A group of Russian government-backed hackers has taken control of thousands of home and small business routers worldwide in an ongoing campaign designed to intercept internet traffic and steal sensitive login data, according to security researchers and government officials.

The activity has been linked to Fancy Bear, also known as APT28, a well-known hacking group believed to be part of Russia's GRU military intelligence agency. The group has a long history of major cyber operations, including the 2016 breach of the Democratic National Committee and the 2022 cyberattack on satellite provider Viasat.

In this latest campaign, the hackers focused on unpatched routers from brands like MikroTik and TP-Link, taking advantage of known vulnerabilities for which fixes existed but had never been applied by the devices' owners. According to the UK's National Cyber Security Centre and researchers from Lumen's Black Lotus Labs, these weaknesses allowed attackers to quietly compromise devices that were still running outdated firmware.

Once inside, the hackers were able to monitor internet activity over extended periods without the knowledge of the device owners. Many of these attacks were indiscriminate at first, compromising large numbers of routers before the operators narrowed down to specific high-value targets as needed.

The attackers modified router settings so that internet traffic from infected devices was secretly routed through infrastructure controlled by the hackers. This made it possible to redirect users to fake websites designed to look legitimate, allowing the attackers to capture passwords and authentication tokens. Because a captured session token represents a login that has already passed every check, replaying it lets the attackers use the account without ever being prompted for a two-factor authentication code.
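The article does not say which settings were changed. As an added example that is not part of the report and not the researchers' tooling, the script below audits a RouterOS-style configuration export (the MikroTik format) for the three settings most commonly abused to steer clients' DNS to an attacker: resolvers outside an expected set, static DNS overrides, and a dst-nat rule that captures port 53. The export excerpt, the expected-resolver list and the 198.51.100.23 address are all constructed for the example.

```python
"""Audit a RouterOS export for settings that would redirect client DNS.

Added example; the export below is constructed, not a real capture, and
the article does not state the exact settings the attackers changed.
"""
import shlex

# Resolvers the owner intended to use (assumption for the example).
EXPECTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Constructed export excerpt in RouterOS "/export" layout.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,198.51.100.23
/ip dns static
add address=198.51.100.23 name=login.example.com
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=dstnat protocol=udp dst-port=53 action=dst-nat to-addresses=198.51.100.23
"""

# Same layout with nothing suspicious, used as the baseline case.
CLEAN_EXPORT = """\
/ip dns
set allow-remote-requests=no servers=1.1.1.1,9.9.9.9
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
"""


def parse_export(text):
    """Yield (section, verb, {key: value}) for each command line.

    A line starting with '/' selects the menu path; following lines are
    'set' or 'add' commands whose arguments are key=value pairs.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        parts = shlex.split(line)
        verb, kv = parts[0], {}
        for part in parts[1:]:
            if "=" in part:
                key, value = part.split("=", 1)
                kv[key] = value
        yield section, verb, kv


def audit_dns(text, expected=EXPECTED_RESOLVERS):
    """Return a list of (finding, detail) tuples for DNS-steering settings."""
    findings = []
    for section, verb, kv in parse_export(text):
        if section == "/ip dns" and verb == "set" and "servers" in kv:
            # Upstream resolvers that clients inherit via DHCP.
            for server in kv["servers"].split(","):
                if server not in expected:
                    findings.append(("unexpected-resolver", server))
        elif section == "/ip dns static" and verb == "add":
            # A static entry answers for one name regardless of upstream.
            findings.append(("static-override",
                             f"{kv.get('name')}->{kv.get('address')}"))
        elif section == "/ip firewall nat" and verb == "add":
            # dst-nat on port 53 silently rewrites every client DNS query.
            if (kv.get("chain") == "dstnat" and kv.get("dst-port") == "53"
                    and kv.get("action") == "dst-nat"):
                findings.append(("dns-dst-nat", kv.get("to-addresses")))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_dns(SAMPLE_EXPORT):
        print(f"{finding}: {detail}")
```

Run it against a real `/export` dump by replacing SAMPLE_EXPORT with the file contents; an empty result from `audit_dns` means none of the three settings is present, not that the device is clean, since the article notes the attackers also re-routed traffic at the network layer.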

Researchers said the campaign affected at least 18,000 victims across roughly 120 countries, including government agencies, law enforcement bodies, and email service providers in regions such as North Africa, Central America, and Southeast Asia.

Microsoft, which also investigated the activity, reported that more than 200 organizations and 5,000 consumer devices were impacted, including several government entities in Africa.

Authorities have started taking action against the operation. The FBI is expected to announce the seizure of domains used by the hackers, while Lumen confirmed it worked with a broader coalition to disrupt the botnet and take it offline.

Later on Tuesday, the U.S. Justice Department said it had neutralized compromised routers located within the United States after obtaining court approval. The FBI carried out the operation by sending commands to the infected devices to collect evidence, reset their configurations, and block the attackers from regaining access.
