Russian government hackers, known as Fancy Bear or APT28, have compromised thousands of home and small business routers worldwide to steal passwords and authentication tokens in a broad espionage campaign, according to security researchers and U.K. authorities.[1][2] The group, widely linked to Russia's GRU military intelligence agency, targeted unpatched devices from manufacturers like MikroTik and TP-Link, exploiting previously disclosed vulnerabilities to redirect victims' internet traffic through hacker-controlled servers.[1][3]
This operation, detailed in reports from TechCrunch and the U.K.'s National Cyber Security Centre (NCSC) on April 7, 2026, has affected at least 18,000 victims across 120 countries, including government departments, law enforcement, and email providers in regions such as North Africa, Central America, and Southeast Asia.[1] By modifying DNS settings on these routers—often models like the TP-Link WR841N vulnerable to CVE-2023-50224—attackers intercept requests and route users to fake websites designed to capture credentials, bypassing two-factor authentication.[1][3]
Fancy Bear's tactics mark a continuation of its notorious history, including the 2016 Democratic National Committee breach and the 2022 Viasat satellite hack that disrupted communications during Russia's invasion of Ukraine.[1] The NCSC described the initial router hijackings as "opportunistic," with hackers casting a wide net before focusing on high-value intelligence targets, a method enabled by outdated router firmware and weak default settings that leave many devices exposed without owners' knowledge.[1][3]
The campaign's reach underscores the risks to everyday users and critical infrastructure, as compromised routers grant attackers prolonged, undetected access to spy on cloud services, browser sessions, and applications.[1][6] Black Lotus Labs, Lumen's research arm, and Microsoft Threat Intelligence confirmed activity dating back to at least August 2025, involving virtual private servers repurposed as malicious DNS infrastructure.[1][3]
Those affected include individuals in sectors like aerospace, defense, energy, and government across countries such as the U.S., Ukraine, Poland, and others, amplifying threats to national security and personal data.[1][5] Home and small office routers remain popular targets due to their prevalence and neglect—over 30% reportedly run vulnerable software—highlighting how consumer devices can fuel state-sponsored operations.[4]
In response, the NCSC and partners urge immediate patching of routers, changing default credentials, and monitoring for unusual DNS changes to disrupt the botnet and prevent further exploitation.[1][3] While law enforcement has previously dismantled related GRU networks, such as one using Ubiquiti EdgeRouters, experts emphasize ongoing vigilance as these hackers adapt and persist in their global cyber efforts.[5]
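The monitoring step above can be made concrete with a small check: parse the resolver addresses out of a router configuration export, compare them to an allowlist of expected resolvers, and report anything that changed since the last snapshot. The following is an added example written for this page, not code from the NCSC, TechCrunch, or any router vendor. It assumes a hypothetical `dns-server=<ip>` key in the export and a constructed allowlist; real devices use their own syntax, so the regex is the part to adapt.

```python
"""Audit a router's configured DNS resolvers against an allowlist and a prior snapshot.

The config text and the allowlist below are constructed for illustration; the
`dns-server=` key is an assumption about the export format, not a real vendor syntax.
"""
import ipaddress
import re

# Assumed allowlist: the LAN gateway plus the resolvers the owner actually chose.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 ranges: a resolver here is at least on the local network.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample export. 203.0.113.77 (a documentation address) stands in
# for an unexpected external resolver of the kind the campaign inserts.
SAMPLE_CONFIG = """\
# constructed sample, loosely modelled on a home-router config export
lan dhcp dns-server=192.168.1.1
wan dns-server=1.1.1.1
wan dns-server=203.0.113.77
"""

DNS_LINE = re.compile(r"dns-server=(\S+)")


def parse_resolvers(config_text):
    """Return resolver addresses in the order they appear, skipping comments."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for match in DNS_LINE.finditer(line):
            found.append(match.group(1))
    return found


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Label a resolver as trusted, LAN-but-unlisted, public-but-unlisted, or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in trusted:
        return "trusted"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan-untrusted"
    return "public-untrusted"


def audit(config_text, trusted=TRUSTED_RESOLVERS):
    """Map each configured resolver to its classification."""
    return {addr: classify_resolver(addr, trusted) for addr in parse_resolvers(config_text)}


def suspicious(findings):
    """Resolvers that are not on the allowlist, sorted for stable reporting."""
    return sorted(addr for addr, label in findings.items() if label != "trusted")


def diff_snapshots(previous, current):
    """Resolvers present now that were absent from the previous snapshot."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    # Constructed earlier snapshot: the two resolvers the owner configured originally.
    earlier = ["192.168.1.1", "1.1.1.1"]
    now = parse_resolvers(SAMPLE_CONFIG)
    print("classification:", audit(SAMPLE_CONFIG))
    print("not on allowlist:", suspicious(audit(SAMPLE_CONFIG)))
    print("added since last snapshot:", diff_snapshots(earlier, now))
```

Running the check on a schedule and alerting on any non-empty `diff_snapshots` result catches the silent resolver swap before credentials are phished; an allowlist miss on a LAN address is usually a misconfiguration, while a public address that nobody added is the case worth treating as an incident.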