A joint advisory from CISA, the FBI, the NSA, and international partners urges healthcare organizations to secure vulnerable networking devices against Russian state-sponsored actors.


The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency, the Federal Bureau of Investigation (FBI), and international partners, released a joint cybersecurity advisory regarding Russian state-sponsored cyber activity. The advisory warns that threat actors are targeting vulnerable networking devices across critical infrastructure sectors, including healthcare and public health.

The advisory, titled “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” highlights how actors primarily leverage poorly configured routers to gain unauthorized access and exfiltrate sensitive data. According to the report, these actors also exploit common vulnerabilities and exposures to facilitate malicious activity.

“CISA continues to work with domestic and global partners to highlight the ongoing threat of nation-state actors targeting vulnerable network devices,” says Chris Butera, acting executive assistant director for cybersecurity at the CISA, in a release. “The advisory provides a timely and urgent reminder of actions for critical infrastructure owners and operators to counter Russian state-sponsored activity.”

According to the FBI, these actors have spent years extracting configuration data from networking equipment.

“This advisory gives network defenders the visibility to spot this activity and the mitigations to counter it,” says Brett Leatherman, assistant director of the Federal Bureau of Investigation cyber division, in a release. “The FBI will work with our partners to continue to expose this tradecraft and hold these actors accountable.”

Mitigation and Remediation Strategies

The joint advisory outlines several actionable steps for organizations to reduce the risk of exploitation and reduce their attack surface. Recommended measures include:

  • Restricting access to management interfaces and firewall devices,
  • Adopting stronger authentication and data encryption protocols,
  • Securing weak and vulnerable internet-facing systems, and
  • Monitoring for suspicious activity.

Sean Tufts, field chief technology officer at Claroty, says in a statement that routers are often overlooked in operational technology environments where uptime is prioritized over routine maintenance, leaving many organizations with aging equipment.

“A stolen router configuration file gives attackers far more than access to a single device. It can reveal network topology, trusted connections, VPN settings, and even credentials, allowing them to move through a network quietly instead of searching for a way in,” says Tufts.

Tufts explains that Russian intelligence actors typically establish access, map the environment, and maintain persistence for future espionage or disruption. He recommends that organizations treat exposed configurations as a compromise by rotating credentials, validating configurations against known baselines, and looking for signs of persistence.

While keeping software updated is a necessary step, Tufts suggests that network architecture plays a significant role in security.

“Patching is important, but segmentation is what truly limits the impact,” says Tufts. “If a compromised router can reach an entire operational network, that is the architectural weakness organizations need to address.”

ID 154742479 © Pop Nukoonrat | Dreamstime.com