Russian Default Password Flaw Exposes Aussie Networks

Australian critical infrastructure is being probed by Russian state-backed hackers exploiting something basic, devices still running on factory-default passwords.
Updated on

Australian Signals Directorate has joined 12 partner nations in a joint alert that Russia’s Federal Security Service operators are quietly breaking into internet-facing networking gear worldwide. Intelligence agencies say these Russian-backed teams have been abusing badly configured routers and similar devices since at least 2015, often without drawing attention.

The warning follows more than two years after the Medibank breach, which exposed sensitive records for about 9.7 million Australians, including detailed medical histories. Cyber authorities say the newest wave of activity relies less on elite hacking tools and more on simple negligence.

The advisory, released on Tuesday, calls out Russian Federal Security Service Centre 16 and is endorsed by agencies from the United States, United Kingdom, Canada, New Zealand and nine European countries. Security companies track the same group under several labels, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra.

ASD says the primary Australian exposure lies in critical infrastructure, naming communications, energy, finance, healthcare, government at state and local level and the defence-industrial base as key targets. Allied agencies “strongly urge” equipment owners and network defenders to move quickly on mitigation and remediation steps to blunt these incursions.

Attackers are using straightforward tactics. They scan large ranges of internet addresses for routers running outdated versions of Simple Network Management Protocol, then try common or default “community strings” that function like passwords left on factory settings.

Once they gain access, they instruct the device to copy its configuration file, often labelled something like “config.bkp” or “output.txt”, and send it to a server they control. That file usually contains login credentials, network maps and sometimes weakly hashed passwords that can be cracked for deeper access into corporate or operational systems.

On legacy Cisco hardware, the advisory says the same operators also leverage known vulnerabilities such as CVE-2018-0171 and misuse the Smart Install feature, which should have been disabled after setup but frequently remains active.

Cyber agencies recommend several concrete defences that work across multiple threat groups, not just Russian units. Organisations are urged to upgrade to SNMPv3, which adds stronger authentication and encryption protections, and to switch off Cisco’s Smart Install on any device where it is still enabled.

The guidance also focuses on better credential hygiene, including storing passwords with Type 8 hashing so that even if configuration files are stolen, attackers cannot easily recover plain-text credentials. Network operators are advised to restrict management interfaces behind firewalls, blocking external access to administration ports altogether.

ASD is pushing Australian operators to report suspicious activity at cyber.gov.au or via the 1300 CYBER 1 hotline. Agencies say these same fixes help blunt similar campaigns from other state-backed hackers around the world.

Sources

Updated on

Our Daily Newsletter

Everything you need to know across Australian business, global and company news in a 2-minute read.