Thousands Of Home Routers Hijacked In Campaign Tied To Russian Intelligence, Officials Say

  • Andrej Botka
  • Apr 8
  • 2 min read

A campaign by a Russia-linked hacking group has commandeered thousands of home and small-business routers worldwide to siphon login credentials and session tokens, U.K. and U.S. cybersecurity teams said Tuesday, and U.S. authorities moved to disrupt the attackers’ infrastructure. Justice Department officials authorized actions in the United States to reset affected devices and collect evidence after investigators traced malicious traffic to servers run by the group.


Security firms and government cyber units identified the attacker as the well-known APT often linked to Russia’s military intelligence. The operators exploited known flaws in routers made by MikroTik and TP-Link, researchers said, targeting devices that hadn’t received recent updates so they could change network settings and divert web requests. That redirected traffic allowed the intruders to present counterfeit login pages and capture both passwords and authentication tokens, in some cases enabling account access without two-factor authentication codes.


Researchers at Lumen’s Black Lotus Labs reported a broad infection footprint: roughly 18,000 compromised routers across about 120 countries, hitting clinics, local police units, government offices and email providers across North Africa, Central America and Southeast Asia. Microsoft’s analysis found more than 200 affected organizations and about 5,000 consumer devices, including at least three government entities in Africa. Britain’s National Cyber Security Centre characterized the operation as wide-ranging and opportunistic at first, with the operators then focusing on higher-value targets as access matured.


Law enforcement and industry partners say they dismantled elements of the botnet that routed victims’ traffic. Lumen said it joined the FBI and other partners in a coordinated disruption that took many attacker domains offline. The Justice Department said it used a court order to send commands to U.S.-located routers to gather forensic data, restore safer settings and block the attackers’ paths back in.


“This type of campaign shows how attractive consumer networking gear has become to state actors,” said an independent cybersecurity analyst. “When routers aren’t patched, they serve as invisible footholds that can quietly harvest credentials for months.” Security experts urged users to install firmware updates, replace unsupported hardware and change default passwords; small businesses should also isolate critical systems from general Wi-Fi where possible.


The intrusion echoes prior major incidents attributed to the same group, which has been implicated in hacks that disrupted political organizations and commercial infrastructure in recent years. The latest activity underscores the growing priority intelligence services place on long-term access to everyday devices, and the difficulty of protecting widely distributed consumer equipment from sophisticated, patient attackers.

 
 
 

© 2035 by The StartupsCentral. 
