Russian hackers hijacked thousands of home routers to steal passwords, researchers say

Russian government hackers hijack routers in broad espionage campaign
Russian government hackers have compromised thousands of home and small business routers worldwide in an effort to steal passwords and authentication tokens, according to security researchers and U.K. authorities.
The campaign is tied to Fancy Bear, also known as APT28, a long-running hacking group widely believed to operate under Russia’s GRU intelligence agency. The group has a history of high-profile intrusions, including the 2016 breach of the Democratic National Committee and the destructive 2022 attack on satellite provider Viasat.
Researchers at Lumen’s Black Lotus Labs and the U.K. government’s National Cyber Security Centre said the hackers targeted unpatched MikroTik and TP-Link routers using previously disclosed vulnerabilities. Many of the affected devices were running outdated firmware, allowing attackers to break in remotely without the owners’ knowledge.
Once inside, the hackers changed router settings so that victims’ internet requests were quietly routed through infrastructure controlled by the attackers. That setup let them steer users toward spoofed websites and capture credentials and authentication tokens that could be used to access online accounts without needing the victim’s two-factor authentication codes.
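One check a network operator might run after reading this is to audit a RouterOS configuration export for the settings that would let traffic be quietly redirected. The script below is an example added here; it is not code from the article, from Lumen, the NCSC or MikroTik. The article does not say which settings APT28 changed, so the checks assume the common tactics of rewriting the router's upstream DNS resolvers and leaving management services reachable from the internet. The export text, RouterOS version string and IP addresses are constructed for the example, and EXPECTED_DNS stands in for whatever resolvers the owner actually configured.

```python
"""Audit a MikroTik RouterOS `/export` dump for settings that let an attacker
silently redirect a victim's traffic.  Example code added for illustration,
not the article's or any vendor's tooling."""
import re

# Constructed sample, modelled on the text `/export` prints on RouterOS.
# Version, resolver address and subnets are invented for the example.
SAMPLE_EXPORT = """\
# jan/01/2024 12:00:00 by RouterOS 6.42.1
# software id = XXXX-XXXX
/ip dns
set allow-remote-requests=yes servers=203.0.113.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=no
set ssh address=192.168.88.0/24 disabled=no
set winbox address="" disabled=no
"""

# Assumption: the resolvers the owner deliberately configured (placeholder values).
EXPECTED_DNS = {"1.1.1.1", "9.9.9.9"}
# Management services that should never listen without an address restriction.
MGMT_SERVICES = {"www", "www-ssl", "ssh", "winbox", "api", "api-ssl", "telnet", "ftp"}

# key=value pairs; quoted values may contain spaces or be empty ("").
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (routeros_version, {section_path: [entry, ...]}).

    Each entry is a dict of key -> value plus `_verb` (set/add) and,
    for `set <name> ...` lines, `_name`."""
    version = None
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.search(r"by RouterOS (\S+)", line)
            if m:
                version = m.group(1)
            continue
        if line.startswith("/"):          # section header such as "/ip dns"
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        tokens = rest.split(None, 1) if rest else []
        item = None
        if tokens and "=" not in tokens[0]:  # "set www disabled=no": item name first
            item = tokens[0]
            rest = tokens[1] if len(tokens) > 1 else ""
        entry = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry["_verb"] = verb
        if item is not None:
            entry["_name"] = item
        sections[current].append(entry)
    return version, sections


def audit(text):
    """Return (version, list of human-readable findings)."""
    version, sections = parse_export(text)
    findings = []
    for e in sections.get("/ip dns", []):
        servers = set(filter(None, e.get("servers", "").split(",")))
        rogue = servers - EXPECTED_DNS
        if rogue:
            findings.append(f"unexpected DNS resolver(s): {sorted(rogue)}")
        if e.get("allow-remote-requests") == "yes":
            findings.append("router answers DNS for remote clients (open resolver)")
    for e in sections.get("/ip service", []):
        name = e.get("_name")
        enabled = e.get("disabled", "no") != "yes"
        if name in MGMT_SERVICES and enabled and not e.get("address"):
            findings.append(f"management service {name} enabled with no address restriction")
    return version, findings


if __name__ == "__main__":
    ver, found = audit(SAMPLE_EXPORT)
    print(f"RouterOS {ver}: compare against the vendor's current advisories")
    for f in found:
        print(" -", f)
```

Feed the script the output of `/export` from the router (or a saved backup in that format); the version it reports is for the operator to compare against the vendor's advisories, since the article does not name the specific vulnerabilities used. A rewritten resolver list is the clearest sign of the redirection the article describes, but a clean DNS block is not proof of a clean device, so a router running outdated firmware should be updated and re-provisioned regardless.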
The NCSC said the activity is “likely opportunistic in nature,” with attackers casting a wide net before narrowing in on targets of intelligence interest. Black Lotus Labs said Fancy Bear compromised at least 18,000 victims in about 120 countries.
Among those affected were government departments, law enforcement agencies and email providers across North Africa, Central America and southeast Asia.
The findings add to a growing body of evidence that ordinary network hardware remains a valuable target for state-backed espionage. In this case, the compromise of a router was enough to give attackers a way to observe traffic, redirect users and harvest the login data needed to break into accounts elsewhere.