Russian government hackers broke into thousands of home routers to steal passwords


A group of Russian government hackers has hijacked thousands of home and small business routers around the world as part of an ongoing campaign aimed at redirecting victims' Internet traffic to steal their passwords and access codes, security researchers and government authorities warned Tuesday.

This is the latest tactic of the long-standing Russian hacking group known as Fancy Bear, or APT28, which is known for high-profile hacking and espionage operations, including the hack of the Democratic National Committee in 2016 and a devastating hack that hit satellite provider Viasat in 2022. Fancy Bear is widely believed to be part of the Russian intelligence agency GRU.

The hacking group targeted unpatched routers made by MikroTik and TP-Link using previously disclosed vulnerabilities, according to the UK government's cybersecurity unit, the NCSC, and Lumen's research arm, Black Lotus Labs, which released new details of the campaign on Tuesday.

According to the researchers, hackers were able to spy on large numbers of people over the course of several years by penetrating their routers, many of which operate with outdated software, making them vulnerable to remote attacks without the knowledge of their owners.

NCSC said these operations “are likely to be opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack evolves.”

According to the researchers and the government advisories, the Russian hackers compromised routers and modified device settings so that the victim's Internet requests were surreptitiously passed to infrastructure operated by the hackers. This allows the hackers to redirect victims to fake websites under their control, then steal passwords and tokens that let them log in to the victim's online accounts without needing their two-factor authentication codes.

Black Lotus Labs said Fancy Bear compromised at least 18,000 victims in about 120 countries, including government departments, law enforcement agencies and email service providers across North Africa, Central America and Southeast Asia.


Microsoft, which also published details of the campaign on Tuesday, said in a blog post that its researchers identified more than 200 organizations and 5,000 consumer devices affected by these hacks, including at least three government organizations in Africa.

The FBI is expected to announce the removal of several domains used in this campaign by hackers. Lumen said it was part of a coalition, including the FBI, that disabled the botnet and took it offline.

An FBI spokesperson did not respond to requests for comment before publication.


🕒 **Posted on**: 1775581378
