News: 1756949470

US puts $10M bounty on three Russians accused of attacking critical infrastructure

(2025/09/04)


The US State Department has put a $10 million bounty on the heads of three Russians accused of being intelligence agents hacking America's critical infrastructure - primarily via old Cisco kit, it seems.

The alert directly connects them to reports of the Russian Federal Security Service's (FSB) Center 16 - aka Berserk Bear - exploiting CVE-2018-0171, a Smart Install flaw Cisco [1]patched in 2018. The same bug was more recently abused in the Salt Typhoon hacking campaign, which the FBI [2]warns stole data from 'nearly every American', though investigators attribute that campaign to China, not Russia.

Prosecutors accuse Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov of targeting over 500 energy companies in 135 countries, using the ancient Cisco flaw to hijack thousands of networking devices, harvest information, and install malware.

"The FSB Center 16 unit conducting this activity is known to cybersecurity professionals by several names, including 'Berserk Bear' and 'Dragonfly,' which refer to separate but related cyber activity clusters," the FBI [4]warned in a public service announcement last month.

"For over a decade, this unit has compromised networking devices globally, particularly devices accepting legacy unencrypted protocols like SMI and SNMP versions 1 and 2. This unit has also deployed custom tools to certain Cisco devices, such as the malware publicly identified as 'SYNful Knock' in 2015."

[7]FBI: Russian spies exploiting a 7-year-old Cisco bug to slurp configs from critical infrastructure

[8]Despite Russia warnings, Western critical infrastructure remains unprepared

[9]If you thought China's Salt Typhoon was booted off critical networks, think again

[10]Feds put $5M bounty on 'CryptoQueen' Ruja Ignatova

The Cisco issue is in the Smart Install feature of Cisco IOS and IOS XE software, a CVSS 9.8 flaw, and one that a lot of end-of-life kit can't be patched against. But there's plenty of old kit out there still doing its job and flying under sysadmins' radar, and it's this kit the trio are accused of infiltrating.
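Both exposures the FBI text above names, an enabled Smart Install client (SMI, TCP/4786, the CVE-2018-0171 attack surface) and cleartext SNMP v1/v2c community strings, are visible in a device's running-config, so an operator hunting for the "old kit flying under the radar" can audit config dumps offline. The script below is an added example written for this page; it is not Cisco's tooling, not the FBI's, and not from the original article. The sample config is constructed, the function names are the example's own, and it assumes (as Cisco's advisory describes for affected trains) that the Smart Install client stays on unless `no vstack` is configured, which makes the first check deliberately conservative on platforms that never had SMI.

```python
"""Audit a Cisco IOS/IOS XE running-config for the two cleartext management
paths described in the FBI advisory: Smart Install (SMI, TCP/4786,
CVE-2018-0171) and SNMP v1/v2c. Added example code, not Cisco's tooling and
not part of the original article. The config text below is constructed."""
import re
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
SNMP_COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str      # "smart-install" or "snmp-v1v2c"
    detail: str


def _mask(secret: str) -> str:
    """Show only the first two characters of a community string in reports."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def audit_config(config: str) -> list[Finding]:
    """Return findings for Smart Install and SNMP v1/v2c exposure.

    Assumption (example's own): the device runs a train on which the Smart
    Install client is on unless 'no vstack' is present, as for the releases
    CVE-2018-0171 covers. On kit without SMI this is a false positive, which
    is the side to err on when hunting exposed devices.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    findings: list[Finding] = []

    smi_disabled = "no vstack" in lines
    smi_explicit = any(re.match(r"^vstack\b", ln) for ln in lines)
    if smi_explicit or not smi_disabled:
        findings.append(Finding(
            "high", "smart-install",
            "Smart Install client not disabled ('no vstack' missing); "
            "TCP/4786 answers unauthenticated SMI requests (CVE-2018-0171)"))

    for ln in lines:
        m = SNMP_COMMUNITY.match(ln)
        if not m:
            continue
        community, mode = m.group(1), (m.group(2) or "RO").upper()
        weak_default = community.lower() in DEFAULT_COMMUNITIES
        severity = "high" if (mode == "RW" or weak_default) else "medium"
        why = ("write access" if mode == "RW" else
               "well-known default community" if weak_default else "read access")
        findings.append(Finding(
            severity, "snmp-v1v2c",
            f"community {_mask(community)} grants {mode} ({why}) over cleartext "
            "SNMP v1/v2c; the config can be pulled off the wire"))
    return findings


def hardened(config: str) -> str:
    """Rewrite a config the way the Cisco advisory recommends: drop every
    v1/v2c community line and add 'no vstack'. SNMPv3 groups/users are left
    to the operator to configure; this only removes the cleartext paths."""
    kept = [ln for ln in config.splitlines()
            if not SNMP_COMMUNITY.match(ln.strip())
            and not re.match(r"^\s*(no )?vstack\b", ln)]
    stripped = [ln.strip() for ln in kept]
    if "end" in stripped:
        kept.insert(max(i for i, s in enumerate(stripped) if s == "end"),
                    "no vstack")
    else:
        kept.append("no vstack")
    return "\n".join(kept)


# Constructed sample: an old-train switch with factory-style management left on.
SAMPLE_CONFIG = """\
version 15.2
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community netops-rw RW 10
snmp-server group NETOPS v3 priv
!
line vty 0 4
 transport input ssh
!
end"""


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print("--- after hardening ---")
    print(hardened(SAMPLE_CONFIG))
    print("findings after hardening:", len(audit_config(hardened(SAMPLE_CONFIG))))
```

Run stand-alone it reports three high findings for the constructed config (Smart Install left enabled, the well-known `public` RO community, and an RW community), then shows the same config with the community lines gone and `no vstack` added, which audits clean. On devices that cannot be upgraded off an affected train, `no vstack` plus blocking TCP/4786 at the network edge is the mitigation the advisory leaves you with; moving management to SNMPv3 with `priv` is still the operator's job.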

[11] Have you seen these men? Probably not, unless you're in Russia

In a 2021 [12]indictment, prosecutors allege the three targeted oil and gas firms, nuclear plants, and utility and power transmission companies, seeking to map out internal networks for possible future attacks, in a campaign that began in 2012.

A few years into it, the US claims, they dug deeper, going after specific individuals with control of critical networks. Over 3,300 people in 500 organisations around the world were targeted, it's claimed.

One target was the Wolf Creek nuclear power plant in Burlington, Kansas. The suspects, it's said, installed snooping software that harvested plant operators' login credentials, and the intrusion was only discovered when the site's operators called in the FBI.

However, as the timeline shows, this was years ago. Quite why the State Department chose this moment to put a sizable bounty on their heads is unclear, since the suspects will presumably avoid US territory and countries that have an extradition treaty with America.

Instead this looks something like a publicity exercise. While it's possible one of the suspects might get caught at an international border if they get sloppy, that's not something the FSB is known to get caught out by.

Cisco has no comment on the matter at time of publication. ®



[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

[2] https://www.theregister.com/2025/08/28/fbi_cyber_cop_salt_typhoon/

[4] https://www.ic3.gov/PSA/2025/PSA250820

[7] https://www.theregister.com/2025/08/20/russian_fsb_cyberspies_exploiting_cisco_bug/

[8] https://www.theregister.com/2024/09/18/russia_west_critical_infrastructure/

[9] https://www.theregister.com/2025/08/28/china_salt_typhoon_alert/

[10] https://www.theregister.com/2024/06/26/fbi_ruja_ignatova/

[11] https://regmedia.co.uk/2025/09/04/russian-fsb-cisco-hackers.jpg

[12] https://www.justice.gov/archives/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical



Ruh Roh! Rrosecutors rrroll up the rrrim!

Grunchy

Rreduce rreuse rrecycle IN THAT ORDER!
