U.S. authorities have raised the alarm over Russian cyber operatives exploiting vulnerable routers worldwide to steal sensitive government and military data, warning that the campaign poses a growing global cybersecurity threat.
The Federal Bureau of Investigation (FBI) said Russian military-linked cyber actors are actively targeting vulnerable routers to intercept sensitive information belonging to governments, military agencies, and critical infrastructure operators.
In a public service announcement posted on its website (alert number: I-040726-PSA) dated April 7, 2026, the FBI said it, alongside the U.S. Department of Justice, recently disrupted a network of compromised small-office and home-office (SOHO) routers that Russia’s Main Intelligence Directorate (GRU) was using for DNS hijacking.
The bureau said the operation was carried out together with the U.S. National Security Agency (NSA) and international partners including Canada, Germany, Italy, Poland and Ukraine, among others, and that the advisory is intended to warn the public and strengthen global cyber defenses.
According to the FBI, the GRU’s 85th Main Special Service Center, also tracked as APT28, Fancy Bear or Forest Blizzard, has been exploiting vulnerable routers since at least 2024, including TP-Link devices affected by the vulnerability CVE-2023-50224, to harvest credentials and manipulate network traffic.
The agency explained that the attackers change the DNS settings a router applies to its own traffic and advertises to clients over DHCP, so that phones, laptops and other connected devices resolve domain names through actor-controlled resolvers and, as a result, send their traffic to actor-controlled servers without any change on the devices themselves.
Those servers sit between the victim and the real destination, an adversary-in-the-middle (AitM) position from which the actors can intercept communications and capture sensitive information, including passwords, emails and authentication tokens.
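As an added illustration that is not part of the FBI advisory or of this article: the Python script below parses a DHCP OFFER, the message in which a router hands clients their DNS servers (option 6), and flags any advertised resolver that is neither the router itself, nor on the local subnet, nor on an operator-supplied allowlist. The packets are constructed in the script rather than captured from a real incident, and the addresses (192.168.1.0/24 for the LAN, 203.0.113.53 for the rogue resolver) are placeholders.

```python
"""Audit DHCP OFFER/ACK packets for rogue DNS servers (option 6).

Added illustration, not code from the FBI advisory. The packets are
constructed in-script and every address is a placeholder.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 1, 3, 6, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(packet: bytes) -> dict:
    """Return the offered client address (yiaddr) and a {code: raw value} map of options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    yiaddr = ipaddress.IPv4Address(packet[16:20])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(packet):   # end marker or truncated option
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"yiaddr": yiaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses, the encoding used by options 3 and 6."""
    return [ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]


def audit_offer(packet: bytes, trusted_resolvers=()) -> list:
    """Return one finding per advertised DNS server that is off-link, not the
    router and not on the operator's allowlist. An empty list means nothing suspicious."""
    parsed = parse_dhcp(packet)
    opts = parsed["options"]
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return []                                  # only server-to-client messages carry option 6
    routers = set(ip_list(opts.get(OPT_ROUTER, b"")))
    trusted = {ipaddress.IPv4Address(t) for t in trusted_resolvers}
    lan = None
    if OPT_SUBNET_MASK in opts:
        mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
        lan = ipaddress.IPv4Network(f"{parsed['yiaddr']}/{mask}", strict=False)
    findings = []
    for srv in ip_list(opts.get(OPT_DNS, b"")):
        on_link = lan is not None and srv in lan
        if srv in routers or srv in trusted or on_link:
            continue
        findings.append(f"DNS server {srv} is off-link and not on the allowlist")
    return findings


def build_offer(yiaddr, mask, router, dns_servers, xid=0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER (placeholder values) for exercising the audit."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)        # op=BOOTREPLY, htype=Ethernet
    hdr += bytes(4)                                            # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                # yiaddr
    hdr += bytes(4) + bytes(4) + bytes(16) + bytes(64) + bytes(128)   # siaddr, giaddr, chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    clean = build_offer("192.168.1.50", "255.255.255.0", "192.168.1.1", ["192.168.1.1"])
    # 203.0.113.53 is a documentation-range placeholder standing in for an actor-controlled resolver
    hijacked = build_offer("192.168.1.50", "255.255.255.0", "192.168.1.1",
                           ["203.0.113.53", "192.168.1.1"])
    print("clean:", audit_offer(clean))
    print("hijacked:", audit_offer(hijacked))
```

Two caveats apply. Public resolvers an organisation uses deliberately must be passed in `trusted_resolvers`, otherwise they are reported as well. And the check only sees what the router advertises to clients: a router whose own upstream forwarder has been pointed at an actor-controlled resolver still hands out its LAN address as the DNS server and passes this audit, so the router's WAN-side DNS setting has to be inspected separately.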
The FBI warned that the GRU has been harvesting large volumes of data from global victims, later narrowing its focus to military, government, and critical infrastructure targets.
It noted that international cybersecurity agencies, including the UK’s National Cyber Security Centre (NCSC), have issued parallel advisories urging stronger defensive measures.
Users of SOHO routers were advised to update firmware, replace devices that no longer receive updates, change default credentials, disable remote access features, and not click through browser security certificate warnings, which are often the only visible sign that traffic is being redirected through an attacker's server.
Organisations were also urged to strengthen remote work policies through VPN use (a VPN that also carries DNS queries bypasses a compromised home router's resolver settings), hardened applications, and stricter access controls for sensitive systems.
The FBI further encouraged companies to help employees upgrade outdated personal devices used for remote access, warning that such systems increase exposure to cyber threats.
It urged the public to report suspected cyber intrusions to their nearest FBI field office or via the Internet Crime Complaint Center (IC3).