On July 9, 2026, the National Security Agency (NSA) and 18 other domestic and international cybersecurity agencies jointly published Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, an advisory detailing Cisco-focused activity attributed to Energetic Bear, a threat actor linked to Russia’s Federal Security Service (FSB).
Energetic Bear, also known as Dragonfly, Ghost Blizzard, and Crouching Yeti, is a state-backed actor that has been active since at least 2010. Known for targeting the energy sector, this sophisticated group has historically relied on well-known n-day vulnerabilities in client-side attacks, including CVE-2012-1723 in the Java Runtime Environment, CVE-2012-4792 in Internet Explorer, and CVE-2011-0611 in Adobe Flash Player.
Sophisticated State Actor, Unsophisticated Technique
The activity described in the NSA advisory is not sophisticated. Rather than exploiting users, Energetic Bear scans the internet for exposed Cisco SNMP services, guesses weak or default community strings, and uses legitimate configuration-copy functionality to retrieve running configurations. Metasploit has included a module implementing this technique since at least 2010.
Running configurations can expose credentials, internal addressing, routing relationships, access-control rules, and other details useful for expanding access into the victim network. Metasploit even includes a separate module for importing and parsing stolen Cisco IOS configurations. The offensive value of these files has been understood for a long time.
The problem isn't understanding why Energetic Bear is doing this. It's identifying the systems that remain vulnerable to it.
Finding Exposed Cisco SNMP With Target Intelligence
VulnCheck Target Intelligence approaches the internet with the same basic question Energetic Bear asks: where are the vulnerable systems? For this advisory, that becomes even more specific: which Cisco devices are exposing SNMP to the public internet?
A single Target Intelligence API query surfaces Cisco devices observed responding to SNMP on the public internet:
https://api.vulncheck.com/v3/index/target-intel?protocol=snmp&vendor=cisco
At the time of our analysis, the query returned thousands of Cisco SNMP endpoints. Given Energetic Bear’s continued success, the result is not especially surprising.
The example below shows a Cisco C800 series router running IOS 15.3(3)M6, a software release that reached its last date of support more than five years ago. The system is publicly reachable over SNMPv2c and responds to the default public community string. Target Intelligence also maps the observed software to associated vulnerabilities and enriches the device with network ownership and location data.
The associated CVE array was omitted for brevity.
{
"ip": "94.77.200.34",
"hostname": "94-77-200-34.static.go.com.sa",
"port": 161,
"timestamp": "2026-07-09T01:30:34.049Z",
"protocol": "snmp",
"cpe": [
"cpe:2.3:o:cisco:ios:15.3:*:*:*:*:*:*:*"
],
"cve": [
"truncated"
],
"vendor": [
"cisco"
],
"product": [
"ios"
],
"version": [
"15.3"
],
"asn": "AS47794",
"as_name": "Etihad GO Company For communications",
"as_domain": "go.com.sa",
"country": "Saudi Arabia",
"country_code": "SA",
"metadata": {
"community": "public",
"engine_enterprise_id": 9,
"snmp_version": "v2c",
"sys_descr": "Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1)\r\nTechnical Support: http://www.cisco.com/techsupport\r\nCopyright (c) 1986-2015 by Cisco Systems, Inc.\r\nCompiled Tue 04-Aug-15 05:50 by prod_rel_team",
"sys_object_id": "1.3.6.1.4.1.9.1.1852"
}
}
This is exactly the kind of externally exposed device Energetic Bear is looking for.
From Energetic Bear CVEs to Exposed Systems
The advisory also identifies two Cisco vulnerabilities used by Energetic Bear.
The first, CVE-2018-0171, has repeatedly appeared in state-sponsored activity. A similar 2025 joint advisory, Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System, also documented its use by PRC state-sponsored actors associated with Salt Typhoon.
The second, CVE-2008-4128, is old enough that defenders might reasonably assume affected systems have disappeared from the internet. Target Intelligence suggests otherwise.

At the time of writing, a simple query returned hundreds of observed systems whose detected software mapped to CVE-2008-4128:
https://api.vulncheck.com/v3/index/target-intel?cve=CVE-2008-4128
One result is a Cisco 1841 router in Venezuela running IOS 12.4(1c), software compiled in October 2005. Target Intelligence identifies the system as internet-exposed, maps its detected software to CVE-2008-4128, and provides network ownership and location context users can use to investigate further.
Additional mapped CVEs were omitted for brevity.
{
"ip": "200.109.233.234",
"hostname": "200.109.233-234.cnt-02.rai.cantv.net",
"port": 161,
"timestamp": "2026-07-09T03:01:14.655Z",
"protocol": "snmp",
"cpe": [
"cpe:2.3:o:cisco:ios:12.4:*:*:*:*:*:*:*"
],
"cve": [
"CVE-2008-4128"
],
"vendor": [
"cisco"
],
"product": [
"ios"
],
"version": [
"12.4"
],
"asn": "AS8048",
"as_name": "CANTV Servicios, Venezuela",
"as_domain": "cantv.com.ve",
"country": "Venezuela",
"country_code": "VE",
"metadata": {
"community": "public",
"engine_enterprise_id": 9,
"snmp_version": "v2c",
"sys_descr": "Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)\r\nCopyright (c) 1986-2005 by Cisco Systems, Inc.\r\nCompiled Tue 25-Oct-05 17:10 by evmiller",
"sys_object_id": "1.3.6.1.4.1.9.1.620"
}
}
The advisory tells organizations what to fix, but that assumes they already know which systems are exposed. Many clearly do not. Internet exposure data has existed for years, yet translating that data into vulnerability context and applying it to a specific advisory can still require significant expertise or a mature exposure management program.
That is the gap VulnCheck Target Intelligence is intended to close. Defenders can move directly from an advisory to a simple query for the affected protocol, vendor, or CVE and surface the systems that warrant investigation. Advisories describe the risk. Accessible, vulnerability-aware exposure data makes the guidance actionable.
About VulnCheck
VulnCheck empowers organizations to transcend the challenges of vulnerability prioritization. Our suite of solutions provides product managers, PSIRT teams, and threat hunters with the tools required for accelerated, high-precision operations and infinite efficiency.
Recognizing the industry-wide necessity for superior data velocity and accuracy, we deliver high-fidelity insights to the market. We remain committed to surfacing critical intelligence on vulnerability exploitation and emerging trends, leveraging our unique dataset to support the practitioner community.