The National Security Agency warned in a joint advisory Monday that Russian state-sponsored hackers are targeting vulnerable networking devices to compromise critical infrastructure sectors across the globe.
Hackers linked to the Russian Federal Security Service Section 16 are exploiting poorly configured and vulnerable Cisco Smart Install devices to compromise targets across a range of industries, according to the NSA.
The hackers are tracked under the name Berzerk Bear or Dragonfly.
Cisco networking devices have been a frequent target of state-linked and criminal actors in recent years, as they provide deep access to critical systems.
The attacks previously targeted vulnerabilities in end-of-life devices, including a denial-of-service vulnerability tracked as CVE-2018-0171, in Cisco IOS and Cisco IOS XE software. In addition, a cross-site request vulnerability, tracked as CVE-2008 -4128, has been targeted.
According to a 2025 FBI advisory, the Russia-backed actor has targeted Simple Network Management Protocol and end-of-life devices with unpatched vulnerabilities and collected configuration files on thousands of devices in the U.S.
Officials last year urged users to change default passwords, remove the devices from the open internet and secure remote access.
U.K. and European Union authorities on Monday announced sanctions against 24 people and organizations in connection with the threat activity. Officials said Russian intelligence officials recruited criminal hackers to participate in a range of threat activity.
U.K. and EU authorities linked the hackers to an attack targeting Poland’s energy grid. The attack failed, but officials said 500,000 people could have lost power if the attack had been successful.
In an advisory joined by the FBI, the Cybersecurity and Infrastructure Security Agency and international partner agencies, U.K. officials last month said state-sponsored hackers are linked to a majority of the major attacks targeting critical infrastructure in that country.