Router Warning: 3 agencies say Russian hackers targeted routers for espionage

In a development that shifts attention from headline-grabbing malware to overlooked hardware, router security has become the latest frontline in a widening espionage campaign. Security agencies in the United States and Europe say a Russian hacking group used vulnerable Wi-Fi routers to steal passwords, authentication tokens and emails, then redirected traffic toward targets of intelligence value. The operation, exposed in a joint statement late Tuesday, shows how a device often treated as routine infrastructure can become a quiet access point into military, government and critical systems.

How the router campaign worked

Officials identified the hacking group as Fancy Bear, also known as APT28 and Forest Blizzard, and tied it to the Russian military intelligence service GRU. The agencies said the campaign has exploited router weaknesses since at least 2024, including popular TP-Link devices. By circumventing security protocols and encryption technology, the attackers were able to collect sensitive material from mobile devices and laptops connected to those networks.

Ukraine’s security service, the SBU, said the stolen material included passwords, authentication tokens and other sensitive information, including emails. The same statement said the Russian special services paid particular attention to information exchanged between employees and servicemen of state bodies, units of the Ukrainian Defense Forces and enterprises of the defense-industrial complex. That framing matters because it suggests the campaign was not random theft, but a selective effort to identify information with operational value.

Why the timing matters now

The agencies that disclosed the operation included intelligence and law enforcement services in the U.S., Canada, Ukraine, Germany, Italy, Poland and others. Their coordinated warning suggests the activity had reached a scale that crossed borders and sectors. Officials believe the stolen data was used for cyberattacks, information sabotage and intelligence gathering, with military, government and critical infrastructure targets in focus.

One law enforcement official involved in the joint operation said the hackers tried to cover vulnerable routers while redirecting requests only to domains they were interested in, including state and defense-related addresses. That detail points to a method built for persistence: rather than smashing through a network in obvious ways, the attackers appear to have used the router as a filtering layer, watching for traffic worth collecting.

The scale of the activity also raises the stakes. In the public record, these campaigns are not isolated intrusions but part of an adaptive pattern in which edge devices become stepping stones. That makes router defense more than a household maintenance issue; it becomes a question of whether governments and companies are still protecting the first layer of digital access.

Expert views on the router threat

Alan Woodward, professor at the University of Surrey, said the danger is that attackers can use a compromised router to send users to fake sites and then move deeper into a network. He said edge devices are often forgotten and can become a weak point. That assessment aligns with the agencies’ warning that once a router is compromised, the attacker can interfere with traffic before the user realizes anything is wrong.

Woodward also warned that if attackers successfully attacked a router, they could establish themselves on a network, move around it, and look for vulnerabilities in connected devices such as phones and PCs. His comments underline the broader risk: a router breach is not just a single-device problem, but a possible entry point into an entire home or workplace network.

Global reach and the wider security risk

The disclosure connects two separate but reinforcing findings. On one side, the joint government warning shows a broad campaign against ill-protected Wi-Fi routers. On the other, research from Lumen Technologies’ Black Lotus Labs describes a router-based technique in which modified DNS settings can hijack local traffic and feed targeted logins into attacker infrastructure. That research tied a campaign named FrostArmada to Forest Blizzard and said it targeted government agencies, including ministries of foreign affairs, law enforcement and third-party email providers.
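The technique both findings describe, a router that answers DNS honestly for most names but steers a short list of interesting domains elsewhere, is something a defender can test for without trusting the router at all. The script below is an added example written for this article; it is not code from the agencies’ statement or from Black Lotus Labs. It builds a raw DNS A query with the standard library only, sends the same question to the router’s resolver and to an independent reference resolver, and flags any name for which the router returns an address the reference never did. The names, addresses and resolver IPs are constructed placeholders; the offline `demo()` uses a hand-built response instead of the network so the parser and comparison can be checked without a live router.

```python
"""Check for selective DNS redirection by a home or office router.

Added example (not from the joint advisory or Lumen's research). Queries
each watched name through two resolvers and reports names whose answers
disagree. Standard library only, so the DNS wire format is built by hand.
"""
import secrets
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header with RD set, one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring RFC 1035 compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def resolve_a(name: str, server: str, timeout: float = 2.0) -> list:
    """Live lookup against one specific resolver (bypasses the OS stub resolver)."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        resp, _addr = sock.recvfrom(4096)
    return parse_a_records(resp, txid)


def find_hijacked(router_answers: dict, reference_answers: dict) -> list:
    """Names for which the router returned an address the reference never did."""
    suspicious = []
    for name, router_ips in router_answers.items():
        reference = set(reference_answers.get(name, []))
        if any(ip not in reference for ip in router_ips):
            suspicious.append(name)
    return suspicious


def build_response(name: str, txid: int, ips: list) -> bytes:
    """Constructed resolver reply for offline testing (answer names use a 0xC00C pointer)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 60, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    return header + question + answers


def demo() -> list:
    """Offline walk-through with constructed answers: the router steers one name only."""
    txid = 0x1234
    # Constructed sample: the router lies about the mail host but not the public site.
    router_raw = {
        "mail.example.gov": build_response("mail.example.gov", txid, ["203.0.113.50"]),
        "www.example.com": build_response("www.example.com", txid, ["198.51.100.20"]),
    }
    reference_raw = {
        "mail.example.gov": build_response("mail.example.gov", txid, ["198.51.100.10"]),
        "www.example.com": build_response("www.example.com", txid, ["198.51.100.20"]),
    }
    router = {n: parse_a_records(r, txid) for n, r in router_raw.items()}
    reference = {n: parse_a_records(r, txid) for n, r in reference_raw.items()}
    return find_hijacked(router, reference)


if __name__ == "__main__":
    print("offline demo flagged:", demo())
    # Live use (assumed addresses): compare the router at 192.168.1.1 with a public resolver.
    # for host in ["mail.example.gov"]:
    #     print(host, resolve_a(host, "192.168.1.1"), resolve_a(host, "9.9.9.9"))
```

A mismatch is a lead, not a verdict: content-delivery networks and geo-aware DNS legitimately return different addresses from different resolvers, so run the comparison several times, and treat a difference as serious when the router’s address for a high-value name (a mail host, a government login page) lands outside the ranges the reference resolver ever returns.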

Together, the findings suggest that router abuse is not a narrow tactic. It is a scalable method that can support espionage, credential theft and traffic redirection across borders. Even where the immediate targets are state institutions, the infrastructure used to reach them can sit in homes and offices far from the intended victim. That is what makes the issue strategically important: the compromise of a router can quietly blur the line between individual connectivity and national security.

The warning now is not only about a single actor or a single campaign. It is about how easily a router can become a hidden tool for surveillance when it is left exposed, outdated or poorly monitored. If that device remains one of the least noticed parts of the network, how many more operations can run through it before defenders treat it as critical infrastructure?