Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

NCSC names FSB Centre 16 over routers

2 min read
08:46UTC

NCSC and 18 partner agencies named Russia's FSB Centre 16 over an SNMP router-hijacking campaign, a different service from the GRU unit named in April.

TechnologyDeveloping
Key takeaway

Centre 16's SNMP campaign makes router hygiene a UK critical-infrastructure defence task, not a back-office chore.

NCSC, the UK's National Cyber Security Centre, and 18 partner agencies named Russia's FSB Centre 16 in a joint router-hygiene advisory published on Thursday 9 July, according to secondary coverage of the alert 1. The advisory attributes a campaign that hijacks the Simple Network Management Protocol (SNMP), the service administrators use to monitor and configure network gear remotely, to harvest device data and reconfigure routers. It names communications, energy, healthcare, defence and financial-services operators as targets.

An April advisory named a different Russian service. That earlier alert attributed DNS hijacking on home routers to the GRU's Unit 26165, also tracked as APT28 . Centre 16 sits inside the FSB, Russia's domestic security service, rather than military intelligence, and works through SNMP where APT28 rewrote DNS entries. Both campaigns hit the same network edge from two different Russian agencies.

The joint advisory tells operators to retire legacy SNMP versions 1 and 2c for the authenticated, encrypted SNMPv3, and to restrict management-protocol access to trusted hosts 2. SNMP hygiene rarely reaches a board agenda, yet a second Russian service now treats it as a collection route into critical national infrastructure. For a UK operator, the action is a configuration audit this quarter, not a procurement cycle.

Deep Analysis

In plain English

NCSC, the UK's cyber-security agency, joined 18 partner agencies on 9 July to publicly blame Russia's FSB Centre 16 for hijacking routers through SNMP, an old protocol used to monitor and manage network equipment. Many devices still ship with SNMP switched on and protected only by a simple shared password, called a community string, rather than a proper login. FSB Centre 16 is a separate Russian unit, and this is a separate technique, from the DNS-hijacking campaign NCSC named back in April.

Deep Analysis
Root Causes

SNMP versions 1 and 2c, still enabled by default on much legacy edge-network gear, authenticate with a plaintext community string rather than per-user credentials. Any actor that guesses or intercepts the string, commonly left at a factory default, gets read or write access to routing tables without needing an exploit at all.

That is why FSB Centre 16 could run a sustained campaign against unpatched infrastructure: the weakness is a configuration default carried over from 1990s protocol design, not a software vulnerability Fortinet or any single vendor could patch away.

First Reported In

Update #10 · One operator worked both ransomware brands

NCSC and 18 partner agencies· 14 Jul 2026
Read original
Causes and effects
This Event
NCSC names FSB Centre 16 over routers
A second Russian intelligence service now treats router management protocols as a collection route into critical national infrastructure.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.