Russian Hackers Target Vulnerable Routers to Steal Credentials
Severity: High (Score: 78.0)
Sources: TechCrunch, PCMag UK, Mirror, The Register, Computer Weekly
Summary
Russian hacking group APT28, also known as Fancy Bear, is actively exploiting vulnerabilities in consumer Wi-Fi routers, particularly 23 TP-Link models that have reached end-of-life status. The UK’s National Cyber Security Centre (NCSC) and Microsoft report that over 200 organizations and 5,000 consumer devices have been compromised since at least August 2025. The attackers manipulate the routers' DNS settings to redirect internet traffic, allowing them to harvest passwords and access tokens from unsuspecting users. The campaign has affected routers worldwide, with at least 18,000 victims identified across 120 countries. The NCSC emphasizes that these operations are opportunistic: the group casts a wide net before focusing on high-value targets. Microsoft has identified specific vulnerabilities, including CVE-2023-50224, which was disclosed in May 2024. Authorities recommend that users update their devices and replace outdated hardware to mitigate the risk. The ongoing threat highlights the need for improved cybersecurity measures among consumers and organizations alike.
Key Points:
- APT28 is exploiting vulnerabilities in TP-Link routers to steal sensitive information.
- Over 200 organizations and 5,000 consumer devices have been affected since August 2025.
- Users are urged to update their devices and replace outdated hardware to enhance security.
Key Entities
- APT28 (apt_group)
- Fancy Bear (apt_group)
- Forest Blizzard (apt_group)
- GRU (apt_group)
- DDoS (attack_type)
- Malware (attack_type)
- Man-in-the-Middle (attack_type)
- Phishing (attack_type)
- Democratic National Committee (company)
- German Parliament (company)
- World Anti-Doping Agency (company)
- Apple (company)
- Cisco (company)
- France (country)
- Germany (country)
- Russia (country)
- Ukraine (country)
- CVE-2023-50224 (cve)
- Government (industry)
- Jaguar Tooth (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1566 - Phishing (mitre_attack)
- MikroTik (platform)