Russian router campaign reaches the defence factory edge

Russian router campaign reaches the defence factory edge

Allied agencies warn Russian operators are targeting defence network edges. The campaign places asset visibility, router configuration, supplier access, unsupported hardware, and production continuity inside the same industrial-security problem.


IN Brief:

  • UK and allied agencies have warned that Russia’s FSB Centre 16 is targeting network-edge equipment.
  • Defence, communications, energy, government, finance, and healthcare organisations are among the exposed sectors.
  • Manufacturers need stronger inventories, secure management protocols, patching, credential control, segmentation, and supplier assurance.

UK and allied cyber authorities have warned defence manufacturers and critical-infrastructure operators to strengthen routers and other network-edge equipment against continuing activity associated with Russia’s FSB Centre 16.

The joint advisory was issued by the National Cyber Security Centre and partner agencies across 12 countries. The responsible group is also tracked under names including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, Static Tundra, and Crouching Yeti.

Targets span defence, communications, energy, finance, government, and healthcare, with attackers concentrating on internet-facing infrastructure that may sit outside the most closely monitored areas of an organisation’s security estate.

Scanning activity seeks default or weak Simple Network Management Protocol credentials, exposed Smart Install services, known Cisco vulnerabilities, obsolete web-management functions, and devices that remain connected after vendor support has ended.

Within a defence manufacturer, the vulnerable router may serve a warehouse, test building, satellite office, supplier connection, remote-maintenance point, or older production facility rather than a classified engineering room. Its distance from the most sensitive systems often leaves ownership and monitoring unclear.

Compromised edge equipment can support reconnaissance, traffic interception, credential theft, persistent access, and movement towards internal networks. It can also route later malicious activity through a legitimate organisation, concealing the attacker’s origin.

Manufacturing estates are particularly difficult to secure because equipment remains operational for long periods. A factory may combine modern enterprise systems with operational technology, specialist test rigs, vendor-maintained machinery, old production cells, and network devices installed during several generations of expansion.

Replacing an office router is usually straightforward, whereas replacing equipment connected to test systems, quality records, process controls, or remote vendor support may require planned downtime, revalidation, and coordination among engineering, IT, programme security, and suppliers.

Production pressure encourages deferral. Devices remain online because they continue to perform their basic function, while configuration changes are postponed in case they interrupt output. That effort to preserve stability creates a predictable pool of equipment using weak protocols or unpatched software.

The NCSC has recommended moving to SNMPv3, disabling legacy SNMP where it is unnecessary, applying unique credentials, restricting management access, updating software, and replacing unsupported equipment. Applying those measures across a dispersed industrial group begins with an accurate inventory.

Acquisitions, joint ventures, temporary facilities, locally managed sites, and contractor-installed equipment can leave several competing inventories, none of which reflects the full estate. Model, location, firmware, support status, configuration owner, and operational purpose need to be recorded consistently.

Responsibility frequently falls between organisational boundaries. Corporate IT may regard a device as plant equipment, engineering may view it as part of the communications service, and the machine vendor may assume the customer manages security. Attackers do not need to resolve that ambiguity before exploiting it.

The same structural weakness appeared in state-linked campaigns using routers, firewalls, and other unmanaged devices to build large proxy networks, examined in the coverage of China-linked botnets targeting UK defence organisations. Different operators are finding value in the same neglected layer of infrastructure.

Network hardware should consequently be treated as part of the production baseline. Firmware, credentials, management interfaces, physical location, support dates, and configuration changes deserve controls comparable to those applied to critical manufacturing equipment.

Procurement practices can undermine that discipline. Low-cost routers and switches may enter a site through local purchasing, machine installations, project teams, temporary buildings, or subcontractor work, producing a mixture of models and management methods.

Approved equipment lists and hardened configuration templates reduce variation, although they need enough flexibility to support engineering projects without encouraging users to bypass central processes. Fast access to an approved alternative is often more effective than a prohibition that delays production.

Remote maintenance creates another exposed route. Specialist machinery manufacturers may require access because the necessary expertise is scarce or located overseas. Those connections should be authenticated, monitored, time-limited, and separated from broader factory networks.

Segmentation can contain a compromised device, but diagrams alone provide little assurance. Shared credentials, management services, backup links, cloud connections, and vendor accounts can quietly bridge supposedly separate zones.

Monitoring should extend to the perimeter equipment itself. New management sessions, unexpected configuration changes, abnormal outbound traffic, and attempts to reach internal systems may reveal intrusion, provided devices produce logs and somebody is responsible for reviewing them.

Cybersecurity and manufacturing assurance increasingly overlap. An intrusion can expose drawings, export-controlled data, production schedules, test results, supplier payments, software loads, or quality records, while disruption to network services can stop production without touching an industrial controller directly.

Small suppliers often lack a dedicated security operations centre, yet they remain connected to primes, government portals, shared engineering environments, and programme data. Maintained asset lists, supported hardware, managed monitoring, secure cloud services, and clear escalation routes provide a more realistic baseline than complex controls that cannot be staffed.

Prime contractors also have a role beyond adding clauses to supplier agreements. Shared tooling, practical guidance, threat notifications, and support for remediation can improve the resilience of companies whose specialist manufacturing capability may be difficult to replace.

The campaign relies heavily on known vulnerabilities, old protocols, and weak credentials rather than a single exceptional exploit. Persistent scanning allows attackers to find the minority of devices that remain exposed across a very large population.

Defence manufacturers already invest in controlled facilities, vetted personnel, secure engineering networks, and programme accreditation. Those measures lose value when an unsupported router at the edge offers a quieter path into the organisation.


  • Caterpillar joins the Army’s autonomous breaching contest

    Caterpillar joins the Army’s autonomous breaching contest

    Four teams will develop autonomous breaching systems for the Army. The programme combines heavy machinery, robotic vehicles, modular tools, and beyond-line-of-sight control ahead of an operational assessment planned for 2027.


  • T-7A modernisation arrives before production settles

    T-7A modernisation arrives before production settles

    The US Air Force is planning early T-7A capability upgrades. Navigation resilience, collision avoidance, flight-control changes, emergency support, and cockpit improvements must be introduced while production, certification, and fleet entry continue.