NCSC issues warning over Russian intelligence-backed threat group
The advisory comes as the government cracks down on groups involved in “destructive cyber and hybrid operations”
The National Cyber Security Centre (NCSC) has urged UK organizations to remain vigilant for attacks waged by Russian state-backed hackers.
As part of an advisory published in collaboration with 18 other agencies, the cybersecurity center specifically highlighted techniques employed by Russian FSB’s Centre 16 threat actors.
The group has been “opportunistically” targeting vulnerable routers and critical national infrastructure globally in recent months, the advisory warns.
Centre 16 goes by a number of names, including Berserk Bear, Static Tundra, and Ghost Blizzard, according to the NCSC. The group primarily uses SNMP (Simple Network Management Protocol) scans to locate and compromise vulnerable routers.
The group has also been observed exploiting vulnerabilities in Cisco devices, web portal flaws, and vulnerabilities in Cisco’s Smart Install (SMI) feature to seize network devices.
The advisory comes as the UK government implements sanctions against 24 individuals and entities behind “destructive cyber and hybrid operations” which have employed criminal groups via proxy networks.
Jonathon Ellison, NCSC Director of National Resilience, said these activities require organizations to remain in a heightened state of vigilance moving forward.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
“The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter,” he said.
“Today’s joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK’s critical infrastructure.”
Russian hackers targeting key sectors
Organizations across a host of sectors worldwide are at risk from the group, according to the advisory.
Those operating in the communications, energy, healthcare, defense, and financial services industries in particular are firmly in Centre 16’s crosshairs.
The security agency urged organizations in these domains to take action immediately. This includes disabling the use of legacy SNMP versions and switching to SNMPv3 to lower their risk of compromise.
Similarly, organizations are advised to implement “strong and unique passwords for network devices, and restrict access to management protocols”.
Call to action
In addition to basic defensive measures, the NCSC also encouraged at-risk organizations to obtain Cyber Essentials certification.
This is a government-backed initiative for organisations to show they meet the recognized minimum standards for cybersecurity.
Organizations can also make use of the Cyber Assessment Framework, allowing them to audit their security capabilities, operational maturity, and bolster cyber resilience techniques.
“I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise,” Ellison commented.
Repeated warnings
This isn’t the first warning issued by the NCSC over Centre 26 activities in recent years. The security agency, alongside international counterparts, attributed the December 2025 attack on Poland’s energy grid to the unit.
Various subunits and techniques employed by Centre 16 have also been exposed over the last three years. The security agency called out a Centre 16 unit known as ‘Turla’ in 2023 over the deployment of Snake malware, for example.
The malware strain has been a key component of Russian-backed espionage campaigns for nearly two decades, the NCSC said at the time.
A similar advisory that year also shed light on a group known as Star Blizzard. The NCSC said this particular subunit of Centre 16 was actively interfering in UK politics and democratic processes.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Data centers gobbled up 23% of Ireland’s electricity supply in 2025News Figures from the Central Statistics Office come amidst rising concerns over the impact of data centers on Ireland's power grid
-
Geekom M16 reviewReviews Geekom once again shows it can deliver a high-quality, capable, yet affordable laptop with no significant weaknesses
-
UK’s Cyber Resilience Pledge gathers momentum as 60 firms sign up to bolster capabilitiesNews The voluntary pledge sees organizations tightening up their defences, particularly against supply-chain attacks
-
Hostile states behind three-quarters of UK critical infrastructure attacksNews NCSC CEO warns that with the rise of AI, the danger is only set to get worse
-
NCSC urges organizations to shore up supply chain security practicesNews With attackers increasingly compromising open source packages to spread malware, organizations need to be on their guard
-
A ‘perfect storm’: NCSC chief issues warning over quantum threats, nation-state hackers, and the dangers of global ‘hacktivism’News NCSC CEO Richard Horne says nation-state attacks, AI and the looming quantum threat require stronger global collaboration
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
NCSC issues alert over Russian hacker campaign targeting SOHO routersNews The APT28 group has exploited vulnerable internet routers to covertly reroute internet traffic through malicious servers
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
The NCSC touts honeypots and ‘cyber deception’ tactics as the key to combating hackers — but they could ‘lead to a false sense of security’News Trials to test the real-world effectiveness of cyber deception solutions have produced positive results so far