Russia Behind Recent TP-Link Router Hacking, According to UK’s Cyber Security Agency


The UK’s National Cyber Security Centre (NCSC) has warned companies and government agencies that Russian hackers are conducting a malicious campaign to steal passwords and data by targeting TP-Link routers, The Register reports. Perhaps this is part of why TP-Link and other “foreign-made” routers were recently banned from being imported into the United States.

The NCSC report highlights the Russian hacking group APT28, also known as Fancy Bear, which has previously been linked to Russia's military intelligence service, the GRU. The group has been exploiting vulnerabilities in small-office and home-office (SOHO) routers and changing the routers' DNS settings so that victims are redirected to websites under the attackers' control, where targets can be exploited further and served malware.

The campaign appears to be aimed in part at Ukrainian infrastructure: the group has reportedly also targeted MikroTik routers, many of them located in Ukraine. Compromising those devices could give Russia information about, or access to, infrastructure relevant to its war aims in its illegal invasion of Ukraine.

“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors,” said Paul Chichester, director of operations at the NCSC. “We strongly encourage organizations and network defenders to familiarize themselves with the techniques described in the advisory and to follow the mitigation advice.”

[Figure: Microsoft's breakdown of how the attacks worked. Credit: Microsoft]

Microsoft has also been tracking and disrupting the activity. In its report, it said Russian groups have been targeting TP-Link and similar router brands since August 2025, and that the attacks were largely designed to gain a foothold in the organizations sitting behind those routers, which the groups can then use to reach environments that are otherwise better monitored and protected.

“Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy initiatives, has also leveraged its DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains,” Microsoft explained. It noted that this could allow Russian hacking groups to intercept cloud data, potentially leaving important institutions such as governments, the energy sector, and telecoms infrastructure vulnerable.

Microsoft software and fake Microsoft services were key components of these attacks. Microsoft noted that fake versions of its Outlook web login pages were used to trick users, and that the Russian groups targeted Microsoft-hosted servers in an attempt to grab sensitive organizational data.

Microsoft and the NCSC encourage organizations to monitor their DNS traffic for unexpected activity, such as clients resolving names through resolvers the organization did not configure. Known malicious domains should be blocked outright to stop the delivery of malicious code, and, most importantly, consumer-grade home routers should not be used in enterprise environments where stronger security controls are required.
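The two detection points above (a router whose DNS settings have been changed, and a monitored name such as Outlook on the web resolving somewhere it should not) can both be checked from resolver logs. The following is an added example, not code from the NCSC or Microsoft advisories: it parses a constructed, simplified log format, flags queries sent to resolvers outside an assumed allowlist, flags answers for monitored names that fall outside assumed expected prefixes (RFC 5737 documentation ranges stand in for the real ones), and treats several clients using the same unapproved resolver as a sign that the gateway's DHCP/DNS settings, not a single host, were changed. The log format, resolver addresses and prefixes are all hypothetical.

```python
"""DNS hijack indicators from resolver logs (illustrative example, not advisory code)."""
import ipaddress
import re
from collections import defaultdict

# Assumed: the internal resolvers clients on this network are supposed to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumed: monitored names and the prefixes their answers are expected to fall in.
# RFC 5737 documentation prefixes stand in for the real service ranges here.
EXPECTED_ANSWERS = {
    "outlook.office.com": [ipaddress.ip_network("198.51.100.0/24")],
    "outlook.office365.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed log format: "<ts> <client> -> <resolver> <qname> A <answer>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+->\s+(?P<resolver>\S+)\s+"
    r"(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$"
)

# Constructed sample: .21 and .22 have been handed a rogue resolver (203.0.113.9),
# and .21's Outlook lookup comes back pointing at an attacker-controlled address.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 192.168.1.20 -> 10.0.0.53 outlook.office.com A 198.51.100.7
2025-09-01T10:00:03Z 192.168.1.21 -> 203.0.113.9 outlook.office.com A 203.0.113.10
2025-09-01T10:00:05Z 192.168.1.22 -> 203.0.113.9 example.org A 203.0.113.11
2025-09-01T10:00:09Z 192.168.1.23 -> 10.0.0.53 example.org A 192.0.2.44
garbage line that does not match the format
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (rule, client, detail) findings for the given log lines."""
    findings = []
    rogue_resolver_clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        qname = rec["qname"].rstrip(".").lower()

        # Rule 1: the query went to a resolver that is not one of ours.
        if rec["resolver"] not in APPROVED_RESOLVERS:
            findings.append(("unapproved_resolver", rec["client"], rec["resolver"]))
            rogue_resolver_clients[rec["resolver"]].add(rec["client"])

        # Rule 2: a monitored name resolved outside its expected prefixes.
        if qname in EXPECTED_ANSWERS:
            try:
                answer = ipaddress.ip_address(rec["answer"])
            except ValueError:
                findings.append(("unparseable_answer", rec["client"], rec["answer"]))
                continue
            if not any(answer in net for net in EXPECTED_ANSWERS[qname]):
                findings.append(("unexpected_answer", rec["client"], f"{qname} -> {answer}"))

    # Rule 3: two or more clients sharing the same unapproved resolver points at the
    # gateway's DHCP/DNS configuration having been changed, not a lone misconfigured host.
    for resolver, clients in rogue_resolver_clients.items():
        if len(clients) >= 2:
            findings.append(("likely_router_dns_change", ",".join(sorted(clients)), resolver))
    return findings


if __name__ == "__main__":
    for rule, client, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:26} client={client:30} {detail}")
```

Run against real resolver or firewall logs, the allowlist of resolvers and the expected prefixes are the parts to replace; the rogue-resolver rule is the one that most directly catches a router whose DNS settings were rewritten, because every client behind it starts using the attacker's resolver at once.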
