MikroTik A.I CyberSecurity Scoring
MikroTik
Company Information
Website: https://www.mikrotik.com
Employees number: 678
Number of followers: 38,372
NAICS: 519
Industry Type: Information Services
Homepage: mikrotik.com
MikroTik Risk Score (AI oriented): 755/1000, Fair (Baa), in the 750 to 799 band, on a 0 to 1000 scale
Updated: 07/04/2026
MikroTik Global Score (TPRM): score locked
3 incidents, -11.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 729
MAY 2026: 727
APRIL 2026: 731
Vulnerability
07 Apr 2026 • MikroTik
TP-Link: Russian APT28 Hackers Hijack Routers to Steal Credentials
Russian APT28 Exploits Vulnerable Routers in Large-Scale Credential Theft Campaign
726
CRITICAL-5
TP-1775579951
The UK’s National Cyber Security Centre (NCSC) has issued a warning about two ongoing cyberespionage campaigns by the Russian hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy), which is linked to Russia’s GRU military intelligence unit. Since early 2024, APT28 has been hijacking vulnerable internet routers, particularly TP-Link models, to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations.
### How the Attack Works
APT28 has repurposed virtual private servers (VPS) as malicious DNS servers, intercepting high volumes of DNS requests from compromised routers. The group employs an opportunistic approach, initially casting a wide net to identify potential victims before narrowing down targets of intelligence value.
In one campaign, APT28 exploited CVE-2023-50224, a vulnerability in TP-Link WR841N routers that allows unauthenticated attackers to extract credentials via crafted HTTP requests. By altering the DHCP DNS settings on these routers, the group forced downstream devices (such as laptops and phones) to resolve requests through their malicious servers. This enabled adversary-in-the-middle (AitM) attacks, allowing APT28 to harvest passwords, OAuth tokens, and other credentials from web and email services.
Microsoft Threat Intelligence further reported that APT28 and its sub-group Storm-2754 have been compromising SOHO routers since at least August 2023, expanding their infrastructure to facilitate these attacks.
### Impact and Attribution
The NCSC assesses that APT28’s operations are highly targeted, focusing on entities of strategic interest to Russian intelligence. While the initial router compromises appear broad, the group refines its focus at later stages to prioritize high-value victims. The stolen credentials could enable further unauthorized access, though the exact scope of follow-on attacks remains unclear.
This campaign underscores the persistent threat posed by state-backed cyber actors leveraging common vulnerabilities in consumer-grade networking devices to conduct large-scale espionage.
MARCH 2026: 755
Cyber Attack
11 Mar 2026 • MikroTik
NATO: FancyBear Server Exposure Reveals Stolen Credentials, 2FA Secrets and NATO-Linked Targets
FancyBear’s Major OpSec Blunder Exposes Espionage Campaign Targeting European Governments and NATO
730
CRITICAL-25
NAT1773851315
In a rare operational security failure, Russian state-linked hacking group FancyBear (APT28/Forest Blizzard/GRU Unit 26165) inadvertently exposed a long-running cyberespionage campaign after leaving a server unsecured for over 500 days. The breach, first detected by threat intelligence firm Hunt.io on January 13, 2026, and later analyzed by Ctrl-Alt-Intel, provided researchers with unprecedented visibility into Operation Roundish, an active campaign targeting government and military entities across Europe.
The exposed server, a NameCheap Virtual Private Server (VPS) hosted in the U.S. at IP 203.161.50.145, had been previously attributed to FancyBear by Ukraine’s CERT-UA in September 2024, yet the group continued using it without interruption. The open directory contained 2,800 exfiltrated government and military emails, 240 stolen credentials (including passwords and TOTP 2FA secrets), 140 silent email-forwarding rules, and 11,500 harvested contact addresses from victims in Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Notably, the stolen data included email addresses tied to four NATO member states, including NATO’s own headquarters infrastructure.
A second exposed directory, discovered by Ctrl-Alt-Intel, revealed even more sensitive material: FancyBear’s full command-and-control (C2) source code, additional JavaScript payloads, campaign telemetry logs, and further exfiltrated data. The targeting pattern aligned with geopolitical priorities, with Ukraine’s regional prosecutors (likely linked to war crimes investigations) as the largest victim group. Other high-profile targets included Romania’s Air Force, Greece’s National Defence General Staff, Serbia’s Ministry of Defence, and Bulgarian government entities, all nations involved in recent military cooperation, such as Greece’s training of Ukrainian F-16 pilots and a 2024 military mobility agreement between Romania, Bulgaria, and Greece.
The most alarming technical aspect of the campaign was FancyBear’s method for silently bypassing 2FA. Using a JavaScript module (keyTwoAuth.js), the group exploited a Roundcube webmail XSS vulnerability to extract TOTP secrets and recovery codes from authenticated sessions without victim interaction. The module parsed the twofactorgauthenticator plugin settings, encoded the stolen data, and exfiltrated it to the group’s C2 server (zhblz.com) under the log prefix ktfu. Researchers recovered 516 log entries from 108 unique victim addresses, with 256 accounts having their TOTP secrets compromised, including targets at Romania’s Air Force, Greece’s GEETHA, Ukraine’s Asset Recovery Agency, and Serbia’s Ministry of Defence. The remaining 260 accounts had no 2FA enabled, making them trivial to access.
The exposure underscores the group’s persistent reliance on known infrastructure despite prior attribution, as well as the sophistication of its 2FA bypass techniques. While the incident provides defenders with critical intelligence, it also highlights the ongoing threat posed by FancyBear to NATO-aligned governments and military organizations.
MARCH 2026: 758
Vulnerability
01 Mar 2026 • MikroTik
MikroTik, Government agencies and TP-Link: Russia-Linked Hackers Hijack Routers to Steal Passwords, UK Says
Russian GRU-Linked Hackers Exploit Routers in Global Credential Theft Campaign
754
CRITICAL-4
MIKGOVTP-1775579498
The U.K.’s National Cyber Security Centre (NCSC) has issued a warning about a sophisticated cyber espionage campaign conducted by APT28, a hacking group tied to Russia’s GRU military intelligence agency. The attackers are compromising widely used internet routers, primarily from the manufacturers MikroTik and TP-Link, to intercept and redirect traffic through malicious servers under their control.
By altering router settings, the hackers gain the ability to steal passwords, manipulate data, and expand access to targeted networks. The NCSC’s alert highlights the risks of credential theft and broader system compromise, though neither MikroTik nor TP-Link has publicly responded to the findings.
Paul Chichester, the NCSC’s Director of Operations, emphasized that the campaign exploits vulnerabilities in common networking hardware, underscoring the threat posed by state-backed actors targeting critical infrastructure.
Parallel research from Lumen Technologies’ Black Lotus Labs revealed the campaign’s global scale, identifying thousands of potential victims across at least 120 countries. Primary targets included government agencies, such as foreign ministries and law enforcement, as well as third-party email providers.
The incident reflects growing international concern over router security. In a related move, the U.S. Federal Communications Commission (FCC) recently banned the sale of certain foreign-made consumer routers, citing supply-chain vulnerabilities that could enable large-scale disruptions to critical infrastructure.
The NCSC and Lumen’s findings provide technical guidance for mitigating such attacks, though the full scope of the campaign’s impact remains under investigation.
FEBRUARY 2026: 758
JANUARY 2026: 758
DECEMBER 2025: 758
NOVEMBER 2025: 758
OCTOBER 2025: 758
SEPTEMBER 2025: 758
AUGUST 2025: 758
JULY 2025: 758
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for MikroTik?
What was MikroTik's A.I Rankiteo Cyber Score in May 2026?
What was MikroTik's A.I Rankiteo Cyber Score in April 2026?
What was MikroTik's A.I Rankiteo Cyber Score in March 2026?
What was MikroTik's A.I Rankiteo Cyber Score in February 2026?
What was MikroTik's A.I Rankiteo Cyber Score in January 2026?
What was MikroTik's A.I Rankiteo Cyber Score in December 2025?
What was MikroTik's A.I Rankiteo Cyber Score in November 2025?
What was MikroTik's A.I Rankiteo Cyber Score in October 2025?
What was MikroTik's A.I Rankiteo Cyber Score in September 2025?
What was MikroTik's A.I Rankiteo Cyber Score in August 2025?
What was MikroTik's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on MikroTik's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with MikroTik?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view MikroTik's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?