Russian GRU Unit Hijacks Home Routers to Spy on Internet Traffic, Threatening SMEs and Consumers
What Happened – British intelligence disclosed that the Russian military intelligence unit (GRU Unit 26165, aka Fancy Bear/APT28) is compromising vulnerable home and small‑office routers to redirect DNS traffic and conduct man‑in‑the‑middle espionage. The attackers exploit default SNMP community strings and known firmware flaws to gain persistent control.
Why It Matters for TPRM –
- Router compromise creates a covert channel for data exfiltration from any downstream business applications.
- The supply‑chain nature of consumer‑grade networking gear means many third‑party vendors may unknowingly expose client environments.
- Persistent access enables long‑term intelligence gathering on critical business communications.
Who Is Affected – Small‑office/home‑office (SOHO) environments, consumer broadband users, and any organization that deploys TP‑Link router models with weak security settings.
Recommended Actions –
- Inventory all deployed routers and verify firmware is up‑to‑date.
- Disable SNMPv2 where it is not needed, or enforce strong, unique community strings.
- Enforce network segmentation to isolate IoT/edge devices from core systems.
- Conduct DNS security monitoring for unauthorized changes.
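The DNS-monitoring action above, worked through as an added example (not code from the article or from The Record): it audits the DNS servers each router hands out to its clients against an allowlist, lets a router point clients at its own LAN address as a forwarder, and flags any change from the previous inventory snapshot. The approved resolvers, device names and snapshots are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Set

# Resolvers the organisation expects its routers to advertise (assumed values,
# drawn from TEST-NET-3 documentation space).
APPROVED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
# Private ranges in which a router may legitimately advertise itself as the
# resolver (a LAN-side forwarder).
LOCAL_FORWARDER_NETS = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_resolver(addr: str, router_lan_ip: str) -> str:
    """Return 'approved', 'local-forwarder' or 'unauthorized' for one resolver."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unauthorized"  # a malformed DHCP DNS option is itself suspicious
    if addr in APPROVED_RESOLVERS:
        return "approved"
    if addr == router_lan_ip and any(ip in net for net in LOCAL_FORWARDER_NETS):
        return "local-forwarder"
    return "unauthorized"

def audit_snapshot(device: str, router_lan_ip: str, resolvers: List[str],
                   baseline: Dict[str, Set[str]]) -> List[str]:
    """Check one router's advertised resolvers against the allowlist and the
    previous snapshot; update the baseline and return findings."""
    findings = [f"{device}: unauthorized DNS server {addr}" for addr in resolvers
                if classify_resolver(addr, router_lan_ip) == "unauthorized"]
    previous, current = baseline.get(device), set(resolvers)
    if previous is not None and current != previous:
        findings.append(f"{device}: DNS servers changed from "
                        f"{sorted(previous)} to {sorted(current)}")
    baseline[device] = current
    return findings

# Constructed inventory: (device, router LAN IP, resolvers advertised via DHCP).
BASELINE = {"branch-rtr-01": {"203.0.113.53", "203.0.113.54"}}
SNAPSHOTS = [
    ("branch-rtr-01", "192.168.1.1", ["203.0.113.53", "203.0.113.54"]),  # unchanged
    ("home-rtr-07", "192.168.0.1", ["192.168.0.1"]),                     # forwards; first seen
    ("branch-rtr-01", "192.168.1.1", ["198.51.100.23", "203.0.113.53"]), # hijacked (TEST-NET-2 stands in)
]

def run_audit(snapshots=SNAPSHOTS) -> List[str]:
    baseline = dict(BASELINE)  # inner sets are replaced, never mutated
    findings: List[str] = []
    for device, lan_ip, resolvers in snapshots:
        findings.extend(audit_snapshot(device, lan_ip, resolvers, baseline))
    return findings

if __name__ == "__main__":
    print("\n".join(run_audit()) or "no findings")
```

Feeding the function real snapshots (for example from a periodic DHCP lease or router-config export) turns it into the change detector the action calls for; the allowlist should hold the resolvers your ISP or corporate DNS actually uses.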
Technical Notes – The attack vector relies on misconfigured SNMP (default community strings) and exploitation of unpatched firmware vulnerabilities in TP‑Link models. Once a router is compromised, its DNS settings are altered to route traffic through attacker‑controlled servers, enabling credential harvesting and traffic interception. Source: The Record