A Russian government hacking group has seized control of thousands of home and small business routers worldwide, aiming to redirect internet traffic to steal passwords and access tokens, according to security researchers and government warnings. The group, known as Fancy Bear or APT 28, has a history of high-profile hacks, including attacks on the Democratic National Committee in 2016 and the Viasat satellite provider in 2022. Fancy Bear is believed to be part of Russia’s GRU intelligence agency.
The hackers targeted unpatched MikroTik and TP-Link routers using known vulnerabilities, according to the U.K. cybersecurity unit NCSC and Lumen’s Black Lotus Labs, which revealed new details of the campaign. Researchers indicated the hackers spied on numerous people over a period of years by exploiting routers running outdated software, which left those devices open to remote attack without their owners’ knowledge.
The NCSC described the operations as opportunistic, aiming at many potential victims before focusing on intelligence targets. The Russian hackers hijacked routers to alter their settings, secretly rerouting internet requests through hacker-operated infrastructure. This enabled them to redirect victims to fake websites and steal the passwords and session tokens needed to log into victims’ accounts, bypassing two-factor authentication.
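A rerouting attack of the kind described above usually shows up as a change in the DNS resolvers a router hands out, or as name-resolution answers that differ from those a trusted resolver returns. The following Python script is an added illustration of how a defender might check for both signs; it is not code from the article or from any of the organisations it names. The resolver addresses, LAN range and DNS answers are constructed sample data (documentation-range IPs and `example.com` names), assumed to have been collected from a router's admin page and from a direct query to a trusted resolver.

```python
import ipaddress

# Constructed sample: resolver addresses the router is handing out via DHCP.
CONFIGURED_RESOLVERS = ["192.168.1.1", "203.0.113.77"]

# Constructed sample: the router's own LAN, whose gateway legitimately acts as a
# forwarding resolver for clients.
LAN_NETWORK = "192.168.1.0/24"

# Resolvers the organisation expects devices to use (assumed allowlist).
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def audit_resolvers(configured, trusted, lan):
    """Return resolver addresses that are neither the LAN gateway nor on the
    trusted allowlist. An unexpected outside resolver pushed by a router is
    the kind of configuration change a DNS-hijacking campaign produces."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    suspect = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)
        if ip in lan_net or ip.is_loopback or addr in trusted:
            continue
        suspect.append(addr)
    return suspect


# Constructed sample: A-record answers obtained through the router's resolver
# versus answers obtained directly from a trusted resolver.
ANSWERS_VIA_ROUTER = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.com": {"203.0.113.9"},   # differs from the trusted answer
}
ANSWERS_VIA_TRUSTED = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.com": {"198.51.100.20"},
}


def find_divergent_answers(via_router, via_trusted):
    """Return, sorted, the names whose answer sets disagree between the two
    resolution paths; these are candidates for a redirected login page."""
    return sorted(
        name for name in via_trusted
        if via_router.get(name, set()) != via_trusted[name]
    )


if __name__ == "__main__":
    print("suspect resolvers:",
          audit_resolvers(CONFIGURED_RESOLVERS, TRUSTED_RESOLVERS, LAN_NETWORK))
    print("divergent names:",
          find_divergent_answers(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED))
```

Answer divergence alone is not proof of tampering, since content delivery networks routinely return different addresses to different resolvers; treat a divergence on a login or mail hostname as a reason to inspect the router's DNS settings and firmware version rather than as a verdict.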
Black Lotus Labs reported Fancy Bear compromised at least 18,000 victims in around 120 countries, including government departments, law enforcement, and email providers across North Africa, Central America, and Southeast Asia.
Microsoft revealed its research identified over 200 organizations and 5,000 consumer devices affected, including at least three government organizations in Africa. The FBI plans to announce the shutdown of domains used in the campaign and Lumen noted its participation with the FBI in disrupting the botnet.
The FBI spokesperson declined to comment before publication.
