
Russian hackers hacked thousands of home devices to steal passwords


A Russian hacker group has hacked into thousands of homes and small businesses around the world as part of an ongoing campaign aimed at tricking victims in order to steal their passwords and tokens, security researchers and government officials warned Tuesday.

It’s the latest move by the former Russian hacking group known as Fancy Bear, or APT 28, known for its sophisticated hacks and espionage operations, including hacking the Democratic National Committee in 2016 and the devastating hack that hit satellite provider Viasat in 2022. Fancy Bear is widely believed to be part of the Russian intelligence agency GRU.

The hacking team targets unpatched routers made by MikroTik and TP-Link using previously disclosed vulnerabilities, according to the UK government’s cybersecurity unit NCSC and Lumen’s research arm Black Lotus Labs, which released an update on the campaign on Tuesday.

According to the researchers, the hackers were able to spy on many people over the years by breaking into their routers, many of which ran old software, making them vulnerable to remote attacks without the owners’ knowledge.

The NCSC said this is “likely opportunistic in nature, with the actor casting a net to reach as many victims as possible, before reducing the intelligence requirements as the attack develops.”

According to investigators and a government advisory, Russian hackers hacked into routers to modify the device’s settings so that the victim’s Internet requests were secretly routed to resources controlled by the hackers. This allows hackers to send victims to hacked websites, then steal passwords and tokens that allow hackers to log into the victim’s online accounts without needing their two-factor authentication codes.

Black Lotus Labs said Fancy Bear compromised at least 18,000 people in about 120 countries, including government departments, law enforcement agencies, and email providers in North Africa, Central America, and Southeast Asia.


Microsoft, which also released details of the campaign on Tuesday, said in a blog post that its researchers have identified more than 200 organizations and 5,000 consumer devices affected by this, including at least three government agencies in Africa.

The FBI is expected to announce the removal of several domains used by hackers. Lumen said it was part of a coalition, including the FBI, that disrupted the botnet and took it off the Internet.

An FBI spokesman did not respond to a request for comment before publication.

On Tuesday afternoon, the US Department of Justice announced that it interfered with routers located on US soil, under court authorization. The DOJ said that the FBI “created a series of commands to send to the compromised routers” to gather evidence, restore updates, and prevent hackers from coming back.

This article has been updated to include information from the DOJ announcement.


