Russian government hackers of the Fancy Bear group (APT 28), associated with the Russian GRU intelligence agency, compromised thousands of home and small-business routers worldwide to steal passwords and tokens. According to Tuesday's warning from the UK NCSC and Black Lotus Labs, they took advantage of unpatched MikroTik and TP-Link routers, redirecting traffic to fake websites. The attack affected at least 18,000 victims in 120 countries, including government agencies. Microsoft identified over 200 organizations and 5,000 consumer devices affected, while the FBI seized campaign domains.

In detail:


Russian government hackers have compromised thousands of routers in homes and small businesses worldwide, aiming to redirect the victims' online traffic in order to intercept passwords and access tokens.

The warning was issued on Tuesday by security researchers and government authorities.

The activity is attributed to the long-running Russian hacking group Fancy Bear, also known as APT 28. The group has been linked to high-profile espionage operations and attacks, including the breach of the US Democratic National Committee in 2016 and the destructive attack that hit satellite provider Viasat in 2022. Fancy Bear is widely considered to be part of the Russian GRU intelligence service.

At the centre of the current campaign were unpatched MikroTik and TP-Link routers. The UK's NCSC cybersecurity unit and Black Lotus Labs, Lumen's research arm, reported that the perpetrators exploited already-known vulnerabilities to gain access to the devices.

Researchers estimated that, through the router compromises, the hackers were able to monitor a large number of people for years. Many of the devices were reportedly running outdated software, which left them exposed to remote attacks without their owners knowing.

The NCSC reported that these operations are likely opportunistic, with the perpetrator "casting a wide net" to reach many potential targets and then narrowing in on intelligence objectives as the attack develops.

According to government advisories and researchers, the hackers modified the routers' settings so that victims' online requests would secretly pass through infrastructure under their control. In this way they could redirect users to counterfeit websites they operated and harvest passwords and tokens. The stolen tokens allowed them to log in to victims' online accounts without needing the two-factor verification codes.

Black Lotus Labs reported that Fancy Bear compromised at least 18,000 victims in roughly 120 countries, including government agencies, law enforcement agencies and email providers in parts of North Africa, Central America and Southeast Asia.

Microsoft, which also published details on Tuesday, said in a blog post that its researchers identified more than 200 organizations and 5,000 consumer devices that were affected, including at least three government organizations in Africa.

Meanwhile, the FBI is expected to announce the seizure of several domains used in the campaign. Lumen said it took part in a coalition, together with the FBI, that disrupted the botnet and took it offline. An FBI spokesperson did not respond to requests for comment before publication.

