According to TechCrunch, Russian government-affiliated hackers accessed thousands of home routers worldwide to extract login credentials. The operation targeted devices from multiple manufacturers, including TP-Link, Netgear, and D-Link. Cybersecurity firms identified the activity as part of broader espionage efforts.
Russian state-sponsored hackers have compromised thousands of home routers to steal passwords and other credentials, as reported by TechCrunch. The intrusions affected devices from manufacturers such as TP-Link, Netgear, Synology, QNAP, and D-Link. Cybersecurity researchers from Lumen's Black Lotus Labs detected the activity, which involved malware deployment to extract sensitive data.
The hackers, linked to Russian intelligence, targeted routers in the United States, Europe, and Asia. The operation began as early as 2020 and continued through at least mid-2023. Affected users included households and small businesses relying on these devices for internet connectivity.
Black Lotus Labs analyzed network traffic and identified over 8,000 compromised routers.
The malware, known as VPNFilter variants and custom implants, allowed remote access and data exfiltration. Routers were reprogrammed to serve as proxies for further attacks, potentially enabling command-and-control operations. The stolen credentials included login details for email, social media, and financial services.
No specific number of victims was disclosed, but the scale suggests widespread exposure. Manufacturers have issued firmware updates to mitigate the risks, though not all devices received them promptly.
Attribution points to the Russian Fancy Bear group, also known as APT28, based on code similarities and tactics observed in prior campaigns.
Hackers exploited known vulnerabilities in router firmware, such as outdated software and weak default passwords. The campaign aimed to build a botnet for espionage and disruption. U.S. cybersecurity agencies, including CISA, have warned about similar threats from state actors.
Affected parties are advised to reset devices, update firmware, and change default credentials. International cooperation may lead to further investigations into the operation's full extent.
This incident highlights ongoing risks to consumer networking equipment from nation-state actors.
Home users and organizations face potential data breaches and network compromises. Monitoring by cybersecurity firms continues, with expectations of patches and advisories from vendors in the coming months.