May 10, 2026 · Updated 12:18 PM UTC

Russian Hackers APT28 Exploit Vulnerabilities to Compromise Thousands of Home Routers Globally

The Russian hacking group Fancy Bear is hijacking thousands of MikroTik and TP-Link routers worldwide, exploiting known vulnerabilities to steal user passwords and authentication tokens.

Ryan Torres


According to a joint report released Tuesday by the UK's National Cyber Security Centre (NCSC) and security firm Black Lotus Labs, the Russian hacking group "Fancy Bear"—also known as APT28—is conducting a large-scale cyber-espionage campaign targeting home and small-business routers. By hijacking network traffic, the group is attempting to harvest user passwords and authentication tokens.

Attacks Targeting Unpatched Devices

The research indicates that APT28 is primarily targeting routers manufactured by MikroTik and TP-Link. Most of these devices are running outdated firmware with publicly disclosed security flaws. Hackers are leveraging these vulnerabilities to gain remote control over the devices, often leaving users completely unaware that they have been compromised.

The NCSC noted in its advisory that the group’s operations are highly "opportunistic." Hackers typically begin by performing broad scans to identify a large pool of potential targets, subsequently filtering for high-value intelligence targets as they deepen their infiltration.

APT28 is widely believed to be a unit of the GRU, Russia's military intelligence agency. The group has been linked to several high-profile cyberattacks, including the 2016 hack of the Democratic National Committee (DNC) servers and the disruptive 2022 cyberattack against satellite service provider Viasat.

Researchers discovered that this router-based campaign has been ongoing for several years. By seizing control of these routers, the hackers are able to maintain long-term surveillance over a vast number of users and intercept sensitive data traffic.

Security agencies have issued an urgent warning, urging users to update their router firmware immediately to patch known vulnerabilities and avoid becoming the next victim of this espionage campaign.
