On 13 July 2026, the UK’s National Cyber Security Centre — joined by 18 partner agencies from 12 countries — issued a joint advisory confirming that Russia’s FSB Centre 16 is actively scanning the public internet for business routers running weak or default SNMP credentials and outdated Cisco firmware. The same day, the UK sanctioned 24 Russian individuals and entities and formally attributed the December 2025 attack on Poland’s power grid — which put an estimated 500,000 civilians at risk of losing electricity — to the identical threat group. It is, on any reasonable measure, the most operationally significant router-security warning issued to UK organisations in years.
The uncomfortable part for a UK small or medium-sized business is this: an internet-wide scan does not check your company size, your sector, or your turnover before it knocks on your router. The advisory names a group whose targets include critical national infrastructure, but the technique it describes — probing every reachable device for a default or guessable SNMP community string, an exposed management interface, or an un-patched Cisco appliance — sweeps up the corner accountancy practice, the 30-person logistics firm, and the regional manufacturer in exactly the same pass. If your router is on the public internet with factory credentials or firmware two years behind, you are inside the same net as the power stations. This article explains what the advisory actually says, who FSB Centre 16 is, and what a UK SME should do about its connectivity and network security today — framed around the reality of running a business, not defending a nation state.
What the 13 July advisory actually says
The advisory, published under the NCSC banner and co-signed by agencies including the United States’ NSA and CISA and counterparts from Australia, Canada, the Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland and Sweden, is unusually direct. It names FSB Centre 16 — the group tracked across the industry under a string of aliases including Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard and Static Tundra — as conducting a sustained campaign against internet-facing networking equipment. The primary entry points it lists are not exotic zero-days. They are default or weak SNMP community strings, the Cisco Smart Install (SMI) feature left enabled and exposed, and web-portal flaws on management interfaces that were never meant to face the open internet.
Once a device is compromised, the advisory describes a familiar and methodical playbook: exfiltrate the router’s configuration file, harvest the credentials inside it, establish persistent access that survives reboots, and use the foothold to move laterally into the network behind the router. A router is not an incidental target here. It is the front door, the map of the internal network, and often the store of the very credentials an attacker needs to go deeper. Compromise it quietly and you own the traffic, the topology, and frequently the keys to everything downstream.
Alongside the technical detail, the UK Government moved on the diplomatic and legal front the same day. It sanctioned 24 Russian individuals and entities, and it formally attributed the December 2025 attack on Poland’s energy grid — an incident that put around 500,000 civilians at risk of losing power — to FSB Centre 16. Jonathon Ellison, the NCSC’s Director of National Resilience, put the call to action plainly: “I would strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately.” The phrase “all organisations” is doing real work in that sentence.
If your business router is reachable from the public internet and still uses a default or weak SNMP community string — or runs Cisco firmware that is behind on updates, or has Smart Install enabled — it is exposed to an active, automated scanning campaign right now. This is not a theoretical future threat you can schedule for next quarter. Automated scanners do not queue by company size, and the advisory confirms the campaign is live. The single most valuable thing you can do today is find out, honestly, whether any of those three conditions apply to your equipment.
How we got here: a timeline
The advisory did not appear in a vacuum. It sits at the end of a chain of escalating incidents and policy moves through late 2025 and into the summer of 2026. Reading them in order makes the July warning feel less like a bolt from the blue and more like the predictable next step.
Why routers — and why now
To understand the choice of target, it helps to compare it against the other places an attacker could invest their effort. The chart below is an illustrative ranking of how attractive different categories of exposed infrastructure are to a mass-scanning campaign of this kind — weighing how easy each is to find on the open internet, how often the weakness is present, and how much the attacker gains from a successful compromise. Routers and edge devices sit at the top for a reason: they are always on, always reachable, rarely monitored the way a laptop is, and they hold the keys to the network behind them.
The point of the ranking is not the precise figures — it is the shape. The devices most SMEs think about least are the ones a nation-state scanner values most. A laptop is patched by Windows Update, watched by endpoint protection, and replaced every few years. A router installed during an office move in 2021 may not have been logged into since, may still carry the credentials from its factory box, and may be quietly announcing itself to the internet on a management port nobody remembers opening.
The scale of the UK cyber-crime problem
It is tempting for a smaller business to read a state-sponsored advisory and conclude it is aimed at someone else — the utilities, the defence contractors, the banks. The wider numbers argue otherwise. The NCSC’s own estimate of roughly 5 million cyber crimes against UK firms a year works out to about one every six seconds, and the overwhelming majority of those victims are not critical national infrastructure. They are ordinary businesses whose exposure was opportunistic rather than targeted. The donut below frames the single number that should reset the risk conversation for any UK SME leader.
A 129% year-on-year jump in nationally significant incidents is not a rounding error; it is a step change in tempo. When the volume of serious activity more than doubles in twelve months, the probability that a given business sits in the blast radius of some campaign — targeted or incidental — rises with it. The July advisory is one specific, well-documented instance of that broader trend, which is exactly why it is worth treating as a prompt to act rather than a headline to note.
Where most UK SMEs are exposed today
The advisory’s mitigations map neatly onto a small number of recurring weaknesses. In our experience auditing SME connectivity, the same gaps appear again and again — not because anyone was negligent, but because network kit is installed to work and then forgotten. The grid below rates how commonly each weakness turns up and how much it matters if an active scanner finds it.
The “low” rating on the last row is not a comment on its importance — a Cyber Essentials baseline is one of the highest-value moves an SME can make — but on how easy the gap is for a scanner to exploit directly. The absence of a certification does not itself open a port. The first four rows, by contrast, are the ones an automated sweep can find and act on without any human in the loop, which is why they carry a “high” badge and why the advisory leads with them.
What effective network security costs a UK SME
Cost is usually the first question, so it is worth grounding. The figures below are indicative UK monthly ranges for the kind of managed connectivity and network security a business of each size typically needs to close the gaps above. They are illustrative planning bands, not quotes — every estate differs — but they give a realistic sense of the order of magnitude, and of how it compares with the downside. Set them against the £14.7bn the UK economy loses to cyberattacks each year and the per-incident cost of a serious breach, and the proactive figure reads as insurance rather than expense.
| Business size | Typical network estate | Indicative managed cost (per month) | What it covers |
|---|---|---|---|
| Micro (1–9 staff) | Single site, one router/firewall, business broadband | £150–£400 | Managed router config, firmware currency, SNMPv3, monitoring, no internet-facing management |
| Small (10–49 staff) | One or two sites, firewall, switching, Wi-Fi, FTTP | £400–£1,200 | Above plus segmentation, patch programme, quarterly review, failover options |
| Medium (50–99 staff) | Multi-site, leased line, SD-WAN, managed switching | £1,200–£3,000 | Above plus 24/7 monitoring, resilient connectivity, Cyber Essentials Plus support |
| Larger SME (100–250 staff) | Several sites, dedicated leased lines, full network stack | £3,000–£7,000+ | Full managed network, continuous assurance, incident response, vCIO oversight |
The important comparison is not the monthly figure in isolation but the ratio against a single serious incident. A compromised router used as a foothold for data theft or ransomware routinely costs an SME tens of thousands of pounds in downtime, recovery, lost business and, increasingly, regulatory attention — before any reputational cost. Against that, a managed connectivity arrangement that keeps firmware current, disables legacy SNMP, and takes the management interface off the public internet is a modest and predictable line item.
Reactive versus proactive: two ways to run a network
The advisory ultimately describes a choice of posture. Most SMEs run their network reactively — kit is installed, works, and is only revisited when something breaks. A proactive posture treats the network as a living asset that is monitored, patched and reviewed on a schedule. The difference is not a matter of spending more; it is a matter of when the attention happens.
Reactive posture
What most SMEs do today
- Router installed once, rarely logged into again
- Firmware updated only when a fault forces it
- Default or shared credentials left in place
- Management interface exposed “so we can get in from home”
- SNMPv1/v2c left enabled from initial setup
- No inventory of what is actually internet-facing
- Security reviewed after an incident, not before
Proactive posture
Where Cloudswitched takes you
- Every internet-facing device inventoried and monitored
- Firmware currency maintained on a schedule
- Unique strong credentials on all network devices
- Management restricted — no internet-facing admin ports
- SNMPv3 only; legacy SNMP disabled
- Cisco Smart Install disabled where not required
- Cyber Essentials baseline and quarterly review in place
Read the two columns side by side and the advisory’s recommendations line up almost exactly with the right-hand list. SNMPv3 instead of legacy SNMP, unique strong passwords on every device, management interfaces off the public internet, Smart Install disabled, firmware kept current, Cyber Essentials as a baseline, and the NCSC’s Cyber Assessment Framework (CAF) for those who need to go further. None of it is exotic. All of it is the difference between being an easy hit and being passed over.
How ready is the typical UK SME?
If we score a representative unmanaged SME network against the advisory’s checklist — SNMPv3, no internet-facing management, current firmware, unique credentials, Smart Install disabled, a baseline certification — the picture is sobering. Most fall well short not through any single failure but through the accumulation of small, forgotten defaults. The gauge below reflects a typical starting position; the goal of a managed connectivity engagement is to move that needle firmly into the upper band.
A score in the high thirties is not a sign of a badly run business. It is the natural resting state of any network that has been installed to work rather than actively defended. The value of the July advisory is that it turns a vague sense of “we should probably look at this” into a specific, checkable list. You can move from the high thirties into the eighties in a matter of weeks with the right attention — and none of the steps requires ripping anything out.
You do not need a full audit to start. Ask whoever manages your connectivity three questions: (1) Is any router or firewall management interface reachable from the public internet? (2) Is SNMP still running v1 or v2c anywhere, and what community strings are set? (3) When was the firmware on our edge devices last updated? If the honest answer to any of these is “I’m not sure,” that uncertainty is the finding — and it is exactly what an automated scanner is counting on. Getting to a confident answer on those three points closes the majority of the exposure the advisory describes.
At a glance: the advisory in facts
| Fact | Detail |
|---|---|
| Advisory published | 13 July 2026 |
| Lead agency | UK NCSC, with NSA and CISA among 18 co-signing agencies |
| Countries involved | 12, including Australia, Canada, Czech Republic, Denmark, Estonia, Finland, France, Italy, New Zealand, Poland, Sweden and the USA |
| Threat group named | FSB Centre 16 (aka Berserk Bear, Energetic Bear, Dragonfly, Ghost Blizzard, Static Tundra) |
| UK sanctions issued | 24 Russian individuals and entities, same day |
| Attack methods | Default/weak SNMP community strings; Cisco Smart Install exploitation; management-interface web flaws |
| Post-compromise activity | Config exfiltration, credential harvesting, persistent access, lateral movement |
| Key mitigations | SNMPv3; disable SNMPv1/v2c; unique strong passwords; restrict management interfaces; disable Smart Install; update Cisco firmware; obtain Cyber Essentials; use NCSC CAF |
| Formal attribution | December 2025 Poland energy grid attack (500,000 civilians at risk) attributed to FSB Centre 16 |
| UK cyber-crime cost | £14.7bn per year to the economy (GOV.UK, 7 July 2026) |
| Nationally significant incidents | 204 in the year to September 2025, up from 89 |
| Scale of activity | ~5 million cyber crimes against UK firms a year — roughly one every six seconds |
| Cyber Resilience Pledge | Launched 7 July 2026; 60+ businesses signed, including M&S, Nationwide, ITV, Microsoft UK, Cloudflare, Deloitte, Vodafone |
| NCSC quote | Jonathon Ellison, Director of National Resilience, urged “all organisations” to adopt the measures “immediately” |
How this connects to the wider 2026 threat picture
This advisory does not stand alone. It is one thread in a summer of overlapping pressure on UK SME infrastructure, and reading it alongside the related stories we have covered makes the pattern clear. The FortiBleed vulnerability affecting more than 73,000 Fortinet firewalls is the same category of problem — edge devices as the soft entry point — seen through a different vendor. The surge in AI-discovered CVEs explains why firmware currency has become so much harder to keep on top of manually, reinforcing the case for a managed patch programme. And the 2026 Cyber Security Breaches Survey, which found 612,000 UK businesses hit, supplies the population-level evidence that this is a mainstream SME problem, not a niche one.
Two further pieces round out the context. The UK’s Critical Third Party designation for the major cloud providers shows regulators treating digital infrastructure as systemically important — the same logic that now extends, via advisories like this one, down to the humble business router. And the EU AI Act deadline of 2 August 2026 is a reminder that compliance obligations and security obligations are arriving together, and that a business getting its house in order should tackle them as one programme rather than a series of fire drills.
Is your router in the scan path?
Cloudswitched delivers business connectivity as an IT company, not a reseller — which means firmware currency, SNMPv3, restricted management interfaces and proactive monitoring are built into how we run your network, exactly as the NCSC advisory recommends. If you are not certain your edge devices are safe from this campaign, we can find out.
Talk to us about Business Connectivity & Network SecurityFrequently asked questions
Turn the advisory into action
The NCSC has told every UK organisation what to do; the hard part is knowing whether your own network already meets the mark. Cloudswitched runs business connectivity the way the advisory recommends — firmware kept current, legacy SNMP disabled, management interfaces off the public internet, and proactive monitoring on every edge device — so you are not the easy hit an automated scan is hunting for.
Talk to us about Business Connectivity & Network Security


