Tue 14 Jul 2026 / 09:28 ET
Kernel
Internet 3 min read

US warns Russian state hackers are hijacking routers as proxies

CISA says FSB-linked groups are exploiting poorly configured networking gear to mask attacks on sensitive public and private networks.

June Castellano

By June Castellano / Platforms & Power Reporter

US warns Russian state hackers are hijacking routers as proxies
img: Ars Technica

US cybersecurity officials are warning owners of home and small-office routers to lock down their gear because Russian state-backed hackers are still turning those devices into cover for attacks on more sensitive targets.

The Cybersecurity and Infrastructure Security Agency said Monday that hackers tied to Russia’s Federal Security Service, specifically FSB Center 16, are exploiting vulnerable and poorly configured networking devices around the world. CISA said the same activity has hit multiple critical infrastructure sectors.

“Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks,” CISA said in an advisory co-issued with agencies from Australia, Denmark, New Zealand and the UK.

The groups involved are tracked under several names, according to CISA, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra. Those labels matter less to a router owner than the job the compromised box performs: it becomes a convenient hop in a proxy network, making malicious traffic look like it came from an ordinary residential or small-business internet connection rather than Russian state infrastructure.

Routers make useful cover

Routers are attractive targets because many sit exposed for years with weak settings, old firmware or known bugs. Once compromised, they can be folded into botnets that route traffic for credential theft, intrusion attempts or other operations against public- and private-sector organizations. The hacked router is not necessarily the final target. It is often plumbing.

CISA’s warning fits a pattern that US officials and security companies have been tracking for years. Russian and Chinese government-linked operators have both compromised routers at scale, and at times have fought over the same devices after one side had already taken control. The result is a grim little landlord dispute inside consumer networking hardware.

The US government has previously taken more direct action, including issuing covert commands to disinfect compromised routers. Google and other companies have also worked to disrupt botnets built from hijacked residential and small-office devices. Those efforts have had limits. According to prior reporting and public accounts of those operations, operators often rebuild by enrolling fresh devices after takedowns.

The practical warning from the government is narrower than the geopolitics: users of home and small-office routers should secure those devices. CISA’s advisory points to the same basic failure mode behind many of these campaigns, poorly configured and vulnerable networking equipment left reachable long enough for state operators to conscript it.

That makes the router in a closet or under a desk part of a larger problem. It may still pass Netflix traffic and Zoom calls as usual, while also helping hide activity aimed at critical infrastructure or other sensitive networks. For attackers, that is the appeal. For everyone else, it is another reason the cheap box at the edge of the network deserves more attention than it usually gets.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗