The router is usually left out of our attention: we install it, check that there is a connection and let it continue working for months or years. However, that small piece of equipment that connects a home or office with the Internet can also become a useful piece for those seeking to hide their operations. The problem is not in what we see, but in what can happen in the background when the configuration is weak or the firmware becomes outdated. And there begins a story that no longer only affects security specialists.
The hiding place was in the router. That possibility ceased to be an abstract warning on July 13, 2026. CISA, the United States Cybersecurity and Infrastructure Security Agency, warned that Actors from Center 16 of the FSB, the Russian security service, continue to exploit vulnerable or misconfigured network devices in different countries. According to the notice, this activity has already allowed networks in several critical infrastructure sectors to be compromised. The warning was issued jointly with organizations in Australia, Denmark, New Zealand and the United Kingdom.
A borrowed identity. The goal is not to stay on the router, but to use it as an intermediary for other operations. When traffic passes through a device installed in a home or small office, the connection may appear to be that of any legitimate user. It is what is known as residential proxy– A domestic connection used as an intermediary to hide where the attacker is actually acting from. For an organization’s defenses, distinguishing at first glance between a normal connection and malicious activity is much more difficult.
Tracking begins on the Internet. To find new devices, attackers scan IP address ranges looking for routers with SNMP agents assets, a protocol used to query and manage computers connected to a network. The risk appears when that service is exposed and accepts common credentials or those that were configured at the factory. In that scenario, the team may respond to someone who should not have access. The first step is, therefore, to locate which ones are still advertising on the Internet with a weak configuration.
From objective to tool. Finding an exposed router is not enough to control it. According to CISA, the actors send malicious traffic with spoofed source IP addresses and leverage the misconfigured SNMP agent to execute malware on the device. They also do so from networks made up of other already compromised routers, so that the system feeds itself. The process has three phases: first they find the equipment, then they exploit its configuration and, finally, they incorporate it into the network from which they will continue searching for new targets.
The attack comes from another house Once incorporated into this network, the router begins to act as an exit node, that is, as the last visible point before the traffic reaches the target. To the person receiving the connection, the activity does not appear to come from systems linked to the FSB, but rather from a legitimate-looking IP address. This coverage can reduce the chances of automatic blocking and complicates the work of those trying to reconstruct the route to those responsible for the operation.
A chase that never ends: The usefulness of this network of intermediaries is better understood when we look at its possible destinations. CISA points to communications networks, defense, energy, financial services and public organizations, all sectors where an apparently legitimate connection can facilitate probes or subsequent attacks. The phenomenon, furthermore, did not begin with this warning: Russian and Chinese actors have been fighting and reusing compromised routers for years. Although governments and companies have managed to disinfect devices and dismantle botnets, their operators usually rebuild them by incorporating new equipment.
Close the door. CISA recommends disabling SNMP 1 and 2, versions that do not encrypt passwords or incorporate current protections, and using SNMP 3 only when necessary. If we do not use this protocol to manage the network, the safest option is to turn it off completely. The agency also advises disabling Cisco Smart Install, replacing weak credentials, installing firmware updates, and limiting other unnecessary network protocols. The router can go unnoticed for years, but that does not mean that we should leave it running without maintenance.
Images | Xataka with Nano Banana

GIPHY App Key not set. Please check settings