Cybersecurity agencies from the United Kingdom, the United States, Australia, Canada, and several allied nations have issued a joint warning about an ongoing Russian cyber campaign targeting critical infrastructure organizations worldwide.
New reporting from Cybersecurity News highlights that the activity has been attributed to Russian Federal Security Service (FSB) Center 16, also tracked under names such as Berserk Bear, Dragonfly, Crouching Yeti, Energetic Bear, Ghost Blizzard, and Static Tundra. According to the advisory, the attackers are compromising poorly secured networking devices to gain long-term access into critical infrastructure environments.
Rather than exploiting sophisticated zero-day vulnerabilities, the campaign focuses on taking advantage of weak security practices that still exist across many enterprise and operational networks.
According to the advisory, the attackers begin by scanning internet-facing infrastructure for vulnerable networking devices.
Their primary targets include routers and network appliances that:
Instead of attacking endpoints directly, the attackers first compromise the network infrastructure that connects them.

Once access is obtained, the attackers retrieve router configuration files containing valuable network information.
The advisory explains that these configuration files may contain:
This intelligence helps attackers better understand the victim’s environment before moving deeper into the network.
Why Routers Have Become Prime Targets
Routers rarely receive the same attention as endpoints or servers, yet they occupy one of the most privileged positions inside an enterprise network.
Compromising a router allows attackers to:
Because networking devices often operate continuously for years with limited monitoring, they can become ideal persistence points for nation-state actors.
One of the most notable aspects of this campaign is that it relies primarily on misconfigurations rather than advanced exploits.
According to the advisory, the attackers abuse:
This demonstrates that many successful nation-state operations continue to exploit basic security weaknesses instead of relying exclusively on sophisticated malware.
Protecting critical infrastructure requires continuous visibility across network devices, authentication events, endpoint activity, and infrastructure communications.
Seceon’s aiSIEM / CGuard helps organizations:
By correlating activity across the environment, Seceon helps expose long-term reconnaissance and persistence attempts that might otherwise remain unnoticed.
Seceon’s aiXDR-PMax extends visibility beyond the network by helping detect:
This enables security teams to detect attackers as they transition from network infrastructure into enterprise systems.
Because the advisory specifically focuses on critical infrastructure organizations, Seceon’s aiSecOT 360 provides additional visibility into operational environments by helping organizations:
This is especially valuable for sectors such as energy, utilities, transportation, manufacturing, and other organizations operating critical infrastructure.

The joint advisory from the UK and its allies reinforces an important cybersecurity lesson. Nation-state actors do not always rely on sophisticated exploits to achieve their objectives. In many cases, weak configurations and overlooked infrastructure provide everything they need.
As networking devices continue serving as the backbone of enterprise and critical infrastructure environments, they must receive the same level of monitoring and security attention as endpoints and servers.
Organizations that continuously monitor infrastructure behavior, harden network devices, and rapidly identify abnormal activity will be significantly better positioned to defend against long-term nation-state campaigns.
