A group of Russian government hackers has hijacked thousands of home and small business routers around the world as part of an ongoing campaign aimed at redirecting victims’ internet traffic and stealing passwords and access tokens, security researchers and government officials warned Tuesday.
This is the latest tactic by the long-running Russian hacker group known as Fancy Bear (APT28), which is known for high-profile hacking and espionage operations, including the 2016 Democratic National Committee breach and the devastating hack of satellite provider ViaSat in 2022. Fancy Bear is widely believed to be a unit of Russia's military intelligence agency, the GRU.
The hacker group exploited previously disclosed vulnerabilities in unpatched MikroTik and TP-Link routers, according to the UK government's cybersecurity arm, the NCSC, and Lumen's research arm, Black Lotus Labs, which released new details of the campaign on Tuesday.
Researchers say the hackers were able to spy on large numbers of people over several years by compromising routers, many of which were running outdated software that left them open to remote attack, without their owners' knowledge.
The NCSC said these operations were “likely to be opportunistic in nature, with the attackers casting a wide net to reach many potential victims before narrowing in on targets of interest to intelligence agencies as the attack unfolds.”
According to the researchers and the government advisories, the hackers changed the compromised routers' settings so that victims' internet requests were silently routed through attacker-controlled infrastructure. With traffic flowing through their systems, the attackers could redirect a victim to a spoofed website under their control, steal passwords and session tokens, and then use a stolen token to log in to the victim's online accounts without needing a two-factor authentication code, since the token represents a session that has already passed that check.
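The advisories do not say which router setting was altered, but the classic way to route a household's requests through attacker infrastructure is to change the DNS servers the router hands out. The following script is an added example, not code from the article, the researchers, or any of the named vendors; it assumes DNS-based redirection. It compares the A records returned by the local (router-provided) resolver with those from a trusted resolver reached over DNS-over-HTTPS, and flags names whose local answer is missing from the trusted answers and either falls in a private/local address range or is shared by several unrelated names, the signature of a resolver funnelling many sites to one attacker host. The sample answers are constructed for the demonstration; the DoH endpoint URL is an assumption.

```python
"""Heuristic check for router-level DNS redirection (added example).

A single divergent answer is not evidence of compromise: CDNs routinely
return different addresses to different resolvers. The heuristic instead
looks for the redirection pattern, namely several unrelated names that
all collapse to one unexpected address, or public names that resolve to a
private/local address.
"""
import ipaddress
import json
import socket
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample data (not from the article): answers a hijacked
# router's resolver handed back versus what a trusted resolver says.
LOCAL_ANSWERS = {
    "mail.example.com": ["203.0.113.7"],     # three unrelated names ...
    "login.example.net": ["203.0.113.7"],    # ... all pointed at one
    "bank.example.org": ["203.0.113.7"],     # attacker-controlled host
    "pay.example": ["192.168.1.1"],          # public name -> the router itself
    "news.example": ["198.51.100.20"],       # matches trusted answer
    "cdn.example": ["198.51.100.40"],        # benign CDN divergence
}
TRUSTED_ANSWERS = {
    "mail.example.com": ["192.0.2.10"],
    "login.example.net": ["192.0.2.11"],
    "bank.example.org": ["192.0.2.12"],
    "pay.example": ["192.0.2.30"],
    "news.example": ["198.51.100.20", "198.51.100.21"],
    "cdn.example": ["198.51.100.41"],
}

# Ranges a public hostname should never resolve to from a home network.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def _is_local_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LOCAL_NETS)


def suspicious_redirects(local, trusted, min_shared=2):
    """Return {name: [suspect IPs]} for names that look redirected.

    local / trusted: {hostname: [A records]} from the two resolvers.
    min_shared: how many unrelated names must share one unexpected
    public address before it is treated as a sink rather than CDN noise.
    """
    divergent = defaultdict(set)  # unexpected IP -> names that got it
    for name, ips in local.items():
        expected = set(trusted.get(name, ()))
        for ip in ips:
            if ip not in expected:
                divergent[ip].add(name)

    flagged = defaultdict(list)
    for ip, names in divergent.items():
        if _is_local_range(ip) or len(names) >= min_shared:
            for name in names:
                flagged[name].append(ip)
    return {name: sorted(ips) for name, ips in sorted(flagged.items())}


def resolve_local(name):
    """A records from whatever resolver the host was handed (usually the router)."""
    return socket.gethostbyname_ex(name)[2]


def resolve_trusted(name, doh="https://cloudflare-dns.com/dns-query"):
    """A records via a DNS-over-HTTPS JSON endpoint (assumed reachable)."""
    url = doh + "?" + urllib.parse.urlencode({"name": name, "type": "A"})
    req = urllib.request.Request(url, headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return [a["data"] for a in body.get("Answer", []) if a.get("type") == 1]


if __name__ == "__main__":
    # Offline demonstration on the constructed data; swap in
    # resolve_local()/resolve_trusted() over your own watchlist of names
    # to run it against a real network.
    for name, ips in suspicious_redirects(LOCAL_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"{name}: locally resolves to {', '.join(ips)} (not in trusted answers)")
```

On the constructed data the three names sharing 203.0.113.7 and the name resolving to the router's own 192.168.1.1 are flagged, while cdn.example, whose single divergent public answer is consistent with ordinary CDN behaviour, is not. Because a hijacked router can also intercept plain-text DNS sent to any server, the trusted lookup must go over HTTPS, as here, or the comparison proves nothing.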
According to Black Lotus Labs, Fancy Bear affected at least 18,000 victims in approximately 120 countries, including government agencies, law enforcement agencies, and email providers in North Africa, Central America, and Southeast Asia.
Microsoft also released details about the campaign on Tuesday, saying in a blog post that its researchers had identified more than 200 organizations, including at least three government agencies in Africa, and more than 5,000 consumer devices affected by these hacking operations.
The FBI is expected to announce the takedown of several domains used by the hackers in this campaign. Lumen said it was part of a coalition, including the FBI, that took the botnet offline.
An FBI spokesperson did not respond to a request for comment before publication.
