The UK’s cybersecurity agency has reported that Russian hackers are taking advantage of widely available internet routers to gather intelligence for espionage activities.
According to Alan Woodward, a professor at the University of Surrey, these breaches could enable cybercriminals to steal user credentials, redirect individuals to counterfeit websites, and potentially infiltrate other devices on a home network, including smartphones and computers.
On Tuesday, the National Cyber Security Centre (NCSC) indicated that these operations appear to be opportunistic, with attackers casting a wide net of potential victims and subsequently narrowing down to those deemed valuable for intelligence at various stages of their exploitation efforts.
This incident aligns with a typical trend where cyber actors target edge devices—hardware like internet routers or web-connected security cameras that serve as conduits between users and cloud services.
Woodward emphasized that this is not the first alert concerning routers, noting that these often-overlooked edge devices can present significant vulnerabilities. “If a router is compromised, attackers can redirect you to fraudulent sites. You might think you are accessing your bank, but in reality, you are being directed elsewhere,” he explained.
He further elaborated that once they breach a router, attackers can navigate through the network and assess whether connected devices, such as computers and phones, have any exploitable weaknesses.
The NCSC suspects that the group responsible for these attacks is likely APT28, also known as Fancy Bear, which is believed to have connections to Russian intelligence operations. This group was previously implicated in the 2015 cyber-attack on the German parliament, which resulted in the theft of substantial data, including sensitive emails and the schedules of German lawmakers.
Woodward remarked on the ambiguity surrounding these groups, stating, “While there are strong suspicions they operate on behalf of the Russian state, definitive proof is often elusive since nation-state attacks are frequently executed via criminal organizations.”
In response to these security concerns, the United States has recently prohibited the sale of all consumer-grade internet routers manufactured outside its borders, with the Federal Communications Commission citing “unacceptable risks to national security.” The agency noted that malicious entities have exploited vulnerabilities in foreign routers to target American households, disrupt networks, engage in espionage, and steal intellectual property.
Given that a majority of internet routers are produced in China or Taiwan, this ban could significantly impact several US hardware manufacturers. However, Elon Musk’s Starlink is an exception as it produces its devices in Texas.
Privacy advocates have pointed out that this outright ban may not fully resolve the vulnerabilities present in existing internet routers. A more pressing issue is that many routers currently in operation may be outdated and no longer receive necessary security updates.
Woodward advised that the NCSC’s alert signals the importance for small businesses and individuals to keep their routers updated. “Small businesses should monitor their networks for unusual activities. Many routers are often neglected,” he stated.
One notable historical cyber incident occurred in 2016 when hackers stole $80 million from the central bank of Bangladesh, largely due to the bank’s use of inexpensive, secondhand internet routers that were exposed to the internet. This breach allowed hackers to infiltrate the router, access the core network of the bank, and transfer funds to accounts in the Philippines. It is believed that a state-affiliated North Korean hacking group orchestrated this attack.
Woodward concluded, “This is a classic method of probing, and it is highly likely that similar incidents will occur in the future.”
