What's happened
Researchers identified a campaign in which the Russian state-backed group APT28 hijacked between 18,000 and 40,000 consumer routers across 120 countries. The group exploited unpatched devices to spy on users, intercept credentials and redirect traffic, raising concerns about widespread vulnerabilities and national-security risk.
What's behind the headline?
The campaign highlights the persistent weakness of consumer routers, especially units that are outdated and unpatched. Turning routers into spying tools reflects a sophisticated understanding of network infrastructure: a compromised router sits in the path of every connection behind it, which lets attackers intercept sensitive data and manipulate DNS lookups. The involvement of APT28, linked to Russian military intelligence, underscores the geopolitical dimension of these operations. The rapid escalation after public disclosures points to a highly adaptable threat actor that revises its tactics to maintain access. The campaign will likely accelerate efforts to regulate and secure IoT devices, but the widespread use of end-of-life routers means many will remain vulnerable. The US ban on foreign-made routers aims to reduce supply-chain risk, but the core issue remains: outdated hardware still in service poses a significant threat to both individual and national security. Going forward, the focus must be on replacing legacy devices and raising security standards across the industry to prevent similar breaches.
What the papers say
The Ars Technica article by Dan Goodin provides detailed technical insight into the hijacking campaign, emphasizing the exploitation of unpatched routers and the use of DNS manipulation for espionage. The Guardian highlights the risks to individual users, including credential theft and device compromise, and links the activity to Russian intelligence efforts, specifically APT28. Politico offers a geopolitical perspective, detailing the joint operation by Western agencies and the targeting of Ukrainian and other government networks, and illustrating the broader strategic implications. The contrast between technical detail and geopolitical context underscores the multifaceted nature of this threat, with all three outlets stressing the importance of replacing outdated hardware and strengthening cybersecurity defenses.
How we got here
The campaign has been attributed to APT28, a group associated with Russia's military intelligence and known for long-running cyber operations. The attackers exploited vulnerabilities in older router models, including MikroTik and TP-Link devices, to conduct espionage and steal data. The operation began in May 2025 and intensified in August, following a UK alert about malware targeting Microsoft credentials. The US and UK have since issued warnings and taken mitigation measures, including a ban on foreign-made routers and advice to users to check their devices' settings.
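The advice above to "check device settings" is vague, and the technique the articles describe, a hijacked router answering DNS queries with attacker-chosen addresses, has a concrete, testable symptom. The script below is an added example written for this page; it is not code from any of the cited articles or from the router vendors. It sends raw A queries over UDP (standard library only) to the resolver the router handed out and to a trusted reference resolver, then compares the answers. Assumptions: IPv4 A records only; the router-assigned resolver is read from /etc/resolv.conf (Linux/macOS; on systemd-resolved hosts that file shows the local stub, so read `resolvectl status` instead); 1.1.1.1 is used as the reference resolver and example.com, login.microsoftonline.com and www.wikipedia.org as probe domains, all of which you should swap for your own. The strongest hijack signal is a single address answering for several unrelated domains; a mere difference from the reference resolver is weak evidence, because CDNs and geo-DNS legitimately return different addresses to different resolvers.

```python
"""Added example: detect router-level DNS manipulation by comparing the
router-assigned resolver's answers against a trusted reference resolver.
Stdlib only; IPv4 A records only. Resolver addresses and probe domains
below are assumptions, not values from the cited reporting."""
import ipaddress
import random
import socket
import struct
from collections import defaultdict

TRUSTED_RESOLVER = "1.1.1.1"  # assumption: replace with a resolver you trust
PROBE_DOMAINS = ["example.com", "login.microsoftonline.com", "www.wikipedia.org"]


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) + QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data: bytes, txid: int) -> set:
    """Extract IPv4 answers from a response; reject a mismatched transaction id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QNAME, QTYPE, QCLASS
    answers = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def build_response(name: str, txid: int, ips) -> bytes:
    """Construct a response packet for offline self-tests (not used by the live check)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + question + rrs


def query(resolver: str, name: str, timeout: float = 2.0) -> set:
    """Send one A query over UDP to `resolver`; random txid resists blind spoofing."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def router_resolvers(path: str = "/etc/resolv.conf") -> list:
    """Resolvers the router handed out via DHCP (assumes Linux/macOS resolv.conf)."""
    with open(path) as f:
        return [ln.split()[1] for ln in f if ln.startswith("nameserver")]


def hijack_indicators(local: dict, trusted: dict) -> list:
    """Compare per-domain answer sets; returns human-readable findings.
    STRONG: one address answers for 2+ unrelated domains locally but never from
            the trusted resolver (sinkhole / interception proxy pattern).
    MEDIUM: a public domain resolves to a private or loopback address.
    WEAK:   no overlap with the trusted answers (CDN geo-DNS causes false positives)."""
    findings = []
    trusted_ips = set().union(*trusted.values()) if trusted else set()
    seen_at = defaultdict(set)
    for dom, ips in local.items():
        for ip in ips:
            seen_at[ip].add(dom)
            addr = ipaddress.ip_address(ip)
            if addr.is_private or addr.is_loopback:
                findings.append(f"MEDIUM: {dom} -> {ip} is a private/loopback address")
        if dom in trusted and not (ips & trusted[dom]):
            findings.append(f"WEAK: {dom} local {sorted(ips)} shares nothing with trusted {sorted(trusted[dom])}")
    for ip, doms in seen_at.items():
        if len(doms) >= 2 and ip not in trusted_ips:
            findings.append(f"STRONG: {ip} answers for {sorted(doms)} but never from the trusted resolver")
    return findings


if __name__ == "__main__":  # live check: needs network access
    local_resolver = router_resolvers()[0]
    local = {d: query(local_resolver, d) for d in PROBE_DOMAINS}
    trusted = {d: query(TRUSTED_RESOLVER, d) for d in PROBE_DOMAINS}
    for line in hijack_indicators(local, trusted) or ["no indicators"]:
        print(line)
```

Run it from a machine that takes its DNS settings from the router via DHCP; a browser using DNS-over-HTTPS bypasses the router resolver entirely, so this check says nothing about that path. A STRONG finding, or a MEDIUM one where a public site resolves to the router's own LAN address, is worth treating as a compromised or misconfigured device until proven otherwise; a lone WEAK finding usually just reflects CDN geography.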
Go deeper
Common question
How Are Russian Hackers Targeting Global Networks?
Recent cyber campaigns have revealed that Russian-backed hackers are actively targeting networks worldwide, exploiting vulnerabilities in consumer routers to conduct espionage and data theft. This raises important questions about the security of our digital infrastructure and what steps can be taken to defend against such threats. Below, we explore how these hackers operate, the risks involved, and what individuals and organizations can do to stay protected.