Forgot your password?
typodupeerror
Security Government Privacy United States Wireless Networking

US Government Warns That Russia State Hackers Are Coming After Your Router (arstechnica.com) 34

CISA and allied governments are warning users to secure their routers as Russian state-backed hackers continue compromising the devices and turning them into proxy nodes to disguise attacks against critical infrastructure. The advisory urges users to disable outdated SNMP versions, use strong passwords, update firmware, and turn off unnecessary router services to reduce the risk of being swept into these botnets. Ars Technica reports: "Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks," the Cybersecurity and Infrastructure Security Agency said Monday. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from around the world, including Australia, Denmark, New Zealand, and the UK.

The primary means of compromise the agency warned about was hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very sorts of router botnets the actors are trying to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware. SNMP allows users to collect and organize information about managed networking devices or to modify that information to change device behavior.

With control of a device, the hackers then use it as an exit node when probing or attacking targets in the communications, defense, energy, financial services, and government sectors. By funneling the malicious traffic through a benign-appearing device on a trustworthy IP address, the attackers are able to lower the chances of getting blocked by firewalls and other security defenses. Monday's advisory made no mention of identical operations carried out in recent years by China. So-called residential proxies are also a go-to tool used by financially motivated criminal hackers to obscure their true IP address. In many cases, these sorts of proxies are made up of millions of streaming devices that are sold with preloaded malware.

US Government Warns That Russia State Hackers Are Coming After Your Router

Comments Filter:
  • standard practice (Score:3, Informative)

    by DrMrLordX ( 559371 ) on Monday July 13, 2026 @06:04PM (#66237018)

    Aren't vulnerable routers the backbone of most botnets?

    • This is more about slipping through your firewall and getting unauthenticated snmp info, to learn more and eventually get to data. This is nothing new.

  • by sdinfoserv ( 1793266 ) on Monday July 13, 2026 @06:17PM (#66237030)
    Nothing new here, it's been going on for years. But it gives Lord Trumpkin and his butt sucking lackies another talking to point to distract from the Epstein files.
  • by Gravis Zero ( 934156 ) on Monday July 13, 2026 @06:23PM (#66237040)

    Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide

    My only question is why the state isn't proactively identify and deactivating such devices. Seriously, if your shitty device is a threat then I see no reason that it cannot also be forcibly taken offline. People will not give a damn about security no matter how much you implore them (they haven't for decades), so it's time for the stick.

    • by sarren1901 ( 5415506 ) on Monday July 13, 2026 @06:43PM (#66237064)

      Don't the ISPs own the wires? If so, then I would expect the state to first tell the ISP to clean up their properties. Have them show due diligence in getting their customers to update or replace (with what, from who?) their router before eventually kicking it off the network.

      My last cable ISP supplied a router/modem combo that they could configure to be secure by default. For the most part, it was. It didn't have a lot of features and I didn't care for it's overall design but it did work.

      My current ISP is starlink and they provide the receiver and router as well.

      I imagine the vast majority of router's that are Internet/ISP facing are issued by ISPs themselves as your average user doesn't go buy their own. Even us nerds, we buy our own but depending on our ISP, it's still behind their router/modem device in the path from client to Internet.

      So if ISPs are issuing the majority of devices, it would make the most sense for the state to be working with these ISP on updating the default settings and pushing out updates or otherwise helping customers update their gear. Let's hop to it people!

      • by PPH ( 736903 )

        Even us nerds, we buy our own but depending on our ISP, it's still behind their router/modem device in the path from client to Internet.

        In which case, the most an ISP can do if they detect an unsecured device on the customer side of their modem is to cut off service.

        Lots of Windows systems will be going dark soon. Too bad you didn't upgrade when the latest OS release came down the pipe. Your new system will be available as soon as we find some DRAM.

    • It seems like government overreach to go after commercial routers. National security has to be related to the military or government in some way. Their systems should stop the bots rather than banning commercial routers. They have no right to simply declare certain routers to be insecure. Companies can corruptly bribe an administration to allow their routers and block their competitors.
    • by Anonymous Coward

      The psy-ops guys would have a field day with that. "OMG, the US government is killing your internet". It also opens up a can of worms. Next stop after that is NAC, where to be allowed onto an ISP, your router has to pass measured checks... which means no F/OSS routers, but closed source, jailbreak-proof ones... and NAC can easily turn from "checking for latest OS" to active filtering and logging with MITM SSL interception.

  • I am glad I finally retired my older Asus router last year, even though it was running a reflash, and installed a Unifi gateway at home. They seem to be very good with updates. I even turned on the Threat Detection and Blocking (Intrusion Prevention). Then also GeoBlocking (yes, I know they can work around that, but why make it easy?) The nice thing is this little box does everything I had before and TONS more, including running cameras, with no cloud-dependencies and no recurring fees.

    Alas, my contribu

    • Re:Upgrade (Score:4, Informative)

      by Kernel Kurtz ( 182424 ) on Monday July 13, 2026 @07:47PM (#66237134)

      I am glad I finally retired my older Asus router last year, even though it was running a reflash, and installed a Unifi gateway at home. They seem to be very good with updates. I even turned on the Threat Detection and Blocking (Intrusion Prevention). Then also GeoBlocking (yes, I know they can work around that, but why make it easy?) The nice thing is this little box does everything I had before and TONS more, including running cameras, with no cloud-dependencies and no recurring fees.

      Unifi has had several CVSS 10.0 vulnerabilities lately. Quite a lot of those devices are unfortunately still ending up part of botnets.

      https://www.bleepingcomputer.c... [bleepingcomputer.com]

      And a new one last week...

      https://thehackernews.com/2026... [thehackernews.com]

      Nice hardware, but the cloud services bring their own risks.

      • >"Unifi has had several CVSS 10.0 vulnerabilities lately. Quite a lot of those devices are unfortunately still ending up part of botnets. "

        All platforms have vulnerabilities, unfortunately. But from what I can tell, all of those are from the inside. Not from the outside. Every one of them is "with access to the network." So these are not things that are going to give outside attackers the direct ability to break into a Unifi controller on the outside of its firewall.

  • by Anonymous Coward

    There are two countries I am NOT worried about and that is Russia and China, because whatever they find out about me they won't give to the USA. The USA on the other hand will abuse all the information they can get to deprive me of my liberties.

    Anyway sounds like "the lady doth protest too much" to me. As a good loyal subject I'll be sure to replace my router with one with NSA-approved(R) firmware, right away, sir.

  • So, just how are ISP customers, which are provided routers by their ISP, supposed to do this? Shouldn't it be mandated that ISPs are responsible for updating and securing routers? I realize that some ISP customers are tech saavy and wish to configure the routers themselves. For those users a simple opt-out will do. For the remaining 99.999% of users the ISP should be handling this, right?

  • We were doing this decades ago :
    https://www.businessinsider.co... [businessinsider.com]

  • I don't have time to keep track of security updates for my router, apply them, and check now and then to make sure it hasn't been compromised. Comcast has the infrastructure and people to do it all themselves. I don't have to think about it at all.

    Of course it's probably the only thing Comcast can do right, but I think most people on Slashdot have heard that story a million times so I won't go there!

  • That's what I get when trying to access www.cisa.gov from Firefox (currently supported ESR version). Of course it works fine in web browsers from deep-pocketed cowtowing corporate companies. Makes you wonder. Hmmm.

  • Any router running SNMP or a web interface configured to listen on the external (WAN) port should be considered defective and replaced (or reflashed to sane non-braindead firmware). Home networks don't need SNMP at all, and business networks not using enterprise-grade equipment probably don't need it with write enabled. The only access to the router from the WAN side should be SSH using public-key authentication, and that only if you absolutely need it (you probably don't). That solves the vast majority of

  • DOH - don't connect your critical infrastructure directly to the Internet - DOH
  • ...but im going to go ahead and be more worried about one of the US governments 17 intelligence agencies sucking up all my data and storing it in a Utah data center until they feel like prosecuting me for something while lying to anyone with a concern about their intent. Thomas Drake, Mark Klein, and Edward Snowden amongst many others deserve medals.

He's like a function -- he returns a value, in the form of his opinion. It's up to you to cast it into a void or not. -- Phil Lapsley

Working...