Britons alerted to Russian hackers attacking home routers in spy campaign

Russian state-backed hackers are turning a common household item, the internet router, into a tool for espionage, according to a stark warning from UK cybersecurity authorities.

The National Cyber Security Centre (NCSC) issued an alert on Tuesday, 5 March 2024, stating that actors “almost certainly” linked to Russian intelligence services are exploiting these devices to harvest information. The agency believes the operations are opportunistic, targeting a wide pool of victims before filtering for those of potential intelligence value as they penetrate further into networks.

This tactic targets what are known as “edge devices” – hardware like routers and security cameras that form the bridge between a private network and the wider internet. Professor Alan Woodward of the University of Surrey noted that such devices are often overlooked. “They can become a weak point,” he said, “and they are quite often forgotten about.”

How a Compromised Router Unlocks Your Network

Once attackers gain control of a router, the potential consequences for users are severe and multi-layered. According to experts, the exploitation allows for credential harvesting, stealing users’ login details. Perhaps more insidiously, a compromised router can silently redirect traffic, meaning a user might think they are visiting their bank’s website but are instead sent to a sophisticated fake site designed to capture their financial information.

From this foothold, attackers can then pivot to other devices. “They can establish themselves on your network, move around your network, and see if the devices on your network – your PC, your phone – have any vulnerabilities,” Professor Woodward explained. This lateral movement turns a single point of failure into a gateway to a user’s entire digital life, whether at home or in a small business.

The NCSC attributes this activity to the group APT28, also known as Fancy Bear, which has a long history of cyber-espionage. The group was behind the 2015 attack on the German parliament, which resulted in the theft of large amounts of data including confidential emails. Professor Woodward added that while the direct link to the Russian state is often obscured through the use of criminal groups, the suspicion of state sponsorship remains strong.

US Responds with Ban on Foreign-Made Routers

The threat to critical network hardware has prompted significant regulatory action in the United States. The US Federal Communications Commission (FCC) recently banned the sale of all consumer-grade internet routers manufactured outside the country, stating they “pose unacceptable risks to the national security of the United States.”

The FCC said malicious actors had exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft. This move stands to severely affect the market, as the vast majority of internet routers are manufactured in China or Taiwan. A notable exception is Elon Musk’s Starlink service, which manufactures a significant portion of its user terminals in Texas.

However, privacy experts caution that a ban on new devices does not address the vulnerabilities in the millions of routers already in use. A more pervasive problem, they note, is the prevalence of older routers that have reached the end of their supported life and no longer receive vital security updates from manufacturers. Professor Woodward’s advice is clear: individuals and small businesses should ensure their routers are kept updated and should monitor for any unusual network activity.
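One concrete way to act on that advice at home or in a small business is to check which DNS resolvers your machines are actually using. The article says only that a compromised router can "silently redirect traffic"; the check below assumes one common way that happens, the router handing out a rogue DNS server over DHCP, and compares the resolvers a host picked up against the ones you deliberately chose. This is an added example, not code from the article, the NCSC or any vendor; the sample resolv.conf text and the allowlist are constructed and should be replaced with your own values.

```python
"""Flag DNS resolvers a host did not expect to be using.

Added defensive check (not from the original article): a compromised
router can push unexpected DNS servers to every device on the LAN via
DHCP, which is one way traffic ends up at a look-alike site instead of
the real one. Comparing the resolvers a machine actually uses with the
ones it should be using is a cheap way to notice that.
"""
import ipaddress

# Constructed sample of /etc/resolv.conf on a home LAN after the router
# started advertising two resolvers nobody in the household configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 8.8.4.4
nameserver 192.168.1.53
options edns0 trust-ad
"""

# Constructed allowlist: the router's LAN address plus the public resolvers
# this household chose on purpose. Replace with your own values.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments, blank lines and other directives (search, options) are
    ignored; a malformed address is skipped rather than raising.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Strip trailing comments in either resolv.conf comment style.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue
    return servers


def find_unexpected_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Return (address, reason) pairs for resolvers not in the allowlist.

    The reason separates an unknown public resolver (the more worrying
    case, since nothing on your LAN should be choosing one for you) from
    an unknown address inside the private network.
    """
    findings = []
    for addr in parse_nameservers(resolv_conf_text):
        if addr in expected:
            continue
        scope = "private" if ipaddress.ip_address(addr).is_private else "public"
        findings.append((addr, f"unexpected {scope} resolver"))
    return findings


if __name__ == "__main__":
    # On a real host, read /etc/resolv.conf instead of the constructed sample.
    for addr, reason in find_unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT: {addr}: {reason}")
```

Run it periodically (a cron job is enough) and treat any alert as a prompt to log into the router, compare its DHCP and DNS settings against what you set, and check the firmware version against the manufacturer's current release.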

The devastating potential of a router compromise is not theoretical. One of the largest cyber-heists in history, the 2016 theft of $80 million from Bangladesh’s central bank, was enabled because the bank used cheap, secondhand routers that were accessible from the open internet. Hackers, believed to be from a North Korean state-linked group, breached the routers, moved to the bank’s core network, and initiated the fraudulent transfers. As Professor Woodward observed, this method of initial network probing and exploitation is a “classic way that people probe, and it’s almost bound to happen again.”

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
· Market and regulatory analysis, fintech sector reporting, enterprise technology coverage
· UK corporate landscape, tax and fiscal policy, interest rates and mortgages, AI regulation, cybersecurity threats, startup ecosystem
