Daylila

Cybersecurity · Tuesday, 14 July 2026

01 · Briefing · what happened

The EU and UK named Russia's hackers — and 13 governments warned they're living in the world's routers

Cybersecurity 4 min 31 sources

Europe imposed its first joint cyber sanctions on Russian intelligence officers the same day the US and a dozen allies warned that the same group is quietly living inside routers worldwide, exploiting weak passwords and flaws left unpatched since 2008.

Key takeaways

  • Britain and the EU imposed their first joint cyber sanctions on Russian intelligence officers, while the US and twelve allies warned the same hackers are breaking into critical networks through routers worldwide.
  • The way in is dull on purpose: default passwords, plain-text protocols, and flaws left unpatched since 2008 — because the router facing the internet is the one device no security tool watches.
  • The same blind spot showed up all week: a file-sharing appliance told customers to shut it down, a global campaign hit forgotten website plugins, and a lab breach exposed 540,000 people's medical records.

Monday was a coordinated day against Russia’s state hackers. The European Union, its member governments and the United Kingdom sanctioned Russian individuals and organisations over a years-long spying campaign [13]. Hours later, the United States and twelve other countries put out a joint technical warning that the same kind of Russian unit is breaking into critical networks around the world — through the routers almost no one thinks to defend [8][14].

Naming the spies, and blaming them for the lights

The EU sanctioned nine Russian individuals and four organisations; the UK named 24 people and entities [13][6]. It was the first time the two have imposed cyber sanctions together [6][13]. Most of the action took aim at Center 16 of Russia’s Federal Security Service, the FSB — the intelligence arm behind a hacking group tracked under a pile of names, most commonly Turla [13].

The EU said the Turla campaign has run since 2010, when it first hit the French government, and has since reached Germany, Poland, the Netherlands, Austria, Finland and others [13]. Officials also formally blamed FSB Center 16 for last winter’s attack on Poland’s power grid — one they said could have cut heat to about 500,000 people in the cold [13][6]. Sanctions can’t arrest an intelligence officer sitting in Moscow. What they do is strip the anonymity: put the names on paper, freeze any assets in reach, and make travel and money harder for the people involved [13].

The way in: the box in the closet

The technical warning, issued the same day, is the more useful half for anyone who runs a network [8]. Thirteen governments said FSB Center 16 hackers — also tracked as Berserk Bear, Energetic Bear and Static Tundra — have spent years breaking into critical infrastructure by going after networking gear: routers and the equipment that shuttles traffic in and out [8][14].

The method is unglamorous, which is the point. The attackers scan the open internet for routers still using default or weak passwords [14][8]. Many run an old management protocol, SNMP, in versions that send their passwords across the network in plain text — readable by anyone listening [14]. With one of those passwords, an attacker can quietly tell the router to copy out its own configuration and ship it to a server they control [14]. They have also used flaws in Cisco equipment that are strikingly old: one from 2018, and one from 2008 — a patch for the 2018 bug has existed since the day it was disclosed [8].

Why routers? Because they are the devices security tools ignore. No antivirus runs on your router. Nobody watches its logs. It sits facing the whole internet, switched on for years, and most people forget it is a computer at all. The affected sectors read like a list of everything that matters: defence, communications, energy, finance, government and healthcare [8][14][6]. The US National Security Agency’s advice was blunt — “basic router hygiene” is what deters a state-level attacker [6]. Change default passwords, turn off features you don’t use, keep firmware current, and watch for logins you can’t explain [8].

The same blind spot, three times this week

The router warning wasn’t the only reminder that danger lives in the infrastructure nobody’s looking at. Progress Software told ShareFile customers on July 10 that it had spotted “a credible external security threat” against the Storage Zone Controllers that hold their private files [5]. The company temporarily cut off access and — unusually — asked customers to manually shut down the servers running that software [5]. Progress said it had no evidence anyone reached customer data, but three days later it still hadn’t posted an update, leaving users guessing [5]. ShareFile is the same product family as MOVEit, the file-transfer tool at the centre of one of 2023’s largest breaches — another edge appliance that turned into a front door.

Australia’s cyber agency, meanwhile, warned on July 9 of a “highly scaled” global campaign scanning websites for flaws in the content-management systems that run them — WordPress, Joomla and others — and their bolt-on plugins [1]. One Joomla extension flaw, in a form-builder called Balbooa Forms, scored a perfect 10 for severity and was being exploited before a patch existed [2][1]. Attackers who succeed plant a “webshell” — a hidden control panel that lets them run commands on the server and use it to burrow deeper [1]. The vulnerable pieces were, again, the add-ons people install and forget.

One breach that lands closer to home

Not everything this week was infrastructure. A US medical testing firm, Centers Laboratory, disclosed a breach affecting about 540,000 people [19]. Medical breaches are worth more to criminals than a leaked password, because the data — names, insurance details, test records — can’t be reset. If you’re notified you were affected, the useful move isn’t panic; it’s watching for phone calls or emails that quote real details about you to seem trustworthy, and treating any “verify your account” message that follows a breach as a likely scam.

The thread running through all of it: the weak spot is rarely the thing you stare at. It’s the router in the cupboard, the appliance you bought once, the plugin you installed and forgot. Attackers have simply learned to move into the rooms your cameras don’t cover.

02 · Lesson · why it matters

The danger moves to wherever you stopped looking

Defenses cluster where we pay attention — so the break-in comes through the part of the system we long ago stopped thinking about.

The same day Europe put the names of Russian intelligence officers on paper, thirteen governments warned that those same hackers were living somewhere ordinary: inside routers. Not stolen through some dazzling new trick. In through devices running weak passwords and a flaw first disclosed in 2008 — with a fix that has existed just as long. The break-in was not clever. It was patient, and it happened in a place no one was watching.

That gap — between where we guard and where we get hit — is the whole story.

We built our defenses around the things we touch

Think about what “being careful online” has come to mean. You have a password manager. You turned on the second check for your email. Your phone updates itself. Your work laptop runs software that scans for viruses and flags a bad link. All of it points at the parts of your life you handle every day — the accounts, the screens, the logins.

None of it points at the router.

The router is a small computer that sits between you and the whole internet, switched on every hour of every year. No antivirus runs on it. No one reads its logs. Most people never open its settings after the day it was plugged in, and would struggle to say what version of anything it runs. It is the most exposed machine you own and the least watched. The same is true, at a bigger scale, of the appliances a hospital or a power company installs once and forgets — the file-transfer box, the network gear, the plugin bolted onto a website years ago.

Security became a set of things we do to the front of the house. The plumbing got left to whoever installed it.

An attacker doesn’t want a fight. It wants a quiet room

Here is why the blind spot matters so much. A strong lock, guarded and watched, is a fight — and a fight gets noticed. An unwatched device is not a fight. It is a place to move in and stay.

The Russian group Europe just sanctioned has been at this since 2010. That is the tell. Their advantage was never speed; it was patience. And patience only works if no one is looking. You cannot sit inside a laptop for years — someone runs a scan, something flags it, the machine gets replaced. You can sit inside a router for years, because a router is furniture. It hums in a cupboard and no one ever thinks to ask what it’s doing.

So the attack doesn’t go where the wall is weakest. It goes where the wall isn’t watched. Those are different things, and confusing them is how a network with excellent defenses still loses.

”It just works” is a decision, not a fact

It feels like a law of nature that the router just works and doesn’t need your attention. It isn’t. It’s a choice — one made mostly by not deciding. We spent our attention where the fear was loud: passwords, phishing, the accounts we log into. The infrastructure that carries all of it drew none of that attention because it never demanded any. It asked for nothing, so it got nothing.

That arrangement genuinely serves us. Nobody could function if they had to actively think about every device that touches their data. Forgetting the plumbing is what lets us use the water. But the same forgetting is exactly the room the attacker walks into. Both are true at once — the convenience and the exposure are the same act. Naming that isn’t blame. It’s just seeing the shape of the thing.

The blind spot is in your house too

It is tempting to file this under “governments and power grids” and move on. Don’t. The router the Russian hackers hunt for — old firmware, a default or reused password, facing the open internet — is very likely the one behind your television. The flaw left unpatched since 2008 is a version of the update you’ve been ignoring on the box in your hallway.

You are not watching a distant war between states. You are standing inside the same pattern, at a smaller scale, with the same unwatched device. The power company’s forgotten appliance and your forgotten router are running the same story. The only real difference is what’s on the other side of the door.

The whole is bigger than the part you’re guarding

The uncomfortable truth underneath all of this is simple: the map of “what I’m protecting” is always smaller than the system I actually depend on. We guard what we can see and think about, and we depend on far more than that — the routers, the appliances, the quiet software that carries everything and asks for nothing.

You can’t watch all of it. No one can; that’s not the point. The point is to hold the feeling of “I’m covered” a little more loosely — to remember that the parts you’ve stopped noticing are still there, still on, still connected to everything else. The danger was never only where you were looking. It rarely is.

03 · Lab · your turn

Where Do You Look?

Spend limited defensive attention across a network and watch the attacker walk in through whichever device you left unwatched.

04 · Hope · carry this

There is comfort hidden inside the warning. If a state's best hackers get in through a forgotten password, then the defense is something an ordinary person can actually do — and thirteen governments just published, for free, exactly where to look.

Across the beats