Russian state hackers target home and Soho routers
https://news.kagi.com/s/7xseb7

UK and industry researchers warned on April 7 that the Russian state-linked group Fancy Bear, also tracked as APT28 and Forest Blizzard, has been hijacking vulnerable home and small-office routers in a long-running espionage campaign. The activity centered on older, unpatched MikroTik and TP-Link devices, especially end-of-life models, and let the attackers change router settings so victims’ web traffic flowed through infrastructure the group controlled. According to the UK’s National Cyber Security Centre, Microsoft, and Black Lotus Labs, the operation cast a wide net to reach many potential victims before narrowing in on targets of intelligence interest. Researchers said the technique helped steal passwords and authentication tokens, including Microsoft Office tokens, without planting malware on victims’ computers, highlighting both the risks of aging network gear and the value of timely security updates. The encouraging part is that defenders have now exposed the campaign and laid out practical steps users can take, including replacing unsupported routers, installing the latest firmware, and reviewing DNS settings. Those steps can sharply limit the attackers’ room to operate.

Kagi News