UK Exposes Russian Cyber Unit for Hacking Home Routers to Support Espionage Operations

What happened

The UK publicly accused a unit of Russia’s military intelligence service of hacking home and small office routers to support cyber espionage operations against targets across Europe and beyond. The activity was attributed to GRU Unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. According to the government, the group used compromised routers as operational infrastructure to hide malicious traffic and support follow-on intrusions. Officials said the campaign relied on vulnerabilities and weak security in edge devices, rather than beginning with a direct compromise of the final target. The disclosure was accompanied by technical guidance from the National Cyber Security Centre, CISA, the FBI, and partners, outlining how the actors abused end-of-life and internet-exposed devices to build an anonymization layer that obscured the true origin of their cyber operations.

Who is affected

The direct exposure affects individuals and organizations using vulnerable home and small office routers, especially devices that are internet-exposed, unsupported, or poorly secured. The wider risk extends to government, critical infrastructure, and other organizations whose networks may be targeted through attacker traffic routed across those compromised edge devices.

Why CISOs should care

This matters because the operation shows how compromised consumer and small-business network equipment can become part of a state-backed espionage infrastructure. It also highlights that organizations may face hostile traffic that appears to originate from ordinary residential or small-office networks, complicating attribution, blocking, and incident response.

3 practical actions

  1. Review edge-device exposure: Identify unmanaged, end-of-life, or internet-exposed routers and similar devices that could be abused as covert infrastructure or as a stepping stone into broader environments.
  2. Tighten router security basics: Change default credentials, disable unnecessary remote administration, and keep supported devices updated to reduce the risk of device takeover.
  3. Treat residential-origin traffic carefully: Update detection and response playbooks for the possibility that malicious activity may be proxied through compromised home or small-office routers rather than obvious attacker infrastructure.
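One way to act on the third point in a detection playbook is to watch for a single account authenticating from many distinct residential networks in a short window, a pattern that is unusual for a legitimate user but typical when an attacker rotates through a pool of compromised home routers. The script below is an added illustration, not code from the brief or from the NCSC/CISA guidance: the log lines, the prefix-to-category mapping, the `find_residential_fanout` function and its window and threshold values are all constructed for this example (a production version would source the network categories from an ASN or GeoIP feed).

```python
"""Flag accounts whose logins arrive from many distinct residential source
addresses within a short window. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed prefix-to-category map. Real deployments would derive this from
# an ASN/GeoIP feed; the prefixes used here are RFC 5737 documentation ranges.
NETWORK_CATEGORIES = {
    ipaddress.ip_network("192.0.2.0/24"): "residential",
    ipaddress.ip_network("198.51.100.0/24"): "residential",
    ipaddress.ip_network("203.0.113.0/24"): "corporate",
}

# Constructed authentication log: "<ISO timestamp> <user> <result> <source ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 alice success 203.0.113.10
2024-05-01T10:02:00 alice success 203.0.113.10
2024-05-01T10:05:00 bob failure 192.0.2.15
2024-05-01T10:06:00 bob failure 192.0.2.77
2024-05-01T10:07:00 bob failure 198.51.100.9
2024-05-01T10:08:00 bob success 198.51.100.200
2024-05-01T14:00:00 carol success 192.0.2.30
"""


def categorize(ip_str):
    """Return the network category for an address, or 'unknown' if unmapped."""
    ip = ipaddress.ip_address(ip_str)
    for net, category in NETWORK_CATEGORIES.items():
        if ip in net:
            return category
    return "unknown"


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "ip": ip}


def find_residential_fanout(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {user: {"distinct_ips": n, "ips": [...]}} for every user who
    authenticated from at least `threshold` distinct residential addresses
    inside any `window`-long span. Both failures and successes count, since
    password spraying through rotating proxies mostly produces failures."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    residential = defaultdict(list)
    for event in events:
        if categorize(event["ip"]) == "residential":
            residential[event["user"]].append(event)

    alerts = {}
    for user, evs in residential.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ips = {e["ip"] for e in evs[start:end + 1]}
            if len(ips) >= threshold and len(ips) > alerts.get(user, {}).get("distinct_ips", 0):
                alerts[user] = {"distinct_ips": len(ips), "ips": sorted(ips)}
    return alerts


if __name__ == "__main__":
    for user, detail in find_residential_fanout(SAMPLE_LOG).items():
        print(f"{user}: {detail['distinct_ips']} residential sources in window: "
              f"{', '.join(detail['ips'])}")
```

Running it on the constructed log flags only `bob`, whose four attempts in three minutes came from four different residential addresses; `alice` is ignored because her traffic is corporate-origin and `carol` has a single residential source. Tune the window and threshold to the baseline of your own user population before wiring the rule into an alerting pipeline.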
