The UK and 18 international partners have warned organisations across the defence sector to strengthen the security of internet-facing network devices after identifying sustained efforts by Russian intelligence operatives to compromise critical infrastructure through poorly protected routers.
The advisory, published by the National Cyber Security Centre (NCSC) alongside agencies including the US National Security Agency (NSA), CISA, and counterparts across Europe, Australia, and New Zealand, details the tactics used by Centre 16 of Russia’s Federal Security Service (FSB). Better known to many by names including “Berserk Bear”, “Energetic Bear”, and “Dragonfly”, the group has spent years targeting organisations that underpin national security and critical services.
While communications, energy, government, healthcare, and financial services all feature prominently in the warning, defence organisations are among those singled out as being at particular risk from the campaign.
Rather than relying on previously unknown vulnerabilities, Centre 16 has been exploiting internet-facing devices that remain configured with weak or default Simple Network Management Protocol (SNMP) community strings, alongside known flaws affecting Cisco equipment, Cisco’s Smart Install feature, and exposed web management portals.
The advisory says the group trawls the public internet looking for routers it can compromise before using them as a way into wider networks. Once inside, operators can learn how a network is put together, collect credentials, watch traffic moving across it and quietly expand their access over time.
Its publication coincided with a broader UK effort to call out Russian cyber activity. Ministers announced sanctions against 24 individuals and organisations linked to Moscow’s cyber and hybrid campaigns, while the UK and EU member states also formally attributed the attempted December 2025 cyberattack against Poland’s energy grid to FSB Centre 16.
“The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter,” said Jonathon Ellison, the NCSC’s Director of National Resilience, adding that organisations responsible for critical networks should implement the advisory’s recommendations “immediately”.
Those recommendations focus on strengthening the security of network infrastructure rather than deploying new defensive technologies. Organisations are advised to disable legacy SNMP versions in favour of SNMPv3, replace default credentials with unique passwords, restrict access to management interfaces, remove unnecessary services, and replace unsupported network hardware. The NCSC is also encouraging organisations to adopt Cyber Essentials and use the updated Cyber Assessment Framework to assess and improve their cyber resilience.
For defence organisations, the advisory serves as another reminder that sophisticated state-backed espionage does not always begin with sophisticated exploits.









