Russian Federal Security Service (FSB) operatives are actively scanning the Internet for poorly configured routers, exploiting a decades-old protocol to steal full device configurations, according to a joint advisory from CISA, the NSA, and international partners released July 13, 2026. The campaign, which targets critical infrastructure sectors, uses legitimate management tools against network owners, making detection difficult without proper logging.

What the Advisory Reveals

The advisory, tracked as AA26-194A, details how FSB Center 16 actors—also known as Berserk Bear, Energetic Bear, and Dragonfly—scan IP ranges for devices with exposed SNMP services. They issue SNMP Set-Requests containing specific Object Identifiers (OIDs) that instruct the router to copy its configuration to a file named “config.bkp” or “output.txt”. The device then transfers that file via TFTP to actor-controlled servers. The two key OIDs to watch:

  • 1.3.6.1.4.1.9.9.96.1.1 — Cisco Config Copy
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.5 — Config Copy Server Address (the destination IP)

The actors also exploit Cisco Smart Install (SMI), a legacy feature designed for zero-touch deployment, and occasionally pivot through known CVEs like CVE-2008-4128 (end-of-life Cisco devices only). Once inside, they steal credentials stored using weak Cisco password types 0, 4, or 7, paving the way for deeper network compromise.

How This Hits Your Organization

For enterprise network and security teams, this is an immediate threat. Router configurations are a blueprint of your infrastructure: firewall rules, routing tables, VPN secrets, and administrative credentials. An attacker with a full config can map your defenses, impersonate trusted devices, and pivot laterally.

Windows-centric IT departments face a blind spot. The attack unfolds entirely on the network device—endpoint detection on Windows servers won’t see the initial SNMP Set-Request or the TFTP transfer. Unless device telemetry, firewall logs, and SNMP traps feed into your SIEM, you’ll miss the intrusion until it’s too late.

Small businesses and home-lab enthusiasts running Cisco or other managed routers are not immune. Exposed management interfaces on consumer-grade equipment are routinely scanned, and a compromised home router can become a pivot point for larger campaigns.

The Backstory of Neglected Protocols

This isn’t a new zero-day. The advisory breathes urgency into hardening practices that have been recommended for years:

  • 2017: NSA warned about Cisco Smart Install misuse.
  • 2022: NSA released best practices for Cisco password types.
  • 2023: NSA published its Network Infrastructure Security Guide.
  • 2025: FBI alert I-082025-PSA flagged Russian targeting of networking devices.
  • July 13, 2026: AA26-194A consolidates these threads with fresh indicators and an international coalition.

SNMPv1 and v2 remain prevalent because they are simple to configure, but their lack of encryption and authentication makes them trivial to abuse. Similarly, Cisco Smart Install, while convenient, listens on TCP/4786 by default and offers no authentication. Every unpatched, end-of-life router is a liability.

Your Action Plan Starts Now

CISA and partners recommend immediate steps to reduce exposure. Prioritize them in this order:

  1. Disable Cisco Smart Install on every device. Check running configs for service config and smart-install remnants, then verify that TCP/4786 is no longer reachable from outside.
  2. Kill SNMPv1 and v2. Replace them with SNMPv3 configured for authPriv using the strongest encryption your device supports. Test that legacy polling fails and that authorized monitoring still works.
  3. Restrict management access. Apply ACLs so that SNMP, TFTP, and SMI are only reachable from designated management hosts—ideally on an out-of-band network. Deny external traffic to UDP/161, UDP/162, TCP/4786, UDP/69, and UDP/10161-10162 at the edge firewall.
  4. Implement MIB allow-listing. Limit the OIDs that each SNMPv3 user can access. The Cisco Config Copy OIDs above should be explicitly blocked for most accounts.
  5. Deploy detection rules. Configure your IDS/IPS or SIEM to alert on:
    - Inbound SNMP Set-Requests containing the two listed OIDs from any host outside your management inventory.
    - The server address OID pointing to an unapproved destination.
    - Outbound TFTP sessions from the same device within a short window.
    - Filenames “config.bkp” or “output.txt” appearing in transfer logs.
  6. Audit Cisco password types. Replace any Type 0, 4, or 7 passwords with Type 8. Pull a fresh config, scan for enable secret and username lines, and validate the hashing algorithm.
  7. Integrate device logs into your security operations. Forward authentication events, SNMP access logs, and transfer records to your SIEM. Correlate them with firewall and endpoint data to spot the full kill chain.
  8. Patch and replace. Apply the latest firmware to all supported devices. For end-of-life gear, create a hard deadline for replacement; don’t rely on firewall rules as a permanent fix.

A quick-impact checklist:

Action Immediate Priority Verification
Disable Smart Install High Scan TCP/4786 externally
Disable SNMPv1/v2 High Attempt legacy SNMP poll
Block management ports at firewall High Repeat external scan
Deploy OID-specific alerts Medium Trigger a test alert
Audit Cisco passwords Medium Check config for Type 8
Replace EOL devices Long-term Inventory and schedule

The Road Ahead

AA26-194A emphasizes that these measures counter not only FSB Center 16 but also other threat actors like Salt Typhoon. The operational discipline of shutting down unnecessary services, segmenting management traffic, and auditing configurations will pay dividends far beyond this advisory.

After you’ve buttoned up the initial holes, shift to continuous verification. Schedule monthly external scans of your public IP space. Automate configuration drift detection against an approved baseline stored outside the device. And treat any unscheduled config copy or transfer as a full security incident—because in this game, a single misstep hands the attacker a map to your kingdom.