A Coordinated Response, Finally
On July 13, 2026, CISA, the NSA, the FBI, the DoD Cyber Crime Center and the UK's National Cyber Security Centre — joined by counterparts from a dozen allied nations including Australia, Canada, France, Poland and Finland — published Joint Cybersecurity Advisory AA26-194A, "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting." The same day, the UK and EU announced their first-ever joint cyber sanctions package, formally attributing a failed December 29, 2025 attack on Poland's power grid to the FSB's Center 16 unit — also tracked in industry reporting as Berserk Bear, Energetic Bear, Dragonfly and Static Tundra (NCSC, July 13, 2026).
The technical story is unglamorous, which is precisely the point. Center 16 operators scan the open internet for routers still running SNMP with default or weak community strings, then issue SNMP Set-Requests that abuse Cisco's CISCO-CONFIG-COPY-MIB function to exfiltrate device configurations over TFTP — a protocol designed in the 1980s with no authentication. Where that fails, they fall back on unpatched Cisco Smart Install exposure. None of this requires a zero-day. It requires an administrator who never changed a factory password (NCSC advisory).
The stakes are not abstract. The Poland attack deployed data-wiping malware against more than 30 wind and solar farms, a combined heat-and-power plant and a manufacturing site — an operation UK officials say could have cut electricity to roughly 500,000 people in the depth of winter had it succeeded (gov.uk, July 13, 2026). It was initially misattributed to the Sandworm unit by private researchers before Poland's CERT traced it back to Center 16 — itself a reminder that attribution in this space is slow, contested, and easy to get wrong even for well-resourced defenders.
The Case for Going Further
There is a real argument that advisories and sanctions are not enough. Critical infrastructure operators have had SNMPv3 available — with proper authentication and encryption — for over two decades, and default-credential compromises keep happening anyway, which suggests voluntary hygiene guidance has hit its ceiling. Proponents of binding rules, such as the EU's NIS2 Directive (2022/2555) already imposing cybersecurity risk-management duties on energy and communications operators, could reasonably argue that a decade-plus campaign against the same known weaknesses justifies mandatory configuration audits, device certification requirements, or liability for operators who leave management interfaces internet-facing. That case deserves a fair hearing: repeated failure of voluntary compliance is exactly the pattern that regulatory mandates exist to correct.
Why Advisory-Plus-Sanctions Is Still the Right Calibration
Even so, the response the allies actually chose is the proportionate one, and it should be preferred over a rush toward new hardware mandates. AA26-194A does not compel anything — it names the exact abused function (CISCO-CONFIG-COPY-MIB), the exact protocol weakness (unauthenticated TFTP), and the exact fix (SNMPv3, disabling Smart Install, restricting management-plane access to trusted networks). That is a far more useful intervention than a generic certification regime, because it's actionable within days rather than years, and it doesn't burden the thousands of smaller ISPs and municipal utilities running perfectly serviceable Cisco gear that simply needs reconfiguring, not replacing.
The sanctions leg is similarly targeted rather than sweeping. The UK designated 24 individuals and entities; the EU Council sanctioned nine individuals and four entities — thirteen targets in total, including bulletproof-hosting provider Media Land LLC and its owner, plus the hacktivist front group Z-Pentest (Council of the EU, July 13, 2026). Naming specific enablers — hosting providers, front companies, individual officers — imposes real travel and asset costs on the people who keep this infrastructure running, without the collateral damage of broad sectoral sanctions that would mostly hit Russian civilians and third-country businesses.
The Honest Limits
None of this will stop Center 16 outright, and pretending otherwise would be dishonest. FSB officers sanctioned by the UK and EU are not going to show up at a Brussels airport. As Foreign Secretary Yvette Cooper put it, the goal is to strip away the "proxy groups" Russia hides behind, not to end the underlying intelligence campaign (gov.uk). Deterrence here works cumulatively — raising the operational cost of front companies and hosting providers over years — not through any single package.
The Better Lever
The more consequential policy question is not whether governments should sanction harder, but whether operators will actually act on AA26-194A's specific, low-cost guidance. A decade of identical warnings about default SNMP credentials suggests attribution alone hasn't driven patching. That points toward sector-specific enforcement of existing frameworks like NIS2 — auditing whether energy and communications operators have actually disabled legacy SNMP and closed exposed management interfaces — rather than writing new device-design mandates that arrive years after today's routers are already deployed. Proportionate regulation means using the tools that match the actual failure: this was a hygiene gap, not a market-design defect, and the fix belongs in enforcement of what already exists.