accused of supporting Russia-linked cyberattacks across Europe.
Russian state hackers are quietly exploiting vulnerable and poorly configured routers to infiltrate critical infrastructure networks, according to a new security warning issued Monday from the US cybersecurity watchdog and allied nations.
The joint cybersecurity advisory – issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, DC3, and eight allied nations – is warning defenders that Russian state-sponsored actors continue to target internet-facing routers – all to steal sensitive network information and establish long-term access within victim networks.
Russian hackers target overlooked routers
Ensar Seker, President of Research and CISO at SOCRadar, says the latest warning proves that “nation-state attackers don’t always need a sophisticated zero-day to penetrate critical infrastructure.”
“In many cases, weak router configurations, default SNMP community strings, outdated firmware, and unnecessary exposure of legacy management protocols provide everything they need,” Seker explains.
"Router configuration files are extremely valuable intelligence,"warns Seker.
He says the files can reveal a plethora of sensitive network information, including “network topology, administrative credentials, access-control rules, VPN settings, internal IP ranges, and trusted connections.”
The threat actors can use those data points to “identify pathways into more sensitive systems, prepare targeted follow-on attacks, or establish persistent access while remaining below the visibility of conventional endpoint security tools,” he says.
Why router compromises matter
CISA warns that edge devices are often overlooked despite serving as critical gateways into enterprise and critical infrastructure networks.
Officials said organizations should treat routers and other network appliances as high-value assets because a single compromised device can provide attackers with a platform for future espionage, lateral movement, or disruptive cyber operations.
The most targeted critical sectors are said to include communications, defense, energy, financial services, government services and facilities, healthcare, and public health.
The advisory noted that state and local governments were a favored target of Moscow.
Providing a detailed list of tactics, techniques, and procedures to help counter the active threat, CISA names half a dozen Russian-linked threat groups known among the security community and actively carrying out these types of opportunistic attacks:
- Berserk Bear
- Energetic Bear
- Crouching Yeti
- Dragonfly
- Ghost Blizzard
- Static Tundra
Seker says the broader lesson is that critical infrastructure security can be undermined by a single forgotten or poorly managed edge device and urges defenders to treat routers and other network appliances as high-value security assets – not passive infrastructure.
“Network appliances often sit outside normal endpoint detection coverage, making configuration monitoring, external attack-surface visibility, and continuous validation essential,” Seker said.
The agencies further urged organizations to inventory internet-facing devices, replace older SNMP versions with properly configured SNMPv3, remove default community strings, restrict management access, disable unnecessary services, keep firmware up to date, and monitor for unauthorized configuration changes.
EU targets Russia’s cyber support network
The warning comes as the Council of the European Union on Monday also imposed new sanctions on nine individuals and four entities accused of “carrying out, enabling and facilitating cyber-attacks” against EU member nations, the US and other international partners on behalf of Russia.
Among those sanctioned were bulletproof hosting provider Media Land LLC, its owner Alexander Volosovik, and its sister company ML.Cloud, the Council’s announcement said.
The sanctions also targeted several threat groups and individuals linked to the GRU and other cyber operations, including those involved in the development and distribution of several known malware strains:
- Z-Pentest (pro-Russia hacktivist group)
- Cyber Army of Russia Reborn (CARR)
- GRU Unit 29155
- LLC “Impuls” (Russian tech company)
- LummaC2 infostealer malware
- TrickBot banking trojan and malware ecosystem
- Conti ransomware
Has your password leaked?