Full Report
State-sponsored attackers are targeting critical infrastructure networks in defense, communications, energy, finance, government and health care. The post Officials once again warn defenders that Russian hackers are targeting network devices appeared first on CyberScoop.
Analysis Summary
# Threat Actor: FSB Center 16 (Berserk Bear)
## Attribution & Identity
* **Identification:** Russian Federal Security Service (FSB) Center 16.
* **Known Aliases:** Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, Static Tundra.
* **Associated Groups:** Linked to Russian state-sponsored intelligence services.
## Activity Summary
* **Long-term Operations:** Actively targeting global critical infrastructure for more than a decade.
* **Poland Energy Grid (Dec 2025):** Attributed by the European Union for an attack on Poland’s power infrastructure during winter.
* **Ongoing Campaigns (2026):** Subject of a joint cybersecurity advisory by the U.S. and 12 partner nations regarding the sustained exploitation of network devices for long-term espionage.
## Tactics, Techniques & Procedures
* **Internet Scanning:** Massive scanning for vulnerable routers and networking devices exposed to the public internet.
* **Credential Exploitation:** Utilizing default or weak passwords on administrative interfaces.
* **Vulnerability Exploitation:** Leveraging N-day vulnerabilities in networking equipment and web portals.
* **Feature Misuse:** Exploiting the Cisco Smart Install (SMI) feature to gain unauthorized access.
* **Persistence:** Targeting end-of-life (EoL) devices to maintain long-term access within secure environments.
* **MITRE ATT&CK Indicators:**
* **CVE-2018-0171:** Cisco Smart Install Remote Code Execution vulnerability.
* **CVE-2008-4128:** Older vulnerability in Cisco devices used for initial access/reconnaissance.
## Targeting
* **Sectors:** Defense Industrial Base (DIB), Communications, Energy, Financial Services, Government Facilities, and Healthcare.
* **Geography:** Global (specifically mentioned: United States, Poland, United Kingdom, Canada, Australia, New Zealand, Czech Republic, Denmark, Estonia, Finland, France, Italy, and Sweden).
* **Victims:** Critical infrastructure networks and Polish energy grid.
## Tools & Infrastructure
* **Primary Targets:** Cisco networking devices and routers.
* **Infrastructure Features:** Cisco Smart Install feature used as a vector for configuration manipulation.
* **C2/Nodes:** Not specific IPs mentioned in the text, but the group utilizes compromised network devices as part of their operational infrastructure.
## Implications
* **Strategic Threat:** The actor’s focus on energy and critical infrastructure suggests a goal of pre-positioning for disruptive attacks (e.g., the Poland energy grid incident) or high-level strategic espionage.
* **Persistent Threat:** The group’s ability to exploit decade-old vulnerabilities indicates a significant gap in global patch management and hardware lifecycle hygiene.
## Mitigations
* **Disable Unused Features:** Immediately disable **Cisco Smart Install** on all routers and switches where it is not required.
* **Authentication Hygiene:** Implement strong, unique passwords and transition to multi-factor authentication (MFA) for device management.
* **Configuration Management:** Monitor for unusual credentials or the creation of unauthorized local accounts.
* **Patching:** Prioritize remediation of CVE-2018-0171 and retire end-of-life (EoL) networking hardware that no longer receives security updates.
* **Network Audits:** Use the technical details provided in the joint advisory to scan for indicators of compromise (IoCs) on boundary devices.