Russian hacking group targets home and small office routers to spy on users


British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign.

A Microsoft blog goes into the technical details of these attacks. The group, which researchers will refer to as APT28, but is also known under names like Fancy Bear, BlueDelta, and Forest Blizzard, changes the DNS settings of compromised routers so their traffic is sent through servers under their control, which enables APT28 to spy on users. The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol (IP) addresses. Devices usually get network settings from routers using Dynamic Host Configuration Protocol (DHCP).

Read more…
Source: Malwarebytes labs


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Trump administration subpoenas New York Times journalists over new Air Force One reporting

    July 11, 2026

    The Trump administration has issued subpoenas to several New York Times journalists after the newspaper reported on security concerns with the president’s new plane. The Times said its journalists were subpoenaed on Friday by the US justice department to testify before a federal grand jury in Manhattan five days later, marking the latest effort by the Trump White ...

  • Ukrainians are using VPNs to cause havoc in Russia by changing fuel station statuses on maps in a bid to cause chaos and confusion

    July 11, 2026

    A coordinated online campaign has reportedly encouraged users to alter fuel station information on digital maps across Russia, creating confusion among drivers. The activity involves changing station statuses by marking locations with available fuel as empty or showing closed stations as operational. Supporters of the campaign claim the effort is designed to disrupt travel decisions, increase uncertainty, ...

  • Supermarket chain Lidl warns customers after data leak

    July 10, 2026

    Unknown individuals managed to gain access to customer data held by the supermarket chain Lidl. The German company informed affected customers of this via email this week. Thus far, the supermarket chain has declined to say how many customers were affected. However, the discount retailer did state that it has notified the Dutch Data Protection Authority. Read ...

  • No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

    July 10, 2026

    The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling ...

  • Florida ransomware negotiator convicted for helping ransomware gang extort US companies

    July 10, 2026

    Florida man Angelo Martino has been sentenced to more than five years in prison for conspiring with hackers to deploy ransomware during his job as a ransomware negotiator for a U.S. cybersecurity company. The U.S. Department of Justice confirmed the sentence on Thursday, noting that the government seized more than $10 million worth of cryptocurrency and assets. Martino ...

  • Accenture confirms breach after hacker steals 35GB of source code and other data

    July 9, 2026

    Accenture has confirmed suffering a cyberattack, days after threat actors started selling an archive allegedly coming from the firm. “We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery,” Accenture said in a statement. It follows a relatively unknown threat actor called 888 posting ...