A group of Russian government hackers, known as Fancy Bear or APT 28, has breached thousands of home and small business routers globally. Using undisclosed vulnerabilities in unpatched MikroTik and TP-Link devices, the hackers can redirect internet traffic to steal passwords and access tokens.
The long-running hacking group is believed to be part of Russia’s intelligence agency GRU, with a history of high-profile hacks such as the Democratic National Committee breach in 2016 and the Viasat hack in 2022. Fancy Bear targeted at least 18,000 victims across 120 countries.
Security researchers warn that many routers run outdated software, leaving them vulnerable to remote attacks without their owners' knowledge. The NCSC describes these operations as 'likely opportunistic,' with hackers casting a wide net before narrowing in on intelligence targets.
Hackers modify router settings to redirect internet requests to spoofed websites, allowing them to steal login credentials and tokens without needing two-factor authentication codes. Microsoft identified over 200 organizations and 5,000 consumer devices affected, including at least three African government entities.
The FBI disrupted the botnet by neutralizing compromised routers in the U.S., using court authorization to send commands that collected evidence and reset settings. The NCSC highlights the importance of keeping router software up-to-date to avoid such attacks.
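The article's two defender-relevant points, outdated router firmware and router settings altered to redirect traffic, lend themselves to a simple audit. The script below is an added example written for this page, not code from the article, the NCSC, Microsoft or the FBI. It assumes the redirection is done by pointing the router's DNS forwarders at an attacker-chosen resolver (the article does not name the mechanism), and it uses placeholder firmware baselines and a constructed resolver allow-list; the `RouterSnapshot`, `audit` and `parse_version` names are hypothetical, and the two sample snapshots are constructed.

```python
"""Audit SOHO router settings for signs of DNS redirection and outdated firmware.

Added example for this page; the thresholds and sample data are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed allow-list: the resolvers the network owner expects the router to forward to.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "8.8.8.8", "8.8.4.4"}

# RFC 1918 and loopback ranges: forwarding to a LAN resolver is a normal setup, not a finding.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Placeholder minimum firmware versions (hypothetical). Take real values from the
# vendor's advisories; the article does not name patched versions.
MIN_FIRMWARE = {"mikrotik": (6, 49, 10), "tp-link": (1, 2, 0)}


@dataclass
class RouterSnapshot:
    """Hypothetical representation of the settings pulled from one router."""
    vendor: str
    firmware: str
    dns_servers: list
    wan_admin_enabled: bool


def parse_version(text):
    """Turn '6.49.10' or 'v1.2.0' into a tuple of ints that compares naturally."""
    parts = []
    for piece in text.lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(snapshot):
    """Return a list of findings for one router; an empty list means nothing suspicious."""
    findings = []

    for server in snapshot.dns_servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable DNS server entry: {server!r}")
            continue
        if any(addr in net for net in LAN_NETWORKS):
            continue
        if server not in TRUSTED_RESOLVERS:
            findings.append(f"DNS forwarded to unexpected public resolver {server}")

    minimum = MIN_FIRMWARE.get(snapshot.vendor.lower())
    if minimum is None:
        findings.append(f"no firmware baseline for vendor {snapshot.vendor!r}")
    elif parse_version(snapshot.firmware) < minimum:
        baseline = ".".join(str(n) for n in minimum)
        findings.append(f"firmware {snapshot.firmware} is below baseline {baseline}")

    if snapshot.wan_admin_enabled:
        findings.append("management interface reachable from the WAN side")

    return findings


# Constructed sample data: the first snapshot shows every warning sign, the second is clean.
# 203.0.113.7 is a documentation address standing in for an attacker-controlled resolver.
SAMPLE_SNAPSHOTS = [
    RouterSnapshot("MikroTik", "6.49.2", ["203.0.113.7"], True),
    RouterSnapshot("TP-Link", "v1.2.3", ["192.168.0.1", "1.1.1.1"], False),
]


if __name__ == "__main__":
    for snap in SAMPLE_SNAPSHOTS:
        print(snap.vendor, snap.firmware, audit(snap) or ["ok"])
```

Run against real data, the snapshots would be filled from each router's exported configuration; the checks that matter most are the resolver comparison (a changed forwarder is the visible trace of the redirection the article describes) and the firmware baseline (the outdated software the NCSC warns about).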