xiand.ai
Apr 11, 2026 · Updated 09:02 AM UTC
Cybersecurity

FBI: Russian Hackers Exploiting Router Vulnerabilities to Steal Sensitive Data

The FBI and an international coalition of intelligence agencies have issued a warning that Russian GRU hackers are compromising home and small-office routers worldwide to conduct DNS hijacking and exfiltrate sensitive information.

Ryan Torres

2 min read


The U.S. Federal Bureau of Investigation (FBI), in coordination with several international intelligence agencies, has issued a security alert warning that hackers linked to Russia’s Main Intelligence Directorate (GRU) are exploiting global router vulnerabilities to steal sensitive data from military, government, and critical infrastructure sectors.

The hacking group, known in the cybersecurity community as "APT28," "Fancy Bear," or "Forest Blizzard," has been active since 2024. The group has been targeting routers from brands such as TP-Link, leveraging a vulnerability tracked as CVE-2023-50224 to gain unauthorized control over the devices.

DNS Hijacking and Man-in-the-Middle Attacks

By tampering with the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings on compromised routers, the hackers redirect network traffic to servers under their control. Smartphones, computers, and other devices connected to these routers automatically inherit these malicious configurations, causing all network queries to be intercepted.

This allows the hackers to return forged DNS responses, tricking users into visiting malicious websites. When users ignore browser security certificate warnings and proceed, the attackers can intercept encrypted traffic, enabling them to harvest passwords, authentication tokens, and sensitive email data.
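As an added defender-side check (not from the advisory or this article), the following example shows how a client can notice the DHCP/DNS tampering described above: it parses a constructed dhclient-style lease, flags advertised resolvers that are not on an assumed allowlist (distinguishing on-LAN from off-LAN addresses), and compares A-record answers from the router's resolver with those from a trusted resolver. The lease text, allowlist and answer sets are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lease (dhclient-style), as a client records it after
# joining a router whose DHCP settings were tampered with.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.50;
}"""

# Assumed allowlist: the router's LAN address plus the resolvers the household
# or office chose on purpose (its ISP's or a public resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}


def lease_option(lease_text: str, name: str) -> list[str]:
    """Values of one 'option <name> ...;' line in a dhclient-style lease."""
    match = re.search(rf"option {re.escape(name)}\s+([^;]+);", lease_text)
    return [v.strip() for v in match.group(1).split(",")] if match else []


def flag_resolvers(lease_text: str, expected=EXPECTED_RESOLVERS) -> list[tuple[str, str]]:
    """(address, reason) for advertised resolvers that are not on the allowlist.

    A resolver outside the LAN that nobody configured is the signature of the
    tampering described above; every client inherits it silently via DHCP.
    """
    router, mask = lease_option(lease_text, "routers")[0], lease_option(lease_text, "subnet-mask")[0]
    lan = ipaddress.ip_network(f"{router}/{mask}", strict=False)
    findings = []
    for addr in lease_option(lease_text, "domain-name-servers"):
        if addr not in expected:
            on_lan = ipaddress.ip_address(addr) in lan
            findings.append((addr, "unlisted LAN resolver" if on_lan else "resolver outside the LAN"))
    return findings


def divergent_answers(router_answers: dict, trusted_answers: dict) -> list[str]:
    """Names whose A records from the router's resolver differ from a trusted resolver's.

    Both map hostname -> set of IPv4 strings (constructed here; in practice query
    each resolver directly). CDN-fronted names vary legitimately: hits are leads.
    """
    return sorted(name for name, rrs in router_answers.items()
                  if name in trusted_answers and rrs != trusted_answers[name])
```

A hit from either check is a reason to inspect the router's DHCP and DNS configuration against what was actually set, not proof of compromise on its own.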

The U.S. Department of Justice and the FBI recently succeeded in dismantling the malicious infrastructure used by the group to carry out these DNS hijacking operations. The operation was supported by intelligence agencies from Canada, Germany, Norway, and Ukraine.

The FBI advises users of Small Office/Home Office (SOHO) routers to take immediate protective measures, including updating firmware to the latest version, changing default login credentials, and disabling remote management ports. For older devices that are no longer supported by manufacturers, officials strongly recommend replacing the hardware entirely.

For enterprise users, the FBI suggests reviewing remote work security policies and mandating the use of Virtual Private Networks (VPNs) for accessing sensitive data. Organizations or individuals who suspect they have been targeted should immediately report the incident to their local FBI field office or the Internet Crime Complaint Center (IC3), including specific details regarding their router model and configuration.
