Russian government hackers of the Fancy Bear group (APT 28), associated with the Russian GRU intelligence agency, compromised thousands of routers in homes and small businesses worldwide to steal passwords and tokens. According to Tuesday's warning from the UK NCSC and Black Lotus Labs, they took advantage of unpatched MikroTik and TP-Link routers, redirecting traffic to fake websites. The attack affected at least 18,000 victims in 120 countries, including government agencies. Microsoft identified over 200 organizations and 5,000 consumer devices affected, while the FBI seized campaign domains.

In detail:


Russian government hackers have compromised thousands of routers in homes and small businesses worldwide, aiming to redirect the victims' online traffic in order to intercept passwords and access tokens.

The warning was issued Tuesday by security researchers and government authorities.

The activity is attributed to the long-running Russian hacking group Fancy Bear, also known as APT 28. The group has been linked to high-profile espionage operations and attacks, including the breach of the US Democratic National Committee in 2016 and the destructive attack that hit satellite provider Viasat in 2022. Fancy Bear is widely considered to be part of the Russian GRU intelligence service.

At the centre of the current campaign were unpatched MikroTik and TP-Link routers. The UK's NCSC cybersecurity agency and Black Lotus Labs, Lumen's research arm, reported that the attackers exploited an already known vulnerability to gain access to the devices.

Researchers estimated that, through the router breaches, the hackers were able to monitor a large number of people for years. Many of the devices were reportedly running outdated software, which left them exposed to remote attacks without their owners' knowledge.

The NCSC said these operations are likely opportunistic, with the attacker «casting a wide net» to reach many potential targets and then narrowing down to intelligence objectives as the attack develops.

According to government advisories and researchers, the hackers modified the routers' settings so that victims' online requests would secretly pass through infrastructure under their control. In this way they could redirect users to counterfeit websites they controlled and harvest passwords and tokens. The stolen tokens allowed them to log in to victims' online accounts without needing two-factor verification codes.

Black Lotus Labs reported that Fancy Bear compromised at least 18,000 victims in about 120 countries, including government agencies, law enforcement agencies and email providers in parts of North Africa, Central America and Southeast Asia.

Microsoft, which also released details to the public on Tuesday, said in a blog post that its researchers identified over 200 organizations and 5,000 consumer devices affected, including at least three government organizations in Africa.

At the same time, the FBI is expected to announce the seizure of several domains used in the campaign. Lumen said it took part in a coalition, alongside the FBI, that disrupted the botnet operation and took it out of service. An FBI spokesperson did not respond to requests for comment prior to publication.

