Russian GRU-Linked Hackers Exploit Routers in Global Credential Theft Campaign
The U.K.’s National Cyber Security Centre (NCSC) has issued a warning about a sophisticated cyber espionage campaign conducted by APT28, a hacking group tied to Russia’s GRU military intelligence agency. The attackers are compromising widely used internet routers, primarily from the manufacturers MikroTik and TP-Link, to intercept and redirect traffic through malicious servers under their control.
By altering router settings, the hackers gain the ability to steal passwords, manipulate data, and expand access to targeted networks. The NCSC’s alert highlights the risks of credential theft and broader system compromise, though neither MikroTik nor TP-Link has publicly responded to the findings.
Paul Chichester, the NCSC’s Director of Operations, emphasized that the campaign exploits vulnerabilities in common networking hardware, underscoring the threat posed by state-backed actors targeting critical infrastructure.
Parallel research from Lumen Technologies’ Black Lotus Labs revealed the campaign’s global scale, identifying thousands of potential victims across at least 120 countries. Primary targets included government agencies, such as foreign ministries and law enforcement, as well as third-party email providers.
The incident reflects growing international concern over router security. In a related move, the U.S. Federal Communications Commission (FCC) recently banned the sale of certain foreign-made consumer routers, citing supply-chain vulnerabilities that could enable large-scale disruptions to critical infrastructure.
The NCSC and Lumen’s findings provide technical guidance for mitigating such attacks, though the full scope of the campaign’s impact remains under investigation.
Source: https://www.claimsjournal.com/news/national/2026/04/07/336738.htm
MikroTik cybersecurity rating report: https://www.rankiteo.com/company/mikrotik
Government of Russia cybersecurity rating report: https://www.rankiteo.com/company/government-of-russia
TP-Link cybersecurity rating report: https://www.rankiteo.com/company/tp-link-corporation
{
  "id": "MIKGOVTP-1775579498",
  "linkid": "mikrotik, government-of-russia, tp-link-corporation",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {
      "industry": "Public Sector",
      "location": "Global (120+ countries)",
      "name": "Government agencies (foreign ministries, law enforcement)",
      "type": "Government"
    },
    {
      "industry": "Technology/Communications",
      "location": "Global (120+ countries)",
      "name": "Third-party email providers",
      "type": "Service Provider"
    }
  ],
  "attack_vector": "Compromised routers (MikroTik, TP-Link)",
  "data_breach": {
    "personally_identifiable_information": "Likely (credentials)",
    "sensitivity_of_data": "High (government and email provider data)",
    "type_of_data_compromised": "Credentials, network traffic data"
  },
  "description": "The U.K.’s National Cyber Security Centre (NCSC) has issued a warning about a sophisticated cyber espionage campaign conducted by APT28, a hacking group tied to Russia’s GRU military intelligence agency. The attackers are compromising widely used internet routers primarily from manufacturers MikroTik and TP-Link to intercept and redirect traffic through malicious servers under their control. By altering router settings, the hackers gain the ability to steal passwords, manipulate data, and expand access to targeted networks. The campaign exploits vulnerabilities in common networking hardware, targeting critical infrastructure, government agencies, and third-party email providers globally.",
  "impact": {
    "data_compromised": "Credentials, network access",
    "identity_theft_risk": "High",
    "operational_impact": "Network traffic interception and redirection",
    "systems_affected": "Routers (MikroTik, TP-Link), targeted networks"
  },
  "initial_access_broker": {
    "entry_point": "Compromised routers",
    "high_value_targets": "Government agencies, email providers"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Router security vulnerabilities pose significant risks to critical infrastructure and government networks. State-backed actors exploit supply-chain weaknesses for large-scale espionage.",
  "motivation": "Cyber espionage, credential theft, data manipulation",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced router security measures, network monitoring, and regulatory actions (e.g., FCC bans on certain routers)",
    "root_causes": "Exploitation of router vulnerabilities, lack of supply-chain security"
  },
  "recommendations": "Enhance router security, implement network segmentation, monitor for unauthorized traffic redirection, and follow NCSC/Lumen technical guidance.",
  "references": [
    {"source": "NCSC Advisory"},
    {"source": "Lumen Technologies’ Black Lotus Labs"},
    {"source": "U.S. Federal Communications Commission (FCC)"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "NCSC advisory"
  },
  "response": {
    "communication_strategy": "Public advisory by NCSC",
    "third_party_assistance": "Lumen Technologies’ Black Lotus Labs"
  },
  "stakeholder_advisories": "NCSC and Lumen Technologies have issued technical guidance for mitigation.",
  "threat_actor": "APT28 (GRU-linked)",
  "title": "Russian GRU-Linked Hackers Exploit Routers in Global Credential Theft Campaign",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "Router vulnerabilities"
}