Russian Intelligence Hackers Are Walking Through Unlocked Doors Across Global Critical Infrastructure
A 23-nation advisory led by Australia's ASD warns that FSB-linked hacking groups have spent more than a decade quietly exploiting factory-default passwords on network devices inside hospitals, banks, and government agencies.

The Australian Signals Directorate published a joint advisory this week alongside the United States National Security Agency, the United Kingdom's NCSC, and partner agencies from Canada, New Zealand, France, Finland, Denmark, and roughly fifteen other countries, warning that hacking groups tied to Russia's Federal Security Service (FSB) are actively targeting critical infrastructure worldwide.
The method is almost laughably simple. Attackers scan the open internet for routers that still use factory-set default credentials. No zero-day exploit required. No custom malware needed. Guess the password, walk in, copy what you need, and leave quietly.
Who Is Doing This, and How Long Has It Been Going On?
The advisory names several hacking clusters researchers have tracked under different labels: Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Security analysts generally treat these as overlapping names for the same broad FSB-linked operator base. The campaign is not new. These groups have been active for more than a decade, patiently accumulating access rather than triggering alarms.
Alastair MacGibbon, former head of the Australian Cyber Security Centre, described the approach plainly. "It's not sophisticated, but it works really well," he told ABC News Australia. "It's the equivalent of walking around the internet and rattling the doors of organisations to see if they've been essentially left in a factory setting."
That framing matters. Defenders sometimes imagine nation-state attackers as all-seeing technical wizards. In reality, a significant share of their success comes from organisations simply never changing a default password.
Which Sectors Are Most at Risk?
The advisory flags financial services, healthcare, defence, and communications as primary targets. State and local government agencies are called out as especially exposed, because they hold tax records, welfare information, and licensing data for millions of citizens, but often operate with smaller security teams and older network hardware than federal counterparts.
Consider what a breach inside a hospital network actually means in practice: delayed patient records, disrupted care coordination, and exposure of sensitive health data. A foothold in a municipal government network can sit dormant for months while operators harvest credentials and map internal systems. The ASD's own reporting shows a cybercrime report is filed in Australia approximately every six minutes. Volume like that is not random noise. It reflects systematic, ongoing probing.
The Technical Failure Is a Human Failure First
The root cause here is not exotic malware or a sophisticated supply-chain attack. It is a failure of basic identity hygiene: network devices deployed with factory credentials still intact, often because the person who set up the hardware did not know, or was not trained to know, that changing those credentials is a non-negotiable first step.
This is where the NIST Cybersecurity Framework is explicit. The "Protect" function covers identity management and access control as foundational controls. Leaving default passwords active on internet-facing devices violates both the letter and the spirit of that guidance. The fix is not expensive. It is a configuration change that takes minutes.
Security-awareness training plays a direct role here: when IT staff and the employees who procure or deploy network equipment understand *why* default credentials are dangerous, change-management procedures actually get followed rather than skipped under deadline pressure.
Organisations looking to close this exact gap can explore training options built around real incident patterns rather than generic compliance tick-boxes.
What Controls Failed, and What Should Defenders Learn?
Four control failures appear repeatedly across incidents matching this pattern.
First, asset visibility. Many organisations do not know which routers and switches are internet-facing. You cannot protect what you cannot see. A network scan using a tool like Shodan, or a formal asset inventory review, will surface devices exposed to the open internet that staff assumed were behind a firewall.
Second, credential hygiene at procurement. Default passwords should be changed before a device ever connects to a production network, not weeks later after deployment pressures ease. Procurement policies should make this a mandatory step with a sign-off requirement.
Third, firewall placement. The advisory recommends placing routers behind a firewall so that external internet traffic cannot reach internal equipment directly. Many smaller government agencies and healthcare networks skip this step because the initial setup seems functional without it.
Fourth, patch cadence. Once an attacker has initial access via a default password, the next step is often exploiting a known, patched vulnerability to move laterally inside the network. Organisations that apply software updates promptly close that secondary door even if the first one was briefly open.
The Verizon Data Breach Investigations Report has consistently found that the majority of breaches exploit either stolen credentials or unpatched known vulnerabilities, not novel attack techniques. The FSB-linked campaigns described in this advisory fit that pattern precisely.
What Should Your Organisation Do This Week?
The advisory is specific about remediation priorities. Change default passwords on every network device in your environment. Apply available firmware and software updates. Confirm that routers and switches are not directly reachable from the public internet. Log authentication attempts on network devices and alert on repeated failures.
If you manage IT for a state or local government agency, a healthcare network, or a financial services firm, the single most actionable question to ask today is this: has anyone audited the credentials on every router and switch we own since the hardware was installed? If the honest answer is no, that audit needs to happen before the end of the week.
Organisations that want a structured way to assess their exposure can review the control frameworks and training options available at Train2Secure and start building the institutional habits that prevent campaigns like this one from succeeding.
How this could have been prevented
- Enforce a mandatory credential-change policy for all network hardware before it connects to a production environment, with a documented sign-off step.
- Run quarterly asset-visibility scans to identify routers and switches that are reachable from the public internet and confirm firewall placement is correct.
- Train IT staff and procurement teams on identity hygiene fundamentals so that default-credential risk is understood and eliminated at the point of deployment, not discovered months later during an incident.
Train2Secure offers scenario-based security-awareness training built around real attack patterns like this one, so your team learns to close the gaps that adversaries actually exploit.
Start free, no card requiredSources & further reading
Frequently asked questions
Why are Russian hackers targeting routers with default passwords instead of using advanced exploits?
Because it works. Scanning the internet for devices with factory credentials still active requires no specialised skills and succeeds far more often than most organisations expect. Nation-state groups use the simplest available method first, reserving expensive zero-day exploits for hardened targets.
Which hacking groups are named in the ASD advisory?
The advisory identifies Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. Security researchers generally treat these as overlapping labels for FSB-linked operator clusters rather than entirely separate groups.
What is the fastest practical step an organisation can take to reduce exposure from this campaign?
Audit and change the credentials on every router and network switch in your environment, starting with any device that is internet-facing. Confirm those devices sit behind a firewall so external traffic cannot reach them directly. This takes hours, not weeks, and eliminates the primary attack vector described in the advisory.
Are small government agencies really a target for Russian intelligence hackers?
Yes. The advisory explicitly flags state and local government agencies as particularly vulnerable because they hold large volumes of citizen data but typically operate with smaller security teams and older hardware. Smaller footprint does not mean lower risk when the attack method requires no sophistication.



