Home Routers Remain Prime Target in Persistent FSB Infrastructure Campaign
Federal agencies across five nations issue coordinated alert as Russia's Center 16 exploits poorly secured edge devices to mask intrusions into critical infrastructure.

The Persistent Edge Problem
Consumer routers and small-office networking equipment have become persistent entry points for state-sponsored operators seeking to obscure their movements. On Monday, the Cybersecurity and Infrastructure Security Agency, alongside counterparts from Australia, Denmark, New Zealand, and the United Kingdom, issued a coordinated advisory focused on ongoing exploitation by Russia's Federal Security Service Center 16. The operators, tracked under aliases including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, continue to opportunistically compromise vulnerable and misconfigured devices across multiple critical infrastructure sectors worldwide, according to CISA.
At DailyTechWire, we've tracked router compromises as a fixture of state-level cyber operations for years. The dynamic is straightforward: edge devices sit at the boundary of networks, often ship with weak default credentials, rarely receive firmware updates, and provide attackers with anonymized proxies to route traffic through. For espionage operators, a compromised router in a suburban home or a regional accounting office offers far more operational value than sophisticated malware on a hardened corporate server. It's infrastructure that hides infrastructure.
Why Routers, Why Now
The appeal of consumer and SOHO (small office/home office) routers as operational assets is rooted in their ubiquity and neglect. Millions of devices remain online with factory-set passwords, unpatched vulnerabilities dating back months or years, and no visibility into device logs or traffic patterns. For FSB Center 16 and similar units, these devices function as distributed anonymization layers. An intrusion into a utility network or government contractor can be routed through dozens of compromised home routers across continents, making attribution and blocking significantly harder.
The coordinated advisory underscores a shift in government messaging. Rather than focusing solely on enterprise hardening, agencies are now explicitly calling out the security posture of edge devices that individual users control but rarely monitor. The implication is clear: the weakest link in critical infrastructure defense is often a router sitting in someone's living room or back office, far removed from any corporate security operations center.
A Cycle Without Resolution
This is not the first time governments have issued warnings about router compromises, nor is it likely to be the last. Both Russian and Chinese state operators have engaged in prolonged campaigns to compromise, re-compromise, and contest control over the same device populations. In some cases, operators from one nation have overwritten or displaced the footholds of another, turning individual routers into contested digital real estate.
The U.S. government has occasionally responded with covert operations to remotely disinfect compromised devices, issuing commands to purge malicious firmware or close backdoors. Technology companies, including Google, have undertaken disruption efforts targeting the command-and-control infrastructure that coordinates large-scale router botnets. Yet these interventions have proven temporary at best. Operators simply rebuild their botnets, targeting new device models, exploiting newly disclosed vulnerabilities, or re-compromising devices that were cleaned but never properly secured.
The result is a persistent cycle: compromise, disruption, reconstitution. The economics favor the attackers. Building a botnet of compromised routers requires modest resources and exploits vulnerabilities that manufacturers and users are slow to address. Disrupting that botnet requires significant coordination, legal authority, and technical effort, and the impact lasts only until the next wave of exploitation begins.
What's at Stake for Infrastructure Operators
The advisory highlights that Center 16 actors are targeting critical infrastructure sectors, using compromised routers as proxy networks to obscure intrusions. This is not espionage for espionage's sake. Gaining persistent access to utility networks, transportation systems, or industrial control environments provides strategic options: intelligence collection, pre-positioning for future disruption, or mapping dependencies that could be leveraged in a crisis.
For infrastructure operators, the challenge is visibility. A login attempt or data exfiltration event that originates from a compromised home router in a different country appears, on the surface, like routine internet traffic. Blocking individual IP addresses is ineffective when attackers can cycle through thousands of proxies. Detecting anomalous behavior requires deeper inspection of traffic patterns, session characteristics, and lateral movement within networks, capabilities that many organizations still lack.
The User Dilemma
For individual users, the guidance is familiar but difficult to enforce: change default credentials, enable automatic firmware updates if available, disable remote management features, and replace devices that no longer receive vendor support. The problem is that most users have no reason to think about their router as a security device. It's a box that provides internet access, and as long as the Wi-Fi works, there's little incentive to log in, check for updates, or review settings.
Manufacturers bear responsibility as well. Many consumer routers ship with minimal security defaults, unclear update mechanisms, and short support lifecycles. A device purchased three years ago may no longer receive patches for newly discovered vulnerabilities, leaving users with the choice of replacing functional hardware or accepting risk they may not even be aware of. Industry-wide standards for secure-by-default configurations and extended firmware support remain inconsistent.
What Comes Next
The coordinated advisory signals that router compromises are now a sustained policy concern for multiple governments, not just a technical nuisance. Whether this translates into regulatory pressure on manufacturers, expanded disruption operations, or new frameworks for securing edge devices remains to be seen.
What is clear is that the current equilibrium is untenable. As long as millions of poorly secured routers remain online, state operators will continue to exploit them as low-cost, high-value infrastructure. Addressing that reality will require more than periodic warnings. It will require rethinking how consumer networking equipment is designed, sold, supported, and eventually retired. Until then, the cycle of compromise and disruption will continue, with home routers remaining a quiet but persistent vulnerability in the architecture of critical infrastructure defense.


