- What: NSA, FBI, CISA and 15 allied agencies issued a joint advisory on Russian FSB Center 16 operators (Berserk Bear / Energetic Bear / Dragonfly / Static Tundra) who scan for internet-exposed network devices, exploit Cisco Smart Install, and steal device configurations over TFTP.
- Impact: Stolen running-configs hand the FSB credentials, VPN secrets, SNMP strings and full network topology for energy, communications, defense, healthcare, financial and government networks, enabling quiet long-term persistence rather than a noisy breach.
- Fix / mitigation: Patch or disable Cisco Smart Install (CVE-2018-0171), move from SNMPv1/v2c to SNMPv3 with unique credentials, block SNMP and TFTP at the edge, and replace end-of-life gear that can no longer be patched.
- Who's at risk: Any operator running internet-reachable Cisco IOS/IOS XE switches and routers, especially in critical infrastructure, and anyone who never turned off Smart Install after the 2018 disclosure.
Eighteen government agencies from nine countries just published a joint advisory telling you to patch a Cisco bug that was disclosed in 2018. That should tell you everything about how this campaign works. Russia's FSB Center 16, tracked variously as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, is not burning zero-days against critical infrastructure. It is scanning the internet for network devices that were never hardened, pulling their configuration files, and walking in through the front door.
NSA, FBI and CISA led the advisory alongside partner agencies in Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France and Italy. The named target sectors are energy, communications, defense industrial base, healthcare, financial services and state and local government. Confirmed exploitation of the primary vulnerability goes back to at least November 2021, meaning this tradecraft has had roughly five years to accumulate access that defenders have not found.
The Access Path Is Boring, Which Is Why It Works
The operation starts with mass scanning of internet-connected IP ranges looking for routers and switches that answer SNMP queries with default or weak community strings. 'public' and 'private' still work in 2026. Once a device responds, the actors issue commands from spoofed source IP addresses to trick the device into copying its own configuration and pushing it out via TFTP to actor-controlled servers. TFTP has no authentication and no encryption, which is exactly why it is convenient for this.
In parallel, the group exploits CVE-2018-0171, the critical Cisco IOS and IOS XE Smart Install flaw. Smart Install is a zero-touch provisioning feature that is enabled by default on many switch platforms and listens on TCP/4786. If it is reachable from the internet, an unauthenticated attacker can trigger a buffer overflow and execute code or force config disclosure. Cisco published the fix eight years ago. The FSB is still finding devices that never took it.
Why the Config File Is the Real Prize
Losing a router config is not the same as losing a router. A running-config is a map and a keyring at the same time. Depending on the device, it can hand an adversary local account hashes, TACACS and RADIUS shared secrets, IPsec pre-shared keys, SNMP community strings, ACLs that describe your trust boundaries, routing peers, management subnets and interface descriptions that literally label which VLAN belongs to which substation or plant.
That is why this campaign should be read as pre-positioning, not theft. The FSB is not exfiltrating gigabytes of data and tripping DLP alerts. It is quietly building an accurate picture of allied critical infrastructure networks and collecting the credential material needed to return later, on demand, without exploiting anything at all.
If TCP/4786 was internet-reachable at any point since November 2021, or if your edge devices answered SNMPv1/v2c with a guessable community string, treat every credential in those configs as burned. Patching now does not rotate the TACACS keys, VPN pre-shared keys and local passwords the actors already have. Rotate them, then hunt for the reuse.
Detection: Look for the Copy, Not the Exploit
The exploit itself is fast and may be long gone from your logs. The behavioral artifacts are more durable. Focus hunting on the following:
- Outbound TFTP (UDP/69) from network infrastructure to any external destination. There is almost never a legitimate reason for a production edge router to TFTP a file to the internet.
- Inbound connections to TCP/4786 (Smart Install) from outside your management network, and any Smart Install client activity on devices you never intended to provision that way.
- SNMP GET/SET traffic from unexpected source addresses, particularly spoofed sources, and any SNMP write access that should not exist.
- Unexplained 'copy running-config' or 'copy startup-config' events, config archive gaps, and TFTP/FTP server definitions added to device configs.
- New or modified local accounts, ACL changes, GRE tunnels or altered TACACS server entries on edge devices, which indicate the actors moved from collection to persistence.
The Mitigation List Is Short and Old
The advisory's guidance is not novel, and that is the point. Disable Smart Install entirely with 'no vstack' unless you are actively provisioning, and confirm it stays off after reboots and image upgrades. Retire SNMPv1 and SNMPv2c in favor of SNMPv3 with authentication and encryption. Where SNMP must remain, enforce unique, strong community strings and lock access to an explicit ACL of management hosts. Block SNMP and TFTP inbound and outbound at edge firewalls.
Then do the part nobody wants to fund: update firmware across the fleet and replace end-of-life devices. A switch that no longer receives Cisco software maintenance is a permanent hole in the perimeter, and Center 16 has demonstrated a five-year appetite for finding exactly those.
Most organizations that get hit here are not negligent about servers. They are negligent about switches. Endpoint fleets have EDR, patch SLAs and an owner; the network layer often has none of the three. Put edge and core network devices under the same vulnerability management, config-drift monitoring and credential rotation program you already run for hosts, and this entire class of intrusion collapses.
What to Do This Week
Inventory every Cisco IOS and IOS XE device with any path to the internet and confirm the CVE-2018-0171 patch state. Scan your own external ranges for TCP/4786 and UDP/161 before someone else does. Pull current configs and diff them against your last known-good archive, looking for the persistence indicators above. Rotate device credentials and shared secrets if exposure is plausible, and put an expiry date on the end-of-life hardware still sitting at your perimeter.
Eighteen agencies do not co-sign an advisory about an eight-year-old vulnerability because it is academically interesting. They do it because the access is real, it is ongoing, and it is sitting inside networks that keep the lights on. The fix has existed since 2018. Nothing is stopping you from applying it except the fact that nobody has been made responsible for it.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us