Russia’s Fancy Bear Used Unsecured Routers to Steal Government Data

April 8, 2026 Robert Mitchell News
News Context
At a glance
  • Russian military intelligence agents from the General Staff Main Intelligence Directorate (GRU) have hijacked thousands of residential and small-office home-office (SOHO) routers globally to steal sensitive information.
  • According to reports released on April 7, 2026, the hackers exploited unpatched routers manufactured by TP-Link and MikroTik.
  • Lumen's Black Lotus Labs has codenamed the exploitation campaign FrostArmada.
Original source: euronews.com

Russian military intelligence agents from the General Staff Main Intelligence Directorate (GRU) have hijacked thousands of residential and small-office home-office (SOHO) routers globally to steal sensitive information. The operation, attributed to the cyber espionage group known as Fancy Bear or APT28, targeted individuals within government, military, and critical infrastructure sectors.

According to reports released on April 7, 2026, the hackers exploited unpatched routers manufactured by TP-Link and MikroTik. By modifying the devices’ DNS settings, the attackers redirected internet traffic to infrastructure under their control, allowing them to intercept passwords and authentication tokens.

The FrostArmada Campaign

Lumen’s Black Lotus Labs has codenamed the exploitation campaign FrostArmada. The group modified DNS settings on compromised routers to hijack local network traffic, which enabled the passive collection of network data. Microsoft described the effort as a method to capture and exfiltrate authentication credentials without requiring any interaction from the end user.

When a user requested a targeted domain, the actor redirected the traffic to an attacker-in-the-middle (AitM) node. At this point, credentials were harvested, which allowed the hackers to log into the victims’ online accounts. This technique specifically enabled the attackers to bypass two-factor authentication codes by stealing active access tokens.
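The redirection pattern just described, a set of targeted domains all steered to one attacker-controlled node by a router's altered DNS settings, leaves traces a network owner can look for. The following Python is an added example, not code from the article or from Lumen, Microsoft or any vendor; it assumes the router's handed-out DNS servers and per-domain answers from two resolvers have already been collected, and every address in it is constructed.

```python
import ipaddress
from collections import Counter


def dns_hijack_indicators(handed_out_dns, approved_dns, answers_router, answers_trusted, min_converging=3):
    """Return (severity, message) findings. handed_out_dns: resolvers the router pushes
    to LAN clients (DHCP option 6); approved_dns: resolvers the owner expects; answers_*:
    {domain: set of IP strings} from the router's resolver and from an out-of-band one."""
    findings = []
    approved = {ipaddress.ip_address(a) for a in approved_dns}
    for srv in handed_out_dns:
        if ipaddress.ip_address(srv) not in approved:
            findings.append(("high", f"router hands out unapproved DNS server {srv}"))

    # A single AitM node answering for many unrelated domains shows up as several
    # domains collapsing onto one address; count how often each answer repeats.
    convergence = Counter(ip for ips in answers_router.values() for ip in ips)
    for ip, n in convergence.items():
        if n >= min_converging:
            domains = sorted(d for d, ips in answers_router.items() if ip in ips)
            findings.append(("high", f"{n} domains resolve to {ip} via router: {', '.join(domains)}"))

    # Cross-check against the trusted resolver. Disjoint answer sets are suspicious, but
    # CDN rotation and geo-DNS cause benign mismatches, so these are rated medium only.
    for domain, trusted in answers_trusted.items():
        seen = answers_router.get(domain)
        if seen and trusted and seen.isdisjoint(trusted):
            findings.append(("medium", f"{domain}: router answers {sorted(seen)}, trusted resolver answers {sorted(trusted)}"))
    return findings


def sample_findings():
    """Run the checks over a constructed snapshot; every address below is invented."""
    handed_out = ["192.168.1.1", "203.0.113.53"]   # second server is not on the allow list
    approved = ["192.168.1.1", "192.0.2.1"]        # LAN gateway and the ISP resolver
    answers_router = {
        "mail.example.gov": {"203.0.113.10"},      # three unrelated sites steered to one node
        "login.example.mil": {"203.0.113.10"},
        "sso.example.org": {"203.0.113.10"},
        "cdn.example.net": {"198.51.100.7"},       # untouched domain, answers agree
    }
    answers_trusted = {
        "mail.example.gov": {"198.51.100.20"},
        "login.example.mil": {"198.51.100.21"},
        "sso.example.org": {"198.51.100.22"},
        "cdn.example.net": {"198.51.100.7"},
    }
    return dns_hijack_indicators(handed_out, approved, answers_router, answers_trusted)
```

On the constructed snapshot, `sample_findings()` returns five findings: the unapproved resolver, the three domains converging on one address, and three medium-rated answer mismatches, while the untouched CDN domain produces none.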

The U.K. Government’s National Cyber Security Centre (NCSC) stated that these operations were likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops.

Operation Masquerade

The infrastructure used in the campaign has been disrupted and taken offline through a joint effort involving the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and other international partners. This law enforcement effort was codenamed Operation Masquerade.

The DNS hijacking operation allowed Russian intelligence agencies to target individuals of interest to the Kremlin, including those in the military, government, and critical infrastructure sectors.

U.S. Department of Justice

The DOJ announced on April 7, 2026, that a court-authorized technical operation had successfully neutralized the portion of the malicious network located within the United States.

Background on Fancy Bear

Fancy Bear, also known as APT28 or Forest Blizzard, is a Russian state-sponsored cyber espionage group. A 2018 indictment by the United States Special Counsel identified the group as GRU Unit 26165, a reference to its Military Unit Number, the unified numbering scheme used for units of the Russian armed forces.

The group’s association with the GRU has been cited with a medium level of confidence by the cybersecurity firm CrowdStrike. Other security firms, including Mandiant, ThreatConnect, and SecureWorks, as well as the UK’s Foreign and Commonwealth Office, have also stated that the group is sponsored by the Russian government.

Operating since the mid-2000s, Fancy Bear targets government, military, and security agencies, primarily in NATO-aligned states and Transcaucasian regions. The group is also known for targeting international organizations such as the World Anti-Doping Agency.

The group has a history of high-profile operations, including the 2016 breach of the Democratic National Committee's emails, carried out to influence the United States presidential election, and a 2022 destructive attack against the satellite provider Viasat.

The specific campaign targeting SOHO routers has been active since at least May 2025. Researchers noted that many of the compromised devices were running outdated software, which left them vulnerable to remote attacks without the owners’ knowledge.
