This week the National Cyber Security Centre, alongside eighteen agencies from twelve countries, published an advisory on the exploitation of poorly configured routers by Centre 16 of Russia’s Federal Security Service. The technical guidance is sound, and organisations should act on it without delay. Move to SNMPv3, retire the legacy versions, replace default community strings and weak passwords, and lock down access to management protocols. If you run anything that matters on Cisco equipment, the Smart Install and web-portal weaknesses named in the advisory deserve attention today, not next quarter.
I have spent most of my career either responding to intrusions of this kind or helping organisations prepare for them, so my concern is not whether the guidance is correct, because of course it is. My concern is how the advisory will be received, which in most organisations will be as a networking problem, a ticket for the infrastructure team, patched by Friday and closed by Monday. That reading is precisely the mistake the adversary is counting on.
Cyber Campaign: One Campaign, Two Faces
Look at what was published alongside the technical advisory. On the same day, the UK and the European Union imposed their first joint cyber sanctions package, naming twenty-four individuals and entities. They attributed the December 2025 attack on Poland’s energy grid to the same FSB unit, an attack that failed but was designed to take electricity from half a million people in the depths of winter. The sanctions reach into GRU proxy operations, into a company recruiting hackers out of Russian universities, and into the criminal networks behind credential-stealing tools that have already claimed more than two thousand victims in the UK in a matter of months.
That is the real shape of the threat, in which the router is only the door and the campaign behind it runs through people, suppliers and stolen credentials. Centre 16 scans the internet for weak devices because it is patient and opportunistic, but the same programme of activity also buys its way in through criminal proxies, harvests logins at scale, and holds the option to disrupt physical infrastructure whenever a foreign policy objective calls for it. Describing that as a cyber problem is like describing a burglary as a lock problem, technically true and almost entirely beside the point.
How Gaps Between Cyber, Physical and Personnel Security Create Risk
Here is what troubles me most about the way organisations are built to respond. Cyber risk sits with IT, people risk with HR, physical security with facilities and supplier risk with procurement, and while each of those functions is competent within its own boundary, each is largely blind to the others. Nobody owns the space between them.
A hostile intelligence service lives in exactly that space. It will compromise a router to reach a network, use a stolen credential that HR never knew was exposed, lean on a supplier that procurement onboarded without a second look, and, where the prize is high enough, place a person on the inside. No single department sees the whole of that, because no single department was built to. The advisory describes the technical entry point. The sanctions describe everything that sits around it. Read together, they are a stark warning that fragmented defence is no defence at all against an adversary that operates across every domain at once.
This is the argument I now make to boards, and it is the reason I work where I do. Resilience against a hybrid campaign cannot be assembled from separate specialists reporting up separate chains. It has to be owned as one picture, informed by a genuine understanding of how a hostile service behaves rather than how a vendor’s product category defines it. The organisations that come through these events well are the ones where cyber, physical, human and supplier risk are governed together, not treated as unrelated line items on four different budgets.
What Boards Should Ask About Cyber Resilience and Recovery
The useful questions after an advisory like this are not technical. They are questions of ownership and recovery. If this actor were already inside, who in the organisation would connect the router anomaly to the unusual supplier access to the credential that surfaced on a criminal marketplace? Which functions of the business genuinely must keep running through and despite of a serious disruption, and have you built the ‘lifeboat’ that would carry them, a minimum, secure environment prepared before the incident rather than improvised during it? When did the board last rehearse its own decisions under attack, as opposed to reading a plan that quietly assumes everything still works?
None of that is answered by a firmware update. It is answered by leadership deciding that security and resilience are an enterprise responsibility, owned at the top, tested under pressure, and understood as a single coherent posture rather than a collection of departmental activities.
Why Patching Routers Is Only Part of the Response
So, fix the routers this week, because it is both necessary and urgent, but do not let the narrowness of the technical fix reassure you about the breadth of the threat. The advisory tells you how they get in, and the sanctions tell you who they are and what they are prepared to do. Make no mistake, the threat landscape has adapted. This is the most difficult geopolitical period most of us have worked through, and it asks a great deal more of us than patching whatever the latest advisory happens to name. The only adequate response is to stop defending your organisation in pieces and start defending it as a whole.
If your board has not had this conversation, I am happy to have it with you.
Mark Raeburn leads Cyber Security and Resilience at GSA Global. He founded Context Information Security, helped establish CREST, and worked with the Bank of England on the design of the CBEST framework.



