The US government warns that Russia state hackers are coming after your router

Ars Technica News

Summary

The US government warns that Russian state hackers are targeting poorly configured home and small office routers to build botnets for cyber attacks against critical infrastructure, with CISA issuing a joint advisory.

<p>The federal government is warning users of home and small office routers to secure their devices as Russia state hackers continue to mass-compromise them for use in obscuring nefarious actions against sensitive organizations in the public and private sectors.</p> <p>Both the <a href="https://arstechnica.com/security/2026/04/russias-military-hacks-thousands-of-consumer-routers-to-steal-credentials/">Russian</a> and <a href="https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/">Chinese</a> governments have been compromising routers for years, sometimes in <a href="https://arstechnica.com/security/2024/05/hacker-free-for-all-fights-for-control-of-home-and-office-routers-everywhere/">prolonged tugs-of-war</a> to wrest control of devices the other has already commandeered. The US government has occasionally issued <a href="https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/">covert commands</a> and taken other steps to disinfect routers. Google and other companies have also <a href="https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network">worked</a> to <a href="https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks">disrupt</a> the massive botnets that control compromised routers in lockstep. The actions to date are little more than whack-a-mole exercises as the operators simply replace their botnets with new ones.</p> <h2>Proxy networks: The go-to tool</h2> <p>“Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks,” the Cybersecurity and Infrastructure Security Agency <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a">said</a> Monday. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from around the world, including Australia, Denmark, New Zealand, and the UK.</p><p><a href="https://arstechnica.com/security/2026/07/the-us-government-warns-that-russia-state-hackers-are-coming-after-your-router/">Read full article</a></p> <p><a href="https://arstechnica.com/security/2026/07/the-us-government-warns-that-russia-state-hackers-are-coming-after-your-router/#comments">Comments</a></p>
Original Article
View Cached Full Text

Cached at: 07/14/26, 04:16 AM

# The US government warns that Russia state hackers are coming after your router Source: [https://arstechnica.com/security/2026/07/the-us-government-warns-that-russia-state-hackers-are-coming-after-your-router/](https://arstechnica.com/security/2026/07/the-us-government-warns-that-russia-state-hackers-are-coming-after-your-router/) The federal government is warning users of home and small office routers to secure their devices as Russia state hackers continue to mass\-compromise them for use in obscuring nefarious actions against sensitive organizations in the public and private sectors\. Both the[Russian](https://arstechnica.com/security/2026/04/russias-military-hacks-thousands-of-consumer-routers-to-steal-credentials/)and[Chinese](https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/)governments have been compromising routers for years, sometimes in[prolonged tugs\-of\-war](https://arstechnica.com/security/2024/05/hacker-free-for-all-fights-for-control-of-home-and-office-routers-everywhere/)to wrest control of devices the other has already commandeered\. The US government has occasionally issued[covert commands](https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/)and taken other steps to disinfect routers\. Google and other companies have also[worked](https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network)to[disrupt](https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks)the massive botnets that control compromised routers in lockstep\. The actions to date are little more than whack\-a\-mole exercises as the operators simply replace their botnets with new ones\. ## Proxy networks: The go\-to tool “Russian Federal Security Service \(FSB\) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks,” the Cybersecurity and Infrastructure Security Agency[said](https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a)Monday\. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra\. The advisory was co\-issued by governments from around the world, including Australia, Denmark, New Zealand, and the UK\. The primary means of compromise the agency warned about was hackers scanning IP ranges with active Simple Network Management Protocol \(SNMP\) agents that accept common or default authentication credentials\. These scans are run by the very sorts of router botnets the actors are trying to enroll the targeted device in\. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware\. SNMP[allows](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)users to collect and organize information about managed networking devices or to modify that information to change device behavior\.

Similar Articles

Russia Hacked Routers to Steal Microsoft Office Tokens

Krebs on Security

Russian state-backed hackers (Forest Blizzard/APT28) used known vulnerabilities in old routers to hijack DNS settings and steal OAuth authentication tokens from Microsoft Office users, compromising over 200 organizations and 5,000 consumer devices without deploying malware.

Cybercriminals Are Making Powerful Hacking Tools With AI, Google Warns

Reddit r/artificial

Google warns that cybercriminals and nation-state actors are increasingly using AI to rapidly develop sophisticated hacking tools, including the first confirmed AI-generated zero-day exploit. The report highlights how AI lowers the technical barrier for cyberattacks, enabling even low-skilled hackers to execute complex operations.

Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Krebs on Security

U.S., Canadian, and German authorities have dismantled four IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that compromised over three million devices and launched record-breaking DDoS attacks, including against the Department of Defense.

Anti-DDoS Firm Heaped Attacks on Brazilian ISPs

Krebs on Security

KrebsOnSecurity reports that a Brazilian anti-DDoS firm, Huge Networks, was compromised and its infrastructure used to launch massive DDoS attacks against other Brazilian ISPs via a botnet of insecure routers and DNS servers.