GCHQ has warned that Russian state-linked hackers are turning wifi routers into spying devices.
The National Cyber Security Centre (NCSC), which is part of the intelligence agency, said it had uncovered an espionage campaign by Fancy Bear, a hacking group believed to be a unit of Russian military intelligence, the GRU, according to The Times.
The hackers are exploiting well-known vulnerabilities in home and office routers to steal sensitive data such as passwords and authorisation tokens.
They remotely access the device and are able to redirect internet traffic to fake websites and email services such as Microsoft Outlook that harvest sensitive data. Phones and laptops on the network are also made more vulnerable to hacks.
The NCSC said it believes the spying has been carried out since 2024. Paul Chichester, the agency’s director of operations, said: “This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.
“We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.
“The NCSC will continue to expose Russian malicious cyberactivity and provide practical guidance to help protect UK networks.”
The agency advised people to upgrade from older devices and update the software on routers.
The hackers appear to have been targeting popular TP-Link and MikroTik routers.
Last month the US banned the import, sale and marketing of foreign-made internet routers because of national security concerns.
“Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage and facilitate intellectual property theft,” the Federal Communications Commission said.
TP-Link was founded in China but has now split the company into Chinese and US arms. It is facing investigations from the US Department of Commerce, Department of Justice, Federal Trade Commission and the Texas attorney-general over its links to China.
The NCSC believes that Fancy Bear, also known as APT28 and Forest Blizzard, is casting a wide net to reach as many potential victims as possible before narrowing in on those with “potential intelligence value”.
Microsoft’s Threat Intelligence team said it had identified more than 200 organisations and 5,000 consumer devices affected by the hacking. Its researchers said the operation “represents a significant escalation in how nation-state actors weaponise unmanaged edge devices and could enable larger-scale active interception in the future”.
Lumen Technologies’ Black Lotus Labs said it had identified thousands of potential victims from at least 120 countries communicating with the hackers’ infrastructure. “These operations primarily targeted government agencies — including ministries of foreign affairs, law enforcement and third-party email providers,” the researchers said in a report obtained by Bloomberg News.
Fancy Bear has been accused of hacking into the Democratic National Committee during the 2016 US presidential election, stealing data from the German parliament in 2015 and leaking medical records from the World Anti Doping Agency after a ban on Russian athletes.
It also attempted to compromise the Organisation for the Prohibition of Chemical Weapons (OPCW) in the UK to disrupt the independent analysis of chemicals that had been used by the GRU.
Alan Woodward, professor of cybersecurity at Surrey University, said the hackers’ tactic was “an oldie but goodie” as devices such as routers are “often forgotten about and so not updated”.
He added: “Although this Russian group is highlighted in this particular campaign, it’s almost inevitable other routers will have vulnerabilities yet to be identified.”