A group of Russian government-backed hackers has hijacked thousands of home and small business routers across the world in a sweeping cyber campaign aimed at redirecting internet traffic to steal passwords and access tokens, security researchers and government authorities warned on Tuesday. The operation, which has affected victims across multiple regions, underscores growing concerns over the vulnerability of everyday internet devices.
The campaign has been linked to the notorious Russian hacking group known as Fancy Bear, also called APT 28, a group widely believed to be affiliated with Russia’s military intelligence agency, GRU. The group has a long history of high-profile cyber espionage, including the breach of the Democratic National Committee in 2016 and the attack on satellite provider Viasat in 2022.
Findings by the United Kingdom’s National Cyber Security Centre and Black Lotus Labs, the research arm of Lumen Technologies, revealed that the hackers exploited previously disclosed vulnerabilities in unpatched routers manufactured by MikroTik and TP Link. By compromising these devices, many of which operate on outdated software, the attackers were able to monitor internet activity over extended periods without the knowledge of device owners.
Investigators disclosed that the hackers altered router settings to secretly route victims’ internet traffic through malicious infrastructure under their control, enabling them to redirect users to fake websites and harvest login credentials. The operation is believed to have affected at least 18,000 victims in about 120 countries, including government agencies and law enforcement institutions. Microsoft also confirmed that more than 200 organisations and 5,000 consumer devices were impacted, with some cases recorded in Africa, as authorities in the United States moved to disrupt the network and neutralise compromised devices.