Back to News

NCSC + 18 Allied Agencies Issue Emergency Advisory — FSB Centre 16 Is Actively Scanning UK Routers for Weak SNMP Passwords: What Every UK Business Must Do Today

NCSC + 18 Allied Agencies Issue Emergency Advisory — FSB Centre 16 Is Actively Scanning UK Routers for Weak SNMP Passwords: What Every UK Business Must Do Today

On 13 July 2026, the UK’s National Cyber Security Centre — joined by 18 partner agencies from 12 countries — issued a joint advisory confirming that Russia’s FSB Centre 16 is actively scanning the public internet for business routers running weak or default SNMP credentials and outdated Cisco firmware. The same day, the UK sanctioned 24 Russian individuals and entities and formally attributed the December 2025 attack on Poland’s power grid — which put an estimated 500,000 civilians at risk of losing electricity — to the identical threat group. It is, on any reasonable measure, the most operationally significant router-security warning issued to UK organisations in years.

The uncomfortable part for a UK small or medium-sized business is this: an internet-wide scan does not check your company size, your sector, or your turnover before it knocks on your router. The advisory names a group whose targets include critical national infrastructure, but the technique it describes — probing every reachable device for a default or guessable SNMP community string, an exposed management interface, or an un-patched Cisco appliance — sweeps up the corner accountancy practice, the 30-person logistics firm, and the regional manufacturer in exactly the same pass. If your router is on the public internet with factory credentials or firmware two years behind, you are inside the same net as the power stations. This article explains what the advisory actually says, who FSB Centre 16 is, and what a UK SME should do about its connectivity and network security today — framed around the reality of running a business, not defending a nation state.

18
Allied agencies co-signing the advisory
12
Countries behind the joint warning
24
Russian individuals & entities sanctioned by the UK
£14.7bn
Annual cost of cyberattacks to the UK economy

What the 13 July advisory actually says

The advisory, published under the NCSC banner and co-signed by agencies including the United States’ NSA and CISA and counterparts from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland and Sweden, is unusually direct. It names FSB Centre 16 — the group tracked across the industry under a string of aliases including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard and Static Tundra — as conducting a sustained campaign against internet-facing networking equipment. The primary entry points it lists are not exotic zero-days. They are default or weak SNMP community strings, the Cisco Smart Install (SMI) feature left enabled and exposed, and web-portal flaws on management interfaces that were never meant to face the open internet.

Once a device is compromised, the advisory describes a familiar and methodical playbook: exfiltrate the router’s configuration file, harvest the credentials inside it, establish persistent access that survives reboots, and use the foothold to move laterally into the network behind the router. A router is not an incidental target here. It is the front door, the map of the internal network, and often the store of the very credentials an attacker needs to go deeper. Compromise it quietly and you own the traffic, the topology, and frequently the keys to everything downstream.

Alongside the technical detail, the UK Government moved on the diplomatic and legal front the same day. It sanctioned 24 Russian individuals and entities, and it formally attributed the December 2025 attack on Poland’s energy grid — an incident that put around 500,000 civilians at risk of losing power — to FSB Centre 16. Jonathon Ellison, the NCSC’s Director of National Resilience, put the call to action plainly: “I would strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately.” The phrase “all organisations” is doing real work in that sentence.

The immediate risk in one line

If your business router is reachable from the public internet and still uses a default or weak SNMP community string — or runs Cisco firmware that is behind on updates, or has Smart Install enabled — it is exposed to an active, automated scanning campaign right now. This is not a theoretical future threat you can schedule for next quarter. Automated scanners do not queue by company size, and the advisory confirms the campaign is live. The single most valuable thing you can do today is find out, honestly, whether any of those three conditions apply to your equipment.

How we got here: a timeline

The advisory did not appear in a vacuum. It sits at the end of a chain of escalating incidents and policy moves through late 2025 and into the summer of 2026. Reading them in order makes the July warning feel less like a bolt from the blue and more like the predictable next step.

December 2025 — Poland energy grid attack
An intrusion against Poland’s power grid puts an estimated 500,000 civilians at risk of losing electricity. At the time attribution is uncertain; the technical fingerprints are logged for later analysis.
To September 2025 — NCSC records 204 nationally significant incidents
In its Annual Review, the NCSC reports 204 nationally significant incidents in the year to September 2025 — up sharply from 89 the year before. The same review estimates 5 million cyber crimes against UK firms a year, roughly one every six seconds.
7 July 2026 — Cyber Resilience Pledge launched
GOV.UK launches the Cyber Resilience Pledge, urging firms to strengthen defences. More than 60 businesses sign up in the first tranche, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte and Vodafone. The same announcement puts the annual cost of cyberattacks to the UK economy at £14.7bn.
13 July 2026 — Joint advisory published
The NCSC and 18 allied agencies from 12 countries publish the joint advisory naming FSB Centre 16 and its router-scanning campaign. It details the SNMP, Smart Install and management-interface techniques, and lists concrete mitigations.
13 July 2026 — UK sanctions 24 operators
In coordination with the advisory, the UK sanctions 24 Russian individuals and entities linked to the campaign — a rare same-day pairing of technical guidance with legal action.
13 July 2026 — Poland attack formally attributed
The December 2025 Poland grid intrusion is formally attributed to FSB Centre 16, closing the loop between the earlier incident and the group now named in the advisory. The message to industry: this is a capable, active adversary, not a historic curiosity.
From 14 July 2026 — UK firms begin auditing exposure
In the days after publication, UK managed-service providers and IT teams begin auditing customer estates for internet-facing management interfaces, legacy SNMP, and Cisco firmware currency — the practical response the advisory was designed to trigger.

Why routers — and why now

To understand the choice of target, it helps to compare it against the other places an attacker could invest their effort. The chart below is an illustrative ranking of how attractive different categories of exposed infrastructure are to a mass-scanning campaign of this kind — weighing how easy each is to find on the open internet, how often the weakness is present, and how much the attacker gains from a successful compromise. Routers and edge devices sit at the top for a reason: they are always on, always reachable, rarely monitored the way a laptop is, and they hold the keys to the network behind them.

Internet-facing routers & edge devices
94
Exposed management interfaces
88
Legacy SNMP (v1/v2c) services
82
Unpatched firewalls & VPN appliances
76
Cisco Smart Install (SMI) enabled
69
Remote-access services (RDP/SSH)
61
Employee endpoints (laptops)
44

The point of the ranking is not the precise figures — it is the shape. The devices most SMEs think about least are the ones a nation-state scanner values most. A laptop is patched by Windows Update, watched by endpoint protection, and replaced every few years. A router installed during an office move in 2021 may not have been logged into since, may still carry the credentials from its factory box, and may be quietly announcing itself to the internet on a management port nobody remembers opening.

The scale of the UK cyber-crime problem

It is tempting for a smaller business to read a state-sponsored advisory and conclude it is aimed at someone else — the utilities, the defence contractors, the banks. The wider numbers argue otherwise. The NCSC’s own estimate of roughly 5 million cyber crimes against UK firms a year works out to about one every six seconds, and the overwhelming majority of those victims are not critical national infrastructure. They are ordinary businesses whose exposure was opportunistic rather than targeted. The donut below frames the single number that should reset the risk conversation for any UK SME leader.

204 incidents
Nationally significant NCSC incidents in the year to September 2025 — up from 89 the year before, a rise of roughly 129%. The green arc shows the current year against that prior baseline.

A 129% year-on-year jump in nationally significant incidents is not a rounding error; it is a step change in tempo. When the volume of serious activity more than doubles in twelve months, the probability that a given business sits in the blast radius of some campaign — targeted or incidental — rises with it. The July advisory is one specific, well-documented instance of that broader trend, which is exactly why it is worth treating as a prompt to act rather than a headline to note.

Where most UK SMEs are exposed today

The advisory’s mitigations map neatly onto a small number of recurring weaknesses. In our experience auditing SME connectivity, the same gaps appear again and again — not because anyone was negligent, but because network kit is installed to work and then forgotten. The grid below rates how commonly each weakness turns up and how much it matters if an active scanner finds it.

Router & network exposure — how commonly each gap appears in SME estates
Default or weak SNMP community string still in use High
Management interface reachable from the public internet High
Cisco firmware more than 12 months behind current High
Legacy SNMPv1/v2c enabled instead of SNMPv3 High
Cisco Smart Install (SMI) enabled and unrestricted Mid
No asset inventory of internet-facing devices Mid
Shared admin passwords across network devices Mid
No Cyber Essentials baseline in place Low

The “low” rating on the last row is not a comment on its importance — a Cyber Essentials baseline is one of the highest-value moves an SME can make — but on how easy the gap is for a scanner to exploit directly. The absence of a certification does not itself open a port. The first four rows, by contrast, are the ones an automated sweep can find and act on without any human in the loop, which is why they carry a “high” badge and why the advisory leads with them.

What effective network security costs a UK SME

Cost is usually the first question, so it is worth grounding. The figures below are indicative UK monthly ranges for the kind of managed connectivity and network security a business of each size typically needs to close the gaps above. They are illustrative planning bands, not quotes — every estate differs — but they give a realistic sense of the order of magnitude, and of how it compares with the downside. Set them against the £14.7bn the UK economy loses to cyberattacks each year and the per-incident cost of a serious breach, and the proactive figure reads as insurance rather than expense.

Business size Typical network estate Indicative managed cost (per month) What it covers
Micro (1–9 staff) Single site, one router/firewall, business broadband £150–£400 Managed router config, firmware currency, SNMPv3, monitoring, no internet-facing management
Small (10–49 staff) One or two sites, firewall, switching, Wi-Fi, FTTP £400–£1,200 Above plus segmentation, patch programme, quarterly review, failover options
Medium (50–99 staff) Multi-site, leased line, SD-WAN, managed switching £1,200–£3,000 Above plus 24/7 monitoring, resilient connectivity, Cyber Essentials Plus support
Larger SME (100–250 staff) Several sites, dedicated leased lines, full network stack £3,000–£7,000+ Full managed network, continuous assurance, incident response, vCIO oversight

The important comparison is not the monthly figure in isolation but the ratio against a single serious incident. A compromised router used as a foothold for data theft or ransomware routinely costs an SME tens of thousands of pounds in downtime, recovery, lost business and, increasingly, regulatory attention — before any reputational cost. Against that, a managed connectivity arrangement that keeps firmware current, disables legacy SNMP, and takes the management interface off the public internet is a modest and predictable line item.

Reactive versus proactive: two ways to run a network

The advisory ultimately describes a choice of posture. Most SMEs run their network reactively — kit is installed, works, and is only revisited when something breaks. A proactive posture treats the network as a living asset that is monitored, patched and reviewed on a schedule. The difference is not a matter of spending more; it is a matter of when the attention happens.

Reactive posture

What most SMEs do today

  • Router installed once, rarely logged into again
  • Firmware updated only when a fault forces it
  • Default or shared credentials left in place
  • Management interface exposed “so we can get in from home”
  • SNMPv1/v2c left enabled from initial setup
  • No inventory of what is actually internet-facing
  • Security reviewed after an incident, not before

Proactive posture

Where Cloudswitched takes you

  • Every internet-facing device inventoried and monitored
  • Firmware currency maintained on a schedule
  • Unique strong credentials on all network devices
  • Management restricted — no internet-facing admin ports
  • SNMPv3 only; legacy SNMP disabled
  • Cisco Smart Install disabled where not required
  • Cyber Essentials baseline and quarterly review in place

Read the two columns side by side and the advisory’s recommendations line up almost exactly with the right-hand list. SNMPv3 instead of legacy SNMP, unique strong passwords on every device, management interfaces off the public internet, Smart Install disabled, firmware kept current, Cyber Essentials as a baseline, and the NCSC’s Cyber Assessment Framework (CAF) for those who need to go further. None of it is exotic. All of it is the difference between being an easy hit and being passed over.

How ready is the typical UK SME?

If we score a representative unmanaged SME network against the advisory’s checklist — SNMPv3, no internet-facing management, current firmware, unique credentials, Smart Install disabled, a baseline certification — the picture is sobering. Most fall well short not through any single failure but through the accumulation of small, forgotten defaults. The gauge below reflects a typical starting position; the goal of a managed connectivity engagement is to move that needle firmly into the upper band.

38
Typical unmanaged SME network readiness against the advisory checklist (out of 100)

A score in the high thirties is not a sign of a badly run business. It is the natural resting state of any network that has been installed to work rather than actively defended. The value of the July advisory is that it turns a vague sense of “we should probably look at this” into a specific, checkable list. You can move from the high thirties into the eighties in a matter of weeks with the right attention — and none of the steps requires ripping anything out.

A practical first move you can make this week

You do not need a full audit to start. Ask whoever manages your connectivity three questions: (1) Is any router or firewall management interface reachable from the public internet? (2) Is SNMP still running v1 or v2c anywhere, and what community strings are set? (3) When was the firmware on our edge devices last updated? If the honest answer to any of these is “I’m not sure,” that uncertainty is the finding — and it is exactly what an automated scanner is counting on. Getting to a confident answer on those three points closes the majority of the exposure the advisory describes.

At a glance: the advisory in facts

Fact Detail
Advisory published13 July 2026
Lead agencyUK NCSC, with NSA and CISA among 18 co-signing agencies
Countries involved12, including Australia, Canada, Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden and the USA
Threat group namedFSB Centre 16 (aka Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, Static Tundra)
UK sanctions issued24 Russian individuals and entities, same day
Attack methodsDefault/weak SNMP community strings; Cisco Smart Install exploitation; management-interface web flaws
Post-compromise activityConfig exfiltration, credential harvesting, persistent access, lateral movement
Key mitigationsSNMPv3; disable SNMPv1/v2c; unique strong passwords; restrict management interfaces; disable Smart Install; update Cisco firmware; obtain Cyber Essentials; use NCSC CAF
Formal attributionDecember 2025 Poland energy grid attack (500,000 civilians at risk) attributed to FSB Centre 16
UK cyber-crime cost£14.7bn per year to the economy (GOV.UK, 7 July 2026)
Nationally significant incidents204 in the year to September 2025, up from 89
Scale of activity~5 million cyber crimes against UK firms a year — roughly one every six seconds
Cyber Resilience PledgeLaunched 7 July 2026; 60+ businesses signed, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Vodafone
NCSC quoteJonathon Ellison, Director of National Resilience, urged “all organisations” to adopt the measures “immediately”

How this connects to the wider 2026 threat picture

This advisory does not stand alone. It is one thread in a summer of overlapping pressure on UK SME infrastructure, and reading it alongside the related stories we have covered makes the pattern clear. The FortiBleed vulnerability affecting more than 73,000 Fortinet firewalls is the same category of problem — edge devices as the soft entry point — seen through a different vendor. The surge in AI-discovered CVEs explains why firmware currency has become so much harder to keep on top of manually, reinforcing the case for a managed patch programme. And the 2026 Cyber Security Breaches Survey, which found 612,000 UK businesses hit, supplies the population-level evidence that this is a mainstream SME problem, not a niche one.

Two further pieces round out the context. The UK’s Critical Third Party designation for the major cloud providers shows regulators treating digital infrastructure as systemically important — the same logic that now extends, via advisories like this one, down to the humble business router. And the EU AI Act deadline of 2 August 2026 is a reminder that compliance obligations and security obligations are arriving together, and that a business getting its house in order should tackle them as one programme rather than a series of fire drills.

Is your router in the scan path?

Cloudswitched delivers business connectivity as an IT company, not a reseller — which means firmware currency, SNMPv3, restricted management interfaces and proactive monitoring are built into how we run your network, exactly as the NCSC advisory recommends. If you are not certain your edge devices are safe from this campaign, we can find out.

Talk to us about Business Connectivity & Network Security

Frequently asked questions

Is my small business really a target for a Russian state group?
Not specifically — and that is precisely the point. The campaign the advisory describes is an internet-wide automated scan for weak SNMP credentials, exposed management interfaces and outdated Cisco firmware. Automated scanners do not check your company size, sector or turnover before probing your router; they hit every reachable device in a range. So while your SME is unlikely to be hand-picked, it can absolutely be swept up incidentally if it presents any of the weaknesses the scanners look for. The exposure is real regardless of how uninteresting you think your business is to a nation state.
What is SNMP and why does it matter here?
SNMP (Simple Network Management Protocol) is how network devices report their status and are managed remotely. The older versions — v1 and v2c — authenticate using a “community string”, which is effectively a shared password sent in the clear. Many devices ship with well-known default community strings like “public” and “private”, and plenty are never changed. An attacker who guesses or sniffs that string can read a device’s configuration and, in some cases, alter it. The advisory’s core recommendation is to move to SNMPv3, which adds proper authentication and encryption, and to disable the legacy versions entirely.
We use Cisco equipment — what specifically should we check?
Three things. First, whether Cisco Smart Install (SMI) is enabled; it is a provisioning feature that is frequently left on and exposed, and it is one of the named entry points. Disable it where you do not actively use it. Second, whether your firmware is current — the campaign targets outdated firmware, so keeping devices patched closes known holes. Third, whether any management interface is reachable from the public internet. If you are not sure how to check these, a managed connectivity provider can audit them quickly; they are standard checks, not deep forensics.
What does “restrict management interfaces” actually mean?
It means your router’s or firewall’s administrative login should not be reachable from the open internet. Many businesses expose it deliberately — usually so someone can manage the device from home — without realising they have put the front-door lock on the pavement for every scanner to try. The correct pattern is to reach management only over a VPN or from inside the network, so the admin interface is invisible to the public internet. Closing this one gap removes a large share of the exposure the advisory describes, because a scanner cannot attack a login it cannot see.
How does Cyber Essentials help with this?
Cyber Essentials is a UK Government-backed baseline built around five technical controls, one of which is secure configuration — exactly the discipline that prevents default credentials and unnecessary exposed services. The advisory explicitly recommends it as a baseline for a reason: businesses that hold the certification have already had to demonstrate that they have addressed the categories of weakness this campaign exploits. It will not make you invulnerable, but it forces the housekeeping that closes the easy doors. For firms with contractual or supply-chain requirements, Cyber Essentials Plus adds an independent hands-on audit.
Our IT is outsourced — should we assume it is handled?
Do not assume; ask. Being “handled” is precisely the assumption that leaves routers unpatched, because everyone believes someone else is watching them. Put three direct questions to your provider: is any management interface internet-facing, is legacy SNMP disabled, and is our edge firmware current? A good provider will answer confidently or offer to check the same day. If the response is vague, that is a finding in itself. The right posture is a documented, monitored network with a named point of accountability — not a device that works and is therefore assumed to be safe.
How quickly can we close these gaps?
Faster than most people expect. Disabling legacy SNMP, changing default community strings, taking management interfaces off the public internet and turning off Smart Install where it is not needed are configuration changes that can often be completed in a single maintenance window. Firmware updates may need scheduling around business hours to avoid disruption, but they are routine. A full move from a typical unmanaged starting point to a solid posture aligned with the advisory usually takes a few weeks, most of which is auditing and planning rather than downtime. The urgency is real, but so is the achievability.
What is the NCSC Cyber Assessment Framework (CAF) and do we need it?
The CAF is a more comprehensive framework than Cyber Essentials, designed for organisations that need to demonstrate a mature, risk-based approach to cyber security — typically those in or supplying critical sectors. The advisory recommends it alongside Cyber Essentials for organisations entrusted with important networks. Most SMEs do not need to work directly to the CAF, but understanding where you sit on the spectrum between a Cyber Essentials baseline and full CAF alignment is a useful conversation to have with a vCIO, especially if you supply larger organisations that are themselves subject to it.
Why sanction 24 people at the same time as issuing technical advice?
Pairing sanctions with a technical advisory is a deliberate signal. The advisory tells defenders what to do; the sanctions raise the cost to the attackers and put the attribution on the public record. For a business leader, the practical takeaway is not the diplomacy but the confidence it conveys: governments across 12 countries are certain enough about this campaign to act on it legally on the same day they warn about it technically. That level of coordinated confidence is your cue to treat the mitigations as a priority rather than a maybe.
We are planning an office move — is that a good time to fix this?
An excellent time. A relocation means new connectivity, new cabling and often new network hardware, so it is the natural moment to build the right configuration in from the start rather than retrofitting it — SNMPv3 only, no internet-facing management, current firmware, unique credentials and proper segmentation. It is far cheaper to do this once, cleanly, during a planned move than to unpick a working-but-exposed setup later. If a move is on your horizon, fold the advisory’s checklist into the connectivity design brief and you will arrive at the new site already aligned with it.

Turn the advisory into action

The NCSC has told every UK organisation what to do; the hard part is knowing whether your own network already meets the mark. Cloudswitched runs business connectivity the way the advisory recommends — firmware kept current, legacy SNMP disabled, management interfaces off the public internet, and proactive monitoring on every edge device — so you are not the easy hit an automated scan is hunting for.

Talk to us about Business Connectivity & Network Security
Tags:ConnectivityCyber SecurityNetwork AdminIT Support
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Business Connectivity & Network Security

Business broadband, leased lines and secure network infrastructure for UK businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

26
  • Cyber Security

Cyber Essentials Plus for Law Firms: Protecting Client Data

26 Jun, 2026

Read more
10
  • Web Development

The Guide to Website Maintenance and Updates

10 Dec, 2025

Read more
17
  • Azure Cloud

Azure for Healthcare: Compliance and Security Considerations

17 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.