Russian hackers accused of hijacking thousands of routers in global cyber espionage campaign
By Tanveer Ahmed

Western intelligence agencies have warned that a Russian-linked hacking group hijacked more than 18,000 internet routers across 120 countries in a cyber espionage campaign designed to steal passwords, authentication tokens and emails.
Authorities in the United States, the United Kingdom, Germany and several other countries said the operation targeted home and small office routers, particularly devices made by TP-Link and MikroTik. The FBI said it has disrupted the campaign, known as Operation Masquerade, after discovering that the compromised devices were being used to secretly intercept internet traffic.
The hacking group responsible, widely known as Fancy Bear, APT28 or Forest Blizzard, is believed to be connected to Russia’s GRU military intelligence agency, specifically Unit 26165. According to Britain’s National Cyber Security Centre (NCSC), the group has been exploiting vulnerabilities in routers since at least 2024 to manipulate internet settings and reroute users’ traffic through servers controlled by the attackers.
Investigators say the hackers exploited known security flaws in several router models, including the widely used TP-Link WR841N device. The vulnerability allowed attackers to gain access without authentication and extract login credentials through specially crafted requests.
Once inside the router, the attackers altered the device's DNS settings, which tell every connected device where to look up the network addresses behind website names, so that laptops, phones and tablets on the network were all pointed at servers the attackers controlled. This allowed the hackers to redirect users to convincing fake login pages for popular services such as email platforms. Victims who entered their credentials there unknowingly handed them directly to the attackers.
Cybersecurity researcher Lukasz Olejnik described the approach as both simple and highly effective because compromising the router allowed attackers to monitor all traffic from connected devices without installing malware on each individual machine.
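As an added illustration of how a defender can spot this from the client side (example code, not from the article or any agency quoted in it), the following Python check compares the DNS resolvers a device received from its router via DHCP against an operator-defined allowlist; the lease records, IP addresses and allowlist are constructed for the example.

```python
# Added example: audit the DNS resolvers a client was handed via DHCP.
# A router whose DNS settings were hijacked pushes the attacker's resolver
# to every connected device; comparing the received resolvers against an
# operator-defined allowlist catches that change from the client side.
# Caveat: if the router forwards to a malicious upstream instead, clients
# still see the router's own LAN address, so the router's WAN DNS setting
# has to be audited separately.
import ipaddress
import re

# Constructed dhclient-style lease records (illustrative, not real data).
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.77,192.168.1.1;
}
"""

_DNS_RE = re.compile(r"option domain-name-servers\s+([^;]+);")

def resolvers_from_leases(text):
    """Return one tuple of resolver IPs per lease record, in file order."""
    return [tuple(s.strip() for s in m.group(1).split(","))
            for m in _DNS_RE.finditer(text)]

def suspicious_resolvers(resolvers, allowlist):
    """Return resolvers not covered by the allowlist (IPs or CIDR ranges)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [r for r in resolvers
            if not any(ipaddress.ip_address(r) in n for n in nets)]

def audit_latest_lease(text, allowlist):
    """Audit the most recent lease; returns resolvers that warrant a look."""
    sets = resolvers_from_leases(text)
    return suspicious_resolvers(sets[-1], allowlist) if sets else []

if __name__ == "__main__":
    # Trust the LAN and one chosen public resolver; anything else is flagged.
    print(audit_latest_lease(SAMPLE_LEASES, ["192.168.1.0/24", "9.9.9.9"]))
```

Run against the real lease file (for example /var/lib/dhcp/dhclient.leases on many Linux systems) with the resolvers your network is actually meant to hand out in the allowlist.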
Microsoft said more than 200 organisations and around 5,000 consumer devices were affected, including at least three government entities in Africa. Researchers at Black Lotus Labs, a cybersecurity unit of internet infrastructure company Lumen, reported that the campaign reached its peak in December 2025 when more than 18,000 routers worldwide had been compromised.
Targets included government departments, law enforcement agencies and email providers across regions such as North Africa, Central America and Southeast Asia. Germany’s domestic intelligence service confirmed that about 30 vulnerable devices in the country had been compromised, with some requiring complete replacement.
The NCSC said at least 23 TP-Link router models were targeted, although officials believe the number could be higher. Many of the affected devices were outdated models that no longer received security updates, making them particularly vulnerable to attack.
In response, the FBI launched Operation Masquerade to disrupt the network. Investigators remotely sent commands to infected routers located in the United States to gather forensic evidence and reset the manipulated DNS settings. The US Department of Justice confirmed that the operation successfully neutralised compromised routers on American soil under court authorisation.
The cyber campaign has also intensified concerns in Washington about the security of foreign-made networking equipment. In March, the US Federal Communications Commission announced plans to stop certifying certain consumer-grade routers produced outside the United States, citing national security risks. TP-Link, which manufactures many devices in China, was among the companies facing scrutiny.
Security agencies have urged router owners to update their device firmware immediately, change default usernames and passwords, disable remote management features and replace any routers that are no longer supported with security updates. Experts also advised users to pay close attention to browser security warnings, as the attack often relied on victims ignoring alerts when visiting fake login pages.