International intelligence agencies sound the alarm on a persistent threat to network hardware
In a coordinated effort, cybersecurity agencies from the United Kingdom, United States, and other allied nations have exposed an ongoing campaign by a notorious Russian military intelligence unit targeting the unsung heroes of our internet connections: the humble home and small office router. A joint advisory released on February 20, 2024, details how the Russian GRU's Main Centre for Special Technologies (GTsST), Unit 26165—better known by cybersecurity researchers as APT28 or Fancy Bear—is systematically compromising these devices to conduct espionage and build a global network for future operations.
The warning, issued by the UK’s National Cyber Security Centre (NCSC), the U.S. National Security Agency (NSA), FBI, and CISA, along with partners in Australia, Canada, New Zealand, and the Netherlands, underscores a strategic focus by state-sponsored actors on a frequently overlooked attack surface. These Small Office/Home Office (SOHO) devices are ubiquitous, often unmanaged, and represent a critical gateway to both personal and corporate networks.
Background: A persistent threat actor targets the network edge
APT28 is no stranger to the international stage. This is the same GRU-affiliated group linked to the 2016 hack of the Democratic National Committee, attacks on the World Anti-Doping Agency, and numerous cyber-espionage campaigns against governments, military organizations, and critical infrastructure across the globe. Their tactics are sophisticated, persistent, and aligned with Russia's strategic intelligence objectives.
This latest campaign is a direct evolution of past operations. It echoes the 2018 VPNFilter malware campaign, which the FBI also attributed to the GRU. VPNFilter infected hundreds of thousands of SOHO routers and network-attached storage (NAS) devices worldwide, creating a massive botnet capable of intelligence collection and destructive attacks. According to the joint advisory, the current activity demonstrates that APT28 has adapted its tactics, continuing its long-standing strategic interest in compromising network edge devices.
"Russian state-sponsored actors are adapting their tactics to find and exploit SOHO devices," noted NSA Cybersecurity Director Rob Joyce in a statement accompanying the release. The advisory serves as a stark reminder that even devices in homes and small businesses are valuable targets for powerful nation-state adversaries.
Technical details: How the attacks work
APT28’s methodology is not based on exotic zero-day exploits but rather on the systematic exploitation of common security weaknesses inherent in many SOHO devices. The actors are essentially preying on a lack of basic security hygiene.
The primary attack vectors identified in the advisory include:
- Exploiting Known Vulnerabilities: The group actively scans the internet for routers from manufacturers like Cisco, DrayTek, Fortinet, NETGEAR, and Zyxel that are running outdated firmware. They leverage publicly known Common Vulnerabilities and Exposures (CVEs) for which patches have long been available. The advisory specifically mentions vulnerabilities such as CVE-2023-27992, a critical flaw in Fortinet's SSL-VPN devices, as being part of their toolkit.
- Default and Weak Credentials: A significant number of routers are deployed with factory-default administrative credentials (e.g., "admin"/"password") or are protected by easily guessable passwords. APT28 uses automated brute-force and dictionary attacks to gain access to these poorly secured devices.
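As an added defender-side illustration (not code from the advisory or this article), the following Python parses constructed router admin-login syslog lines and flags sources that behave like the automated credential guessing described above, including a success that follows a burst of failures; the log format, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines from a router's admin web interface (format and addresses are invented).
SAMPLE_LOG = """\
Feb 20 10:01:02 router httpd: login failed for user 'admin' from 203.0.113.5
Feb 20 10:01:03 router httpd: login failed for user 'admin' from 203.0.113.5
Feb 20 10:01:05 router httpd: login failed for user 'admin' from 203.0.113.5
Feb 20 10:01:06 router httpd: login failed for user 'root' from 203.0.113.5
Feb 20 10:01:08 router httpd: login failed for user 'admin' from 203.0.113.5
Feb 20 10:01:09 router httpd: login succeeded for user 'admin' from 203.0.113.5
Feb 20 10:30:00 router httpd: login failed for user 'admin' from 192.168.1.20
Feb 20 10:45:00 router httpd: login succeeded for user 'admin' from 192.168.1.20
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ httpd: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

def parse(log_text, year=2024):
    """Turn login lines into (timestamp, source IP, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        events.append((ts, m["src"], m["user"], m["result"]))
    return events

def detect_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Map source IP -> (failure count, success seen after the burst) for sources with >= threshold failures in one window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e[0] for e in evs if e[3] == "failed"]
        # sliding window: the threshold-th failure lands within `window` of an earlier one
        bursts = [fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                  if fails[i + threshold - 1] - fails[i] <= window]
        if not bursts:
            continue
        # a success after the burst is the sign that guessing likely worked
        compromised = any(e[3] == "succeeded" and e[0] >= bursts[0] for e in evs)
        findings[src] = (len(fails), compromised)
    return findings
```

A source outside the LAN range reaching the admin interface at all, as 203.0.113.5 does here, is itself a sign that WAN-side management is exposed.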
Once a device is compromised, the GRU operators move to establish persistent access. They may modify the device's firmware, install custom scripts, or reconfigure services to ensure they can maintain control even after a reboot. From this foothold, they can launch a variety of post-exploitation activities:
- Reconnaissance: The compromised router is used to map the internal network, identify connected devices like computers and servers, and gather intelligence on network topology.
- Man-in-the-Middle (MITM) Attacks: By controlling the router, APT28 can potentially intercept, inspect, or redirect all internet traffic passing through it. This allows them to steal credentials, capture sensitive communications, and inject malicious content into legitimate web traffic. The ability to control traffic flow is a powerful tool for espionage.
- Proxy and C2 Infrastructure: Compromised SOHO devices are absorbed into a global network that APT28 uses to launch further attacks. By routing their malicious traffic through thousands of residential and small business routers, the GRU can effectively anonymize their operations, making attribution significantly more difficult.
Impact assessment: A widespread and insidious threat
The impact of this campaign is broad and multi-layered. Because SOHO routers are used by such a diverse range of entities, the potential victims are numerous.
- Small Businesses: These organizations are prime targets as they often lack dedicated IT security staff and resources, yet may handle sensitive customer or financial data. A compromised router can lead to a complete network breach.
- Remote Workers: The rise of remote work has blurred the lines between home and corporate networks. A compromised home router used by an employee can serve as a pivot point for sophisticated actors like APT28 to gain access to a well-defended corporate environment.
- Home Users: Individuals are at risk of having their personal data, browsing habits, and online credentials stolen. Compromised routers could also be used to monitor other smart devices on the home network, leading to severe privacy violations.
Beyond the immediate victims, the use of these devices as a distributed attack platform poses a threat to national security and the stability of the internet itself. This botnet of routers can be wielded for large-scale denial-of-service attacks, disinformation campaigns, or widespread espionage targeting critical sectors.
How to protect yourself
The good news is that the methods used by APT28 in this campaign can be countered with fundamental security practices. Securing your SOHO router is one of the most effective steps you can take to protect your entire network. The international agencies recommend the following actions:
- Update Your Firmware Immediately: This is the most critical step. Manufacturers regularly release firmware updates to patch security vulnerabilities. Log in to your router’s administrative console and check for the latest version, or visit the manufacturer’s support website for instructions. Enable automatic updates if the feature is available.
- Change Default Credentials: If you are still using the default username and password that came with your router, change them now. Your administrative password should be long, complex, and unique.
- Disable Remote Management: Your router’s administrative interface should never be accessible from the internet (the WAN). This feature is often enabled by default. Log in to your router’s settings and ensure that remote or WAN-side management is turned off.
- Turn Off Universal Plug and Play (UPnP): UPnP is a feature designed for convenience, allowing devices to automatically open ports on your router. However, it is notoriously insecure and has been exploited in many attacks. Disable it unless you have a specific, critical need for it.
- Use Strong Wi-Fi Encryption: Ensure your Wi-Fi network is protected with WPA3 encryption if your devices support it, or at least WPA2. Use a strong, unique password for your Wi-Fi network itself.
- Review Connected Devices: Periodically check the list of devices connected to your network through your router's admin panel. Investigate any devices you don’t recognize.
As Paul Chichester, the NCSC's Director of Operations, stated, this campaign highlights the GRU's "ruthless and persistent targeting." While a sophisticated nation-state actor may seem like a distant threat, this advisory makes it clear that their operations directly impact the security of our homes and small businesses. Taking the time to secure the gateway to your digital life is no longer just a recommendation—it is a necessity.