DEV Community

Cover image for Router Configuration Theft: What to Investigate After the Rebuild
Kerry Kier
Kerry Kier Subscriber

Posted on • Originally published at blog.vertexops.org

Router Configuration Theft: What to Investigate After the Rebuild

An SNMP Set request can make a router write its own configuration to a file and send that file to an external system.

That is the mechanism network defenders should notice in the joint router-security advisory released July 13, 2026. The participating agencies attributed the activity to actors associated with Center 16 of Russia's Federal Security Service.

The reported workflow does not require a novel implant. The actors scan for routers accepting legacy SNMP, try weak or default community strings, and send SNMP Set requests that invoke supported configuration-copy functions. The router then transfers its configuration, typically over TFTP, to external infrastructure.

The router is not merely the target. It performs the export.

That distinction changes what responders need to investigate after the device has been rebuilt.

Why endpoint detection is a poor fit

There may be no malicious executable, child process, or endpoint file-access alert. The activity occurs through the router's management plane using functions the device was built to provide.

The advisory supplies two Cisco OID examples for monitoring. One identifies the ccCopy configuration-copy subtree, while the other identifies a destination server address.

The destination-address object cited in the advisory, ccCopyServerAddress, is deprecated and limited to IPv4. Newer implementations can use ccCopyServerAddressType and ccCopyServerAddressRev1.

That creates an implementation detail worth checking in detection rules. Exact matches against the advisory's two examples can miss a valid transaction using ccCopyServerAddressRev1. Prefix matching on the ccCopy subtree, combined with monitoring for SNMP Set requests, covers the replacement object.

Egress controls matter as much as the inbound request. If a router can initiate arbitrary TFTP transfers, the configuration-copy function already has an exit path. External TFTP should be blocked unless it is operationally required and closely monitored where it cannot be blocked.

The requests described by the agencies can also use spoofed source addresses. The NCSC's router guidance pairs management-source allowlists with edge anti-spoofing so packets falsely claiming to originate from an approved management platform are dropped.

The configuration expands the incident boundary

A router configuration can disclose local credentials, SNMP community strings, management addresses, routing relationships, interface descriptions, access-control rules, neighboring systems, and trusted sources.

Strong password protection reduces part of that exposure, but it does not hide the surrounding topology or management design. The file can still tell an attacker which systems administer the device, which sources are trusted, and which adjacent targets deserve attention.

The FBI has documented both configuration collection and further activity in this campaign. In an August 2025 warning, it reported that Center 16 actors had collected configurations from thousands of networking devices associated with US critical-infrastructure entities during the preceding year.

On some vulnerable devices, the actors modified configurations to enable unauthorized access. They used that access for reconnaissance that revealed interest in protocols and applications associated with industrial control systems.

The FBI did not say that every collected file contained reusable credentials or that each collection event produced deeper access. It did establish that configuration collection, device modification, and downstream reconnaissance occurred within the same campaign.

Replacing the original router does not recover information that has already left it.

Four questions after a suspected export

Responders should establish:

  1. Was a configuration exported, and where was it sent?
  2. Which credentials or shared secrets did the exported configuration contain?
  3. Where else were those credentials or trust relationships used?
  4. What changed on the router or adjacent management systems?

A shared SNMP community string can extend the exposure across a device class. A reused local administrator credential requires review and likely rotation everywhere it is accepted. A disclosed management address or trusted source may identify another path that needs separate investigation.

Compare the current configuration with a trustworthy known-good version. Look for unexpected accounts, altered access-control entries, new routes or tunnels, changed management destinations, and newly enabled services.

Preserve device logs outside the router. A compromised device should not be the only custodian of evidence about its own management activity.

SNMPv3 is a starting point

The joint advisory and the NSA's guidance on reducing SNMP abuse recommend SNMPv3 with authPriv, which adds authentication and encryption.

NSA also states that SNMPv3 alone is insufficient. A compromised or over-privileged SNMPv3 credential can still reach sensitive objects unless its permissions are constrained.

The stronger design separates read and write authority, limits accessible objects with MIB views, restricts management traffic to approved systems, places management on a separate network where practical, monitors configuration-copy operations, and blocks unnecessary outbound management protocols.

Where older equipment or management software cannot support authPriv, NSA identifies authNoPriv as the fallback but still directs operators to upgrade.

The response therefore begins with two inventories: every device that still accepts SNMPv1 or SNMPv2, and every secret or trust relationship that would be exposed if its configuration left the network.

If the runbook stops after rebuilding the router, it stops too early. Follow the exported configuration through the credentials, systems, and management paths it disclosed.

Top comments (0)