Key Takeaways
- The UK’s National Cyber Security Centre (NCSC) issued a joint advisory with 18 international agencies warning of heightened activity by Russian state‑backed hackers from FSB’s Centre 16 (also known as Berserk Bear, Static Tundra, Ghost Blizzard).
- Centre 16 primarily uses opportunistic SNMP scans to locate vulnerable routers and has also exploited Cisco Smart Install (SMI) flaws, web‑portal weaknesses, and legacy SNMP versions to seize network devices.
- Sectors most at risk include communications, energy, healthcare, defense, and financial services; organisations in these fields are urged to act immediately.
- Core defensive steps: disable legacy SNMPv1/v2, adopt SNMPv3, enforce strong unique passwords, and restrict management‑protocol access.
- Strategic measures: pursue Cyber Essentials certification, utilise the Cyber Assessment Framework to audit and improve resilience, and maintain continuous monitoring.
- The advisory references prior incidents attributed to Centre 16, such as the December 2025 Poland energy‑grid attack, the 2023 Turla‑unit Snake malware campaign, and the Star Blizzard subunit’s interference in UK politics.
- Sustained vigilance and implementation of the recommended controls are essential to protect the UK’s critical national infrastructure from ongoing Russian intelligence operations.
Overview of the NCSC Advisory
The National Cyber Security Centre (NCSC) released a collaborative advisory alongside eighteen partner agencies, alerting UK organisations to a persistent threat posed by Russian state‑backed hackers. The notice focuses on the activities of the FSB’s Centre 16, a unit that operates under several aliases including Berserk Bear, Static Tundra, and Ghost Blizzard. According to the NCSC, Centre 16 has been “opportunistically” scanning the globe for weak points in routers and other network equipment, with a particular emphasis on critical national infrastructure. The advisory stresses that the threat is not isolated to a single campaign but represents an ongoing pattern of exploitation that demands heightened awareness from all defenders, especially those responsible for safeguarding essential services.
Threat Actor Profile: Centre 16 (Berserk Bear)
Centre 16 is a sophisticated element of Russia’s Federal Security Service (FSB) that has been linked to a range of cyber‑espionage and disruptive operations over several years. The group is known for its adaptability, frequently shifting tactics and leveraging multiple pseudonyms to obscure its attribution. Past NCSC reports have identified subunits such as Turla (responsible for the Snake malware platform) and Star Blizzard (which has meddled in UK democratic processes). The current advisory highlights that Centre 16’s recent focus is on network‑device compromise rather than purely data‑theft missions, indicating a strategic move toward gaining footholds that could enable later disruptive or destructive actions against critical infrastructure.
Tactics, Techniques, and Procedures
The advisory details the primary methods employed by Centre 16 to infiltrate target networks. The actors conduct widespread SNMP (Simple Network Management Protocol) scans to discover devices running outdated or weakly configured SNMP services. Once a vulnerable router is identified, they exploit known flaws in Cisco’s Smart Install (SMI) feature, as well as various web‑portal vulnerabilities, to gain administrative control. In addition, the group has been observed leveraging legacy SNMP versions (v1/v2c) that lack encryption and authentication, allowing them to hijack device management interfaces. By chaining these techniques, Centre 16 can seize routers, redirect traffic, install persistent backdoors, and potentially use the compromised devices as launchpads for further intrusions into connected systems.
Targeted Sectors
Organisations operating in communications, energy, healthcare, defense, and financial services are explicitly named as being within Centre 16’s current cross‑hairs. These industries constitute critical national infrastructure; disruption or compromise could have cascading effects on public safety, economic stability, and national security. The NCSC notes that the threat is not limited to the UK but is global in scope, with attackers seeking any vulnerable entry point regardless of geography. Consequently, entities in these sectors should prioritise the recommended hardening measures, as they are most likely to be targeted for both espionage and potential disruptive effects aimed at undermining essential services.
Immediate Defensive Measures
To reduce the risk of compromise, the NCSC urges organisations to take several concrete actions without delay. First, disable SNMPv1 and SNMPv2c on all network devices and migrate to SNMPv3, which provides authentication and encryption. Second, enforce the use of strong, unique passwords for every device’s management interface and ensure default credentials are never left in place. Third, restrict access to management protocols (such as SNMP, SSH, and HTTP/HTTPS) to trusted IP addresses through firewall rules or access‑control lists. Fourth, maintain up‑to‑date firmware and apply security patches promptly, particularly for Cisco equipment where SMI vulnerabilities have been exploited. Finally, enable logging and monitoring for anomalous SNMP traffic or unexpected configuration changes, allowing rapid detection of intrusion attempts.
Strategic Recommendations and Certifications
Beyond basic hardening, the NCSC encourages organisations to adopt broader cyber‑resilience frameworks. Obtaining Cyber Essentials certification—a government‑backed scheme that validates baseline cyber‑hygiene—demonstrates a commitment to essential security controls and can be a prerequisite for certain public‑sector contracts. Complementing this, the Cyber Assessment Framework (CAF) offers a structured methodology for evaluating an organisation’s security capabilities, operational maturity, and resilience posture. By conducting regular CAF assessments, entities can identify gaps, prioritise investments, and track improvements over time. The NCSC stresses that these measures should be integrated into ongoing risk‑management processes rather than treated as one‑off projects, ensuring long‑term defence against evolving threats like those posed by Centre 16.
Historical Context and Prior Warnings
This advisory is not the first time the NCSC has highlighted Centre 16’s activities. In December 2025, the agency, together with international partners, attributed a disruptive attack on Poland’s energy grid to the unit, underscoring its capability to impact critical infrastructure at scale. Earlier warnings in 2023 exposed a Centre 16 subunit known as Turla, which deployed the Snake malware—a sophisticated espionage tool that has been used in Russian‑backed campaigns for nearly two decades. Additionally, a 2023 advisory identified the Star Blizzard subunit as actively interfering in UK political processes and democratic institutions. These historical incidents illustrate a pattern of persistent, multi‑vector operations that blend espionage, disruption, and influence‑seeking, reinforcing the need for continuous vigilance and proactive defence.
Conclusion and Call to Action
The joint NCSC advisory serves as a clear, actionable reminder that Russian state‑backed actors remain a potent threat to the UK’s critical national infrastructure. By exploiting readily available weaknesses such as outdated SNMP configurations and unpatched Cisco devices, Centre 16 can establish footholds that may precede more damaging operations. Organisations—especially those in the communications, energy, healthcare, defense, and finance sectors—must implement the recommended hardening steps immediately, pursue certifications like Cyber Essentials, and leverage frameworks such as the Cyber Assessment Framework to build and maintain resilience. Sustained vigilance, regular assessment, and a commitment to best‑practice cyber hygiene are essential to safeguard national security against the ongoing and evolving campaigns of Russian intelligence services.
Stay informed by following trusted cyber‑security sources and updating defences as new threat intelligence emerges.

