Russian State-Linked Hackers Compromise Thousands of Routers to Steal Digital Credentials


Security researchers and government agencies have uncovered a massive, long-running cyberattack campaign involving the hijacking of thousands of home and small business routers. The operation, linked to the Russian state-sponsored group Fancy Bear (APT 28), was designed to intercept internet traffic and steal passwords and access tokens from unsuspecting users worldwide.

The Mechanics of the Attack: How Routers Become Spyware

The hackers did not target individual computers directly; instead, they compromised the entry point of the network: the router. By exploiting known but unpatched vulnerabilities in devices manufactured by MikroTik and TP-Link, the attackers gained control of the devices themselves, and with that control over every connection that passed through them.

Once a router was compromised, the hackers modified its settings to perform a “man-in-the-middle” style redirection. This process works as follows:
1. Traffic Redirection: The victim’s legitimate internet requests are surreptitiously routed through infrastructure controlled by the hackers.
2. Spoofing: Users are directed to fake versions of legitimate websites (such as email providers or banking portals).
3. Credential Theft: When users enter their login details, the hackers capture their passwords and session tokens.

Why this matters: A second factor is checked once, at login. After that, the site issues a session token (typically a cookie), and every later request is authorized by presenting that token alone. A stolen token is therefore a bearer credential: whoever holds it is treated as the logged-in user, and the server never asks for the one-time code again. This is how the attackers hijacked active accounts without the victim's secondary code, sidestepping one of the most common modern defenses.
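The three steps above and the session-token point, as an added in-process model written for this page (it is not code from the article, from the researchers, or from the campaign). A stand-in site enforces password plus TOTP at login and then issues a bearer session cookie; a "hijacked router" object forwards the victim's traffic to the site while copying credentials and tokens in transit; the attacker then replays both. The account, password and TOTP secret are constructed demo values, and the request/response dictionaries are a hypothetical simplification of HTTP.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo account (not real data): username -> (password, TOTP shared secret).
USERS = {"alice": ("correct horse battery staple", b"alice-totp-secret")}
TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def totp(secret: bytes, step: int) -> str:
    """6-digit TOTP-style code for one time step: HOTP (RFC 4226) over the step counter."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class LegitService:
    """Stand-in for the real mail or banking site. Login requires password + TOTP;
    success issues a bearer session token, and later requests present only that token."""

    def __init__(self):
        self.sessions = {}  # session token -> username

    def handle(self, request: dict) -> dict:
        if request["path"] == "/login":
            password, secret = USERS.get(request["user"], (None, None))
            if password is None or not hmac.compare_digest(request["password"], password):
                return {"status": 401, "body": "bad password"}
            step = request["now"] // TIME_STEP
            # Accept the current and previous step to tolerate clock skew, as real servers do.
            if request["otp"] not in (totp(secret, step), totp(secret, step - 1)):
                return {"status": 401, "body": "bad 2FA code"}
            token = secrets.token_urlsafe(32)
            self.sessions[token] = request["user"]
            return {"status": 200, "body": "logged in", "set_cookie": f"session={token}"}
        if request["path"] == "/inbox":
            # No 2FA here: whoever presents a valid token is treated as the user.
            cookie = request.get("cookie", "")
            user = self.sessions.get(cookie.removeprefix("session="))
            if user is None:
                return {"status": 401, "body": "login required"}
            return {"status": 200, "body": f"{user}'s inbox"}
        return {"status": 404, "body": "not found"}


class HijackedRouter:
    """The victim's router after compromise. It forwards traffic to the real site so
    everything keeps working, but copies any credentials and tokens it sees in transit."""

    def __init__(self, upstream: LegitService):
        self.upstream = upstream
        self.loot = []  # (kind, username, value) tuples captured by the attacker

    def forward(self, request: dict) -> dict:
        if "password" in request:
            self.loot.append(("password+otp", request["user"], (request["password"], request["otp"])))
        response = self.upstream.handle(request)
        if "set_cookie" in response:
            self.loot.append(("session", request["user"], response["set_cookie"]))
        return response


def run_demo(now: int = 1_700_000_000) -> dict:
    """Victim logs in through the hijacked router; the attacker later replays what was captured."""
    site = LegitService()
    router = HijackedRouter(site)
    password, secret = USERS["alice"]

    # Steps 1-2: the victim's login transits attacker-controlled infrastructure; the site answers normally.
    login = router.forward({"path": "/login", "user": "alice", "password": password,
                            "otp": totp(secret, now // TIME_STEP), "now": now})
    inbox = router.forward({"path": "/inbox", "cookie": login["set_cookie"]})

    # Step 3a: an hour later the captured password + OTP is useless, because the OTP has rotated.
    stolen_pw, stolen_otp = next(v for k, _, v in router.loot if k == "password+otp")
    stale = site.handle({"path": "/login", "user": "alice", "password": stolen_pw,
                         "otp": stolen_otp, "now": now + 3600})

    # Step 3b: the captured session token still works, and 2FA is never asked for again.
    stolen_cookie = next(v for k, _, v in router.loot if k == "session")
    replay = site.handle({"path": "/inbox", "cookie": stolen_cookie})

    return {
        "victim_login_ok": login["status"] == 200 and inbox["status"] == 200,
        "stale_otp_rejected": stale["status"] == 401,
        "token_replay_ok": replay["status"] == 200 and replay["body"] == "alice's inbox",
        "items_captured": len(router.loot),
    }


if __name__ == "__main__":
    print(run_demo())
```

The contrast between the two replays is the whole point: the one-time code protects the login event, but the session the login creates is only as safe as the path it travels over. In the model the router sees plaintext; on the real internet the equivalent is redirecting the victim to an attacker-controlled look-alike site that terminates TLS itself.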

A Global Scale: From Households to Government Agencies

The scale of the operation is vast, characterized by what experts call an “opportunistic” approach. Rather than targeting specific individuals from the start, the hackers cast a wide net to infect as many devices as possible, later filtering through the data to find high-value targets.

Data from various research bodies highlights the breadth of the infection:
* Black Lotus Labs (Lumen): Identified at least 18,000 victims across approximately 120 countries, including law enforcement, government departments, and email providers in North Africa, Central America, and Southeast Asia.
* Microsoft: Reported identifying over 200 organizations and 5,000 consumer devices affected, including at least three government entities in Africa.

The Actors Behind the Campaign

The group identified as the perpetrator is Fancy Bear, also known as APT 28. This group is widely believed to be affiliated with Russia’s military intelligence agency, the GRU.

Fancy Bear has a documented history of high-stakes espionage and disruptive operations, most notably:
* The 2016 breach of the Democratic National Committee (DNC) in the United States.
* The 2022 destructive hack targeting the satellite provider Viasat.

Countermeasures and Disruption

In response to the campaign, a global coalition including the FBI and Lumen has taken steps to disrupt the hackers’ infrastructure. This effort included taking a large-scale botnet offline and disrupting several domains used to facilitate the attacks.

The primary takeaway for users is the critical importance of firmware maintenance. Because the attackers relied on outdated software and known, unpatched vulnerabilities, many of these devices remained exploitable for years without the owners' knowledge. Patching closes the entry point but does not by itself undo settings an intruder has already changed: a router that may have been compromised should be reset to factory defaults and reconfigured after updating, and any accounts that were used through it should have their active sessions signed out so that previously captured tokens stop working.

Conclusion: This campaign demonstrates how attackers are increasingly targeting network infrastructure rather than end-user devices to bypass modern security layers like 2FA. Maintaining up-to-date firmware on all internet-connected hardware remains a vital defense against such sophisticated state-sponsored threats.