NCSC issues warning over Russian intelligence-backed threat group

The advisory comes as the government cracks down on groups involved in “destructive cyber and hybrid operations”

Insignia of the UK's National Cyber Security Centre (NCSC) pictured on a smartphone screen with blurred blue, green, and orange coloring in background.
(Image credit: Getty Images)

The National Cyber Security Centre (NCSC) has urged UK organizations to remain vigilant for attacks waged by Russian state-backed hackers.

As part of an advisory published in collaboration with 18 other agencies, the cybersecurity center specifically highlighted techniques employed by Russian FSB’s Centre 16 threat actors.

The group has been “opportunistically” targeting vulnerable routers and critical national infrastructure globally in recent months, the advisory warns.

Centre 16 goes by a number of names, including Berserk Bear, Static Tundra, and Ghost Blizzard, according to the NCSC. The group primarily uses SNMP (Simple Network Management Protocol) scans to locate and compromise vulnerable routers.

Latest Videos From

The group has also been observed exploiting vulnerabilities in Cisco devices, web portal flaws, and vulnerabilities in Cisco’s Smart Install (SMI) feature to seize network devices.

The advisory comes as the UK government implements sanctions against 24 individuals and entities behind “destructive cyber and hybrid operations” which have employed criminal groups via proxy networks.

Jonathon Ellison, NCSC Director of National Resilience, said these activities require organizations to remain in a heightened state of vigilance moving forward.

“The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter,” he said.

“Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK’s critical infrastructure.”

Russian hackers targeting key sectors

Organizations across a host of sectors worldwide are at risk from the group, according to the advisory.

Those operating in the communications, energy, healthcare, defense, and financial services industries in particular are firmly in Centre 16’s crosshairs.

The security agency urged organizations in these domains to take action immediately. This includes disabling the use of legacy SNMP versions and switching to SNMPv3 to lower their risk of compromise.

Similarly, organizations are advised to implement “strong and unique passwords for network devices, and restrict access to management protocols”.

Call to action

In addition to basic defensive measures, the NCSC also encouraged at-risk organizations to obtain Cyber Essentials certification.

This is a government-backed initiative for organisations to show they meet the recognized minimum standards for cybersecurity.

Organizations can also make use of the Cyber Assessment Framework, allowing them to audit their security capabilities, operational maturity, and bolster cyber resilience techniques.

“I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise,” Ellison commented.

Repeated warnings

This isn’t the first warning issued by the NCSC over Centre 26 activities in recent years. The security agency, alongside international counterparts, attributed the December 2025 attack on Poland’s energy grid to the unit.

Various subunits and techniques employed by Centre 16 have also been exposed over the last three years. The security agency called out a Centre 16 unit known as ‘Turla’ in 2023 over the deployment of Snake malware, for example.

The malware strain has been a key component of Russian-backed espionage campaigns for nearly two decades, the NCSC said at the time.

A similar advisory that year also shed light on a group known as Star Blizzard. The NCSC said this particular subunit of Centre 16 was actively interfering in UK politics and democratic processes.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.