
Russian Cyber Spies Targeting Consumer, SOHO Routers
Why It Matters
Compromised routers can serve as a gateway to broader enterprise networks, amplifying data‑theft risks and highlighting the urgent need for robust device‑level security across the internet edge.
Key Takeaways
- APT28 hijacked DNS on 5,000 consumer routers.
- Over 200 organizations compromised since August 2025.
- Vulnerable routers enable adversary‑in‑the‑middle credential theft.
- FCC bans foreign routers, yet firmware flaws remain.
- Inventory, patching, and segmentation essential for mitigation.
Pulse Analysis
The recent disclosure by the NCSC and Microsoft shines a spotlight on a sophisticated DNS‑hijacking campaign that leverages everyday broadband routers as covert entry points. By altering DNS settings on compromised devices, APT28 redirects user traffic to servers under its control, enabling adversary‑in‑the‑middle theft of login credentials, passwords, and access tokens. With more than 5,000 consumer routers and over 200 corporate networks affected since August 2025, the operation demonstrates how low‑cost, widely deployed hardware can be weaponised at scale, blurring the line between personal and corporate cyber risk.
While the US Federal Communications Commission’s ban on routers built outside the United States aims to curb foreign supply‑chain threats, the Fancy Bear campaign underscores a deeper problem: firmware vulnerabilities persist regardless of a device’s country of origin. Out‑of‑date software components, weak default credentials, and prolonged support lifecycles create a fertile environment for exploitation. Security analysts argue that focusing solely on hardware provenance overlooks the systemic issue of inadequate patch management and the prevalence of legacy code in network equipment.
Mitigating this threat requires a multi‑layered approach. Organizations should maintain accurate inventories of all network devices, prioritize lifecycle management, and enforce timely firmware updates. Disabling internet‑exposed management interfaces, enforcing unique, strong credentials, and segmenting network zones can prevent a single compromised router from cascading into a full‑blown breach. As routers continue to sit at the network edge, treating them as a critical component of the attack surface is essential for safeguarding both consumer privacy and enterprise data.
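The following is an added example, not code from the article, the NCSC, or Microsoft. It turns the DNS‑hijack indicator from the analysis above (resolvers pointed at servers the organization does not control) and the mitigation checklist in the paragraph above (exposed WAN management, default credentials, stale firmware, missing segmentation) into a fleet audit over router configuration exports. The key=value export format, the hostnames, the allowlisted resolver addresses and the sample values are all constructed for this example; a real vendor export would need its own parser.

```python
"""Audit SOHO router configuration exports for the DNS-hijack indicator and the
configuration weaknesses discussed in the article. Added example; every input
value here is constructed, not taken from a real device."""
from datetime import date

# Assumption: these are the organisation's own recursive resolvers
# (documentation-range addresses standing in for real ones).
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# A few widely published factory-default username/password pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
# Firmware older than this is treated as out of the patch cycle.
MAX_FIRMWARE_AGE_DAYS = 365

# Constructed sample exports in a hypothetical key=value format.
SAMPLE_EXPORTS = [
    "hostname=branch-rtr-01\n"
    "dns_primary=192.0.2.53\n"
    "dns_secondary=198.51.100.7\n"   # not on the allowlist: hijack indicator
    "wan_admin=enabled\n"
    "admin_user=admin\n"
    "admin_password=admin\n"
    "firmware_build=2023-04-11\n"
    "mgmt_vlan=corp\n",
    "hostname=branch-rtr-02\n"
    "dns_primary=192.0.2.53\n"
    "dns_secondary=192.0.2.54\n"
    "wan_admin=disabled\n"
    "admin_user=netops\n"
    "admin_password=example-unique-passphrase\n"
    "firmware_build=2025-12-02\n"
    "mgmt_vlan=mgmt\n",
]


def parse_export(text: str) -> dict[str, str]:
    """Parse one key=value export into a dict, skipping blank and comment lines."""
    config: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def audit_router(config: dict[str, str], today: date) -> list[str]:
    """Return a list of finding codes for one router; an empty list means clean."""
    findings: list[str] = []

    # DNS hijack indicator: any resolver the organisation does not control.
    resolvers = [config.get("dns_primary", ""), config.get("dns_secondary", "")]
    rogue = sorted(r for r in resolvers if r and r not in ALLOWED_RESOLVERS)
    if rogue:
        findings.append("DNS_HIJACK_INDICATOR:" + ",".join(rogue))

    # Internet-exposed management interface.
    if config.get("wan_admin") == "enabled":
        findings.append("WAN_ADMIN_EXPOSED")

    # Factory-default credentials still in place.
    if (config.get("admin_user"), config.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("DEFAULT_CREDENTIALS")

    # Firmware outside the patch window, or no build date at all.
    try:
        build = date.fromisoformat(config.get("firmware_build", ""))
        if (today - build).days > MAX_FIRMWARE_AGE_DAYS:
            findings.append("STALE_FIRMWARE")
    except ValueError:
        findings.append("FIRMWARE_DATE_UNKNOWN")

    # Management plane sharing the general corporate segment.
    if config.get("mgmt_vlan", "corp") == "corp":
        findings.append("MGMT_NOT_SEGMENTED")

    return findings


def audit_fleet(exports: list[str], today: date) -> dict[str, list[str]]:
    """Audit every export and key the findings by hostname."""
    report: dict[str, list[str]] = {}
    for text in exports:
        config = parse_export(text)
        report[config.get("hostname", "<unknown>")] = audit_router(config, today)
    return report


def run_sample_audit() -> dict[str, list[str]]:
    """Audit the constructed sample as of a fixed date so results are reproducible."""
    return audit_fleet(SAMPLE_EXPORTS, date(2026, 3, 1))


if __name__ == "__main__":
    for host, findings in run_sample_audit().items():
        print(host, "OK" if not findings else ", ".join(findings))
```

The resolver allowlist is the check that matters most for this campaign: a router whose DHCP‑advertised resolvers drift away from the organization's own servers is the first visible symptom of the DNS rewrite described above, and it is cheap to verify on every device in the inventory. The remaining checks map one to one onto the mitigation list in the paragraph above, so a single report shows both whether a device is already showing the indicator and whether it is configured in a way that made the compromise easy.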