Russian Hackers Exploited Old Wi-Fi Routers to Steal Data
A Russian military hacking group ran an espionage operation by exploiting security vulnerabilities in old Wi-Fi routers, but the operation was thwarted by the U.S. FBI and Department of Justice. According to the FBI and the Department of Justice, the attack was led by APT28 (also known as Fancy Bear and Forest Blizzard), a hacking group linked to Russia's GRU military intelligence agency. The group primarily used techniques that target vulnerabilities in small office/home office (SOHO) routers.
The hackers altered router settings to covertly redirect internet requests to servers they controlled. Specifically, they changed DNS settings so that users' requests passed through hacker-controlled servers whenever they accessed websites. This allowed them to steal sensitive login information or conduct surveillance. From the user's perspective, the connection worked and web browsing looked normal, but the traffic was actually being rerouted along a path controlled by the hackers. The method is dangerous because it gives users no direct sign that anything is wrong, and it reflects a trend toward more sophisticated cyber threats.
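Because the DNS change described above leaves browsing looking normal, one practical check is to compare the resolvers a client actually received against the ones the site expects. The following is an added example, not code from the FBI, the Department of Justice or the NCSC; the sample file, the addresses (documentation ranges) and the expected-resolver list are constructed assumptions.

```python
import ipaddress

# Constructed sample: a resolv.conf as a DHCP client might write it.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search lan
nameserver 192.168.0.1
nameserver 203.0.113.53   # not a resolver this site expects
nameserver fe80::1%eth0
"""

# Assumption: the resolvers this site expects. Replace with your own.
EXPECTED_RESOLVERS = ["192.168.0.1/32", "fe80::/10", "198.51.100.0/24"]


def parse_nameservers(text):
    """Return the IP addresses found on 'nameserver' lines."""
    servers = []
    for line in text.splitlines():
        # Drop comments, then split the remaining fields.
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # strip IPv6 zone id
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # malformed address: nothing to compare
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return configured resolvers that fall outside the expected set."""
    nets = [ipaddress.ip_network(n) for n in expected]
    return [
        str(ip)
        for ip in parse_nameservers(text)
        if not any(ip.version == n.version and ip in n for n in nets)
    ]


if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"unexpected DNS resolver configured: {ip}")
```

This only covers resolvers handed to clients; if the router forwards DNS queries itself, clients will still see the router's address, so the DNS fields on the router's own administration page need the same comparison.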
The Department of Justice and FBI successfully disrupted the network within the United States in April. The TP-Link WR841N was identified as a router model frequently used in the attacks, and the UK's NCSC mentioned additional TP-Link models targeted by APT28. The FBI added that this list may not be exhaustive.
The main reason old routers become a security weakness is the lack of regular updates and maintenance. When a manufacturer discontinues support, known security flaws can remain unpatched. In addition, users often fail to change their routers' default administrator passwords, which gives hackers an opening that makes the devices easier to access.
