Breaking: Russian FSB Targeting Critical Infrastructure Routers Worldwide — 15 July 2026
Russian FSB Targeting Critical Infrastructure Routers Worldwide — Joint CSA
CISA, NSA, FBI, DC3, and 14 international partners have released a joint cybersecurity advisory warning that Russian Federal Security Service (FSB) Center 16 actors are actively exploiting vulnerable and poorly configured networking devices to infiltrate critical infrastructure across communications, energy, financial services, government, healthcare, and defense sectors globally.
The advisory, "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting," builds on the FBI's August 2025 public service announcement attributing this activity to the FSB. It is not a theoretical risk assessment. The FBI's Assistant Director for Cyber Division, Brett Leatherman, stated that Russian state-sponsored actors "have spent years quietly extracting configuration data from poorly configured routers across critical infrastructure." Years. Quietly. Extracting.
The co-sealing partners tell you the scope: Australia, Canada, New Zealand, UK, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland, and Sweden. The European presence is significant. The FSB is not just targeting US entities. European energy, government, and financial infrastructure are in the crosshairs. If you operate critical infrastructure in any of these countries, this advisory is addressed to you.
The tradecraft is straightforward but effective. FSB Center 16 leverages poorly configured routers as initial access vectors, exploiting CVEs where available and misconfigurations where they are not. Once inside, they extract device configurations, route traffic, and establish persistent access to facilitate further operations across the target network. The advisory does not name specific CVEs but references known vulnerability exploitation patterns consistent with historical FSB activity.
Mitigations focus on the fundamentals that most organisations still get wrong: restrict management interface access, adopt strong authentication and encryption for network devices, secure internet-facing systems, and actively monitor for suspicious configuration changes and unusual traffic patterns. None of this is new advice. The urgency is in the confirmed, sustained, multi-year campaign behind it.
The timing matters. This advisory lands the same week as the SonicWall SMA1000 zero-day exploitation (CVSS 10.0, active in the wild, on CISA KEV with a July 17 deadline) and the largest Patch Tuesday in Microsoft's history with two actively exploited zero-days. Network perimeter devices are under simultaneous attack from nation-state actors and opportunistic threat groups. Router hygiene is not a hygiene issue. It is the perimeter, and it is being systematically harvested.
So What / Action
Audit every internet-facing network device immediately. Not just routers: switches, VPN concentrators, load balancers, anything with a management interface exposed or reachable from outside. Check for configuration changes you did not make, unexpected admin sessions, and traffic to destinations that do not belong. Implement the mitigations in the joint CSA. If you operate critical infrastructure in any of the 14 partner nations, treat this as a direct warning. The FSB has been inside these networks for years. Assume persistence until you prove otherwise.
This is also the moment to reconcile your patch posture on perimeter devices with this week's SonicWall and Microsoft zero-days. Three separate attack vectors converging on the network edge in the same seven-day window is not coincidence. It is the operational environment now.

