Invisible Siege: Pro-Russian Hackers Hijack Home Routers in Global Credential Heist
A sophisticated campaign by notorious cybercriminals puts passwords, user profiles, and global internet traffic at risk.
It starts with a blinking light on your home router - nothing out of the ordinary. But behind that innocuous signal, a silent digital invasion is underway. Across continents, homes and businesses alike have fallen victim to a sweeping cyber campaign orchestrated by the infamous Russian-linked group known as APT28, or “Fancy Bear.” Their target: outdated routers, the digital gatekeepers of our daily lives.
Fast Facts
- APT28 (Fancy Bear), a pro-Russian cybercriminal group, has compromised at least 18,000 routers in 120 countries.
- Attackers exploit known vulnerabilities in unpatched MikroTik and TP-Link routers.
- The campaign aims to hijack internet traffic, steal passwords, and bypass even two-factor authentication systems.
- Victims include government agencies, law enforcement, and private individuals worldwide.
- The FBI and international partners are actively dismantling the botnet and securing affected devices.
The scale and sophistication of this attack have alarmed cybersecurity agencies across the US and UK. According to recent analyses, APT28’s latest operation represents an evolution in their tactics - no longer content with targeting high-profile organizations, they now cast a wide net, compromising thousands of routers and quietly redirecting internet traffic through their own malicious infrastructure. Through this covert rerouting, attackers can harvest login credentials and authentication tokens, even circumventing the protections offered by two-factor authentication.
Vulnerable routers - especially older models from MikroTik and TP-Link - are the main entry points. Many of these devices run outdated software, often neglected by owners unaware of the lurking risks. Once compromised, the attackers alter router settings to silently steer users toward counterfeit websites, siphoning off passwords and other sensitive data in the process. This method allows the hackers not only to spy on individuals but also to target strategic organizations, including government agencies and law enforcement in regions as far-flung as North Africa, Central America, and Southeast Asia.
The campaign’s opportunistic nature means no one is safe: initial attacks are broad, but once inside, hackers zero in on targets with greater intelligence value. Microsoft has confirmed the attack’s scale, alerting over 200 organizations and thousands of consumers, including several African government entities.
Authorities are fighting back. In the US, the FBI has seized several domains used in the campaign and, with court authorization, sent commands to neutralize compromised routers on American soil. The Department of Justice has detailed efforts to collect forensic evidence, restore device settings, and lock out the intruders. Internationally, a dedicated task force is racing to dismantle the botnet and protect vulnerable users.
As the digital battle rages on, the message is clear: routers, often overlooked, have become the frontline in a new era of cyber warfare. For individuals and organizations alike, vigilance and regular updates are more essential than ever. In this invisible siege, a simple firmware update may be the difference between safety and surrender.
WIKICROOK
- APT28: APT28, or Fancy Bear, is a Russian state-backed hacking group known for cyber-espionage against Western governments and organizations.
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Router: A router is a device that connects different networks, like your home Wi-Fi to the internet, directing data and enhancing network security.
- Firmware: Firmware is specialized software stored in hardware devices, managing their core operations and security, and enabling them to function properly.
- Two-factor authentication: Two-factor authentication (2FA) is a security method requiring two different types of identification to access an account, making it harder for an attacker to break in with a stolen password alone.