Russian Intelligence agencies deploy malware to target routers and systems

State-sponsored Russian hacker groups have breached thousands of routers in small office and home office (SOHO) environments across U.S. states and deployed updated malware, creating persistent botnets for long-term intelligence gathering. The FBI remotely rebooted thousands of routers compromised by the Russian group APT28, but further action depends on the device owners, as reported by Asatunews.

Two different units of the Russian intelligence services are involved in the operations, targeting organizations' network infrastructure and end-user devices. The APT28 group, linked to military intelligence, intercepted DNS requests to capture traffic, while Turla, a group associated with the Federal Security Service (FSB), turned its Kazuar backdoor into a modular system.

Experts noted a trend toward attacks on network infrastructure to gain passive visibility. Security agencies issued joint recommendations detailing the scale of these operations, as well as protocols for immediate remediation for device owners.

Daniel Dos Santos of Forescout stated that there is a serious trend of exploiting router vulnerabilities, affecting both consumer and enterprise devices. Microsoft Threat Intelligence analysts tracked the scale of the campaign launched by APT28, also known as Fancy Bear and Forest Blizzard. Researchers documented large-scale passive reconnaissance across thousands of compromised consumer devices. Microsoft’s report states that for state actors such as Forest Blizzard, DNS request interception provides persistent passive visibility and intelligence.

The United Kingdom’s National Cyber Security Centre identified specific TP-Link router models targeted by hackers, mostly outdated devices whose lifecycle has ended. A spokesperson for TP-Link Systems stated that although these products are outside the standard maintenance cycle, the company has developed security updates for some legacy models where technically possible.
