
Hackers linked to Russian spies targeted routers to monitor citizens across Europe and the US


The Security Service of Ukraine, together with the FBI, Poland’s counterintelligence agencies, and law enforcement authorities of the EU, conducted a coordinated cyber operation to neutralize enemy intelligence activities in Ukraine and partner countries.

As a result of the international cyber operation, numerous cases were uncovered in which Russian military intelligence (better known as the GRU) hacked office and home Wi-Fi routers of Ukrainian and foreign citizens (so-called SOHO equipment).

Investigation materials show that Russian intelligence operatives “hunted” for routers that did not meet modern security protocols.

After gaining access to vulnerable internet devices, the attackers redirected their traffic through a pre-established network of DNS servers (which convert Internet resource names into IP addresses that uniquely identify the destination server).

This allowed them to act as “intermediaries” online, collecting passwords, authentication tokens, and other sensitive information, including emails normally protected by SSL (secure sockets layer) and TLS (transport layer security) cryptographic protocols.

The obtained information was intended for use in cyberattacks, disinformation operations, and intelligence gathering.

Special attention from Russian intelligence focused on information exchanged by employees and military personnel of government agencies, units of the Ukrainian Armed Forces, and enterprises of the defense-industrial complex.

As a result of the joint cyber operation, over 100 servers were blocked and hundreds of routers were removed from enemy control in Ukraine alone, significantly weakening the intelligence capabilities of the Russian military and preventing software-level destruction of equipment.

Comprehensive measures are currently underway by the Security Service of Ukraine and its Western partners to hold all individuals involved in these cybercrimes accountable.

The SSU recommends that all router owners verify the model and current software version of their device, check for security updates, and install them immediately.

If the manufacturer no longer provides support, it is strongly advised to replace the router with a newer model, possibly from another company. After updating, the access password should be changed, remote access to the router’s control panel should be disabled, settings checked, and any suspicious entries removed.

Telecom providers are asked to assist their clients in implementing these cybersecurity measures.
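
One way to run the settings check recommended above from a client machine, as an added example that is not part of the original article or the SSU's guidance: it compares the DNS servers in a resolv.conf-style configuration with the set the owner expects. The sample configuration, its addresses (documentation ranges, not real indicators) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolver config as a client might receive it via DHCP
# from a router. Addresses are documentation ranges, not real indicators.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.53   ; not set by the owner
nameserver 127.0.0.53
nameserver fe80::1%eth0
nameserver not-an-ip
"""

def parse_nameservers(text):
    """Return nameserver values from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        # Drop '#' and ';' comments, then look for "nameserver <address>".
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit_resolvers(text, expected):
    """Classify each configured resolver against the owner's expected set."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    report = []
    for raw in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            report.append((raw, "invalid"))
            continue
        if addr in allowed:
            status = "expected"
        elif addr.is_loopback:
            status = "local-stub"  # local forwarder: check its upstream servers too
        else:
            status = "unexpected"  # compare with the router's DNS/DHCP settings page
        report.append((raw, status))
    return report

if __name__ == "__main__":
    expected = ["192.168.1.1", "fe80::1"]  # assumption: the owner's known resolvers
    for server, status in audit_resolvers(SAMPLE_RESOLV_CONF, expected):
        print(f"{status:10} {server}")
```

An "unexpected" entry is a prompt to inspect the router's DNS and DHCP settings, not proof of compromise on its own.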
