Morning Overview

GRU hijacks TP-Link, MikroTik routers to steal Outlook logins

Russia’s military intelligence agency, the GRU, has been compromising consumer-grade TP-Link and MikroTik routers to intercept Microsoft Outlook login credentials, according to coordinated warnings from U.S. and U.K. security agencies. The operation, attributed to the GRU’s 85th GTsSS, also tracked as APT28, Fancy Bear, and Forest Blizzard, uses hijacked routers to redirect DNS traffic and position attackers between victims and legitimate email servers. The campaign targets passwords and access tokens from personal web and email accounts, raising direct risks for individuals and organizations whose network equipment runs outdated firmware.

What is verified so far

The attack chain runs in three steps: APT28 first exploits known vulnerabilities in consumer routers, then changes the DHCP and DNS settings on the compromised device, and finally operates as an adversary-in-the-middle between the victim and the legitimate service. The DHCP change is what gives the operation its reach: a router that advertises an attacker-controlled DNS server in its DHCP offers makes every client on that network send its lookups to infrastructure the attackers control, and the answers can steer connections for the targeted services to an attacker-run host. That technical breakdown comes from a detailed NCSC advisory that maps the activity to the MITRE ATT&CK framework and publishes extensive infrastructure indicators, including multiple IP ranges tied to malicious DNS and adversary-in-the-middle clusters. By sitting between the user and the real server, the attackers can collect login credentials, session tokens, and other authentication material while the victim sees what looks like a normal login.
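The three steps above have a matching three-part detection: check what DNS servers the router is actually handing out over DHCP, resolve the targeted service through the router's resolver and through a trusted out-of-band resolver and compare, and hunt firewall logs for traffic to the published indicator ranges (the "scan logs, update blocklists" point the article returns to under "How to read the evidence"). The following is an added example written for this article, not code from the NCSC, NSA or FBI advisories. Every IP range, resolver address, hostname-to-address mapping and log line in it is a constructed placeholder drawn from RFC 5737 TEST-NET space; the real indicator ranges from the advisory must be substituted before use, and the hostname outlook.office.com is used purely as an illustration since the advisories reviewed here do not list target hostnames.

```python
"""
Added example for this article, not code from the NCSC/NSA/FBI advisories.

Offline detection of the DHCP/DNS hijack pattern:
  1. a compromised router pushes an attacker-controlled DNS server via DHCP,
  2. that resolver answers lookups for the targeted service with the address
     of an adversary-in-the-middle (AitM) host,
  3. client traffic to that host reaches the real service only via the attacker.

All IP ranges, answers and log lines below are CONSTRUCTED placeholders from
RFC 5737 TEST-NET space; substitute the advisory's real indicators before use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Stand-ins for the advisory's malicious-DNS and AitM cluster ranges (constructed).
IOC_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Resolvers this network is supposed to hand out via DHCP (constructed).
EXPECTED_RESOLVERS = {"10.0.0.1", "9.9.9.9"}

# Constructed firewall log lines in a generic key=value form.
SAMPLE_LOG = [
    "src=10.0.0.23 dst=9.9.9.9 proto=udp dport=53 action=allow",
    "src=10.0.0.23 dst=192.0.2.53 proto=udp dport=53 action=allow",
    "src=10.0.0.41 dst=198.51.100.20 proto=tcp dport=443 action=allow",
    "src=10.0.0.41 dst=203.0.113.10 proto=tcp dport=443 action=allow",
]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = overlaps published indicators, "medium" = anomaly only
    detail: str


def in_ioc_range(ip: str) -> bool:
    """True if ip falls inside any published indicator range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_RANGES)


def audit_dhcp_resolvers(offered: list[str]) -> list[Finding]:
    """Compare the DNS servers a router advertises in its DHCP offer with the
    approved set; a resolver inside an IoC range is the hijack signature."""
    findings = []
    for ip in offered:
        if in_ioc_range(ip):
            findings.append(Finding("high", f"DHCP-offered DNS server {ip} is inside a published malicious-DNS range"))
        elif ip not in EXPECTED_RESOLVERS:
            findings.append(Finding("medium", f"DHCP-offered DNS server {ip} is not an approved resolver"))
    return findings


def compare_resolutions(hostname: str, router_answers: list[str], trusted_answers: list[str]) -> list[Finding]:
    """Resolve the same name through the router-supplied resolver and through a
    trusted out-of-band resolver (for example over a cellular link). An answer
    inside an IoC range is strong evidence of AitM redirection. Bare divergence
    is weaker: CDN-fronted names legitimately return different addresses from
    different vantage points, so it is reported as medium only."""
    router, trusted = set(router_answers), set(trusted_answers)
    bad = sorted(ip for ip in router if in_ioc_range(ip))
    if bad:
        return [Finding("high", f"{hostname}: router resolver returned IoC address(es) {bad}")]
    if router and not (router & trusted):
        return [Finding("medium", f"{hostname}: router answers {sorted(router)} share nothing with trusted answers {sorted(trusted)}")]
    return []


_KV = re.compile(r"(\w+)=(\S+)")


def hunt_log_lines(lines: list[str]) -> list[Finding]:
    """Scan key=value firewall lines for any destination inside an IoC range.
    udp/53 to an IoC address points at the hijacked resolver; any other port
    means a client is already talking to the AitM host."""
    findings = []
    for line in lines:
        fields = dict(_KV.findall(line))
        dst = fields.get("dst")
        if dst and in_ioc_range(dst):
            kind = "hijacked DNS resolver" if fields.get("dport") == "53" else "AitM host"
            findings.append(Finding("high", f"{fields.get('src')} -> {dst}:{fields.get('dport')} ({kind})"))
    return findings


def run_demo() -> list[Finding]:
    """Run all three checks over the constructed data and return the findings."""
    results = []
    results += audit_dhcp_resolvers(["10.0.0.1", "192.0.2.53"])
    # outlook.office.com is only an illustrative name; the advisories reviewed
    # here do not list target hostnames. Both answer sets are constructed.
    results += compare_resolutions("outlook.office.com", ["198.51.100.20"], ["203.0.113.10"])
    results += hunt_log_lines(SAMPLE_LOG)
    return results


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity}] {f.detail}")
```

The severity split is deliberate: only overlap with a published indicator range is rated high, because an unexpected resolver or a resolution mismatch on its own is routine on networks that use ISP resolvers or CDN-fronted services. In practice the DHCP check is the one a router owner can run without any tooling, by reading the DNS servers a freshly connected client received and comparing them with what the router's administration page says it should hand out.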

The U.S. side of the disclosure centers on an FBI public service announcement, backed by the NSA, that ties the router exploitation specifically to TP-Link devices and references a specific CVE. In its supporting statement, the NSA describes how Russian operators from the GRU’s 85th GTsSS use these compromised routers to collect credentials from targeted users. The release explicitly names the 85th GTsSS and the industry labels that overlap with it (APT28, Fancy Bear, and Forest Blizzard), and confirms that the operation’s primary goal is credential collection, which aligns with the UK findings about harvesting passwords and access tokens from email platforms.

On the U.K. side, the government framed the disclosure as exposing Russian military intelligence hijacking vulnerable routers for cyber attacks. In its public communication, the NCSC explains that GRU-linked actors have been abusing weakly secured devices in homes and small businesses to harvest login credentials, including passwords and access tokens, from personal web and email services. The language is direct: this is state-sponsored credential theft conducted through everyday network equipment that many users rarely update or monitor.

The NCSC has also been using its broader reporting platform to highlight patterns in Russian state-linked activity, and defenders can consult the agency’s threat reporting for additional technical context and related incidents. Together, these publications sketch a consistent picture of a long-running GRU capability focused on compromising edge devices and abusing them as infrastructure for espionage operations.

This is not the first time U.S. authorities have acted against GRU-controlled router infrastructure. The Department of Justice previously conducted a court-authorized disruption of a botnet built on compromised small-office and home-office routers. In that operation, described in a DOJ announcement, U.S. officials obtained a warrant to send commands to infected devices and remove the malware, taking care to avoid permanent changes to the hardware. That earlier action involved testing on affected firmware and publishing a redacted affidavit describing how agents neutralized the threat without damaging the routers. The fact that the U.S. government has already gone through a federal court to dismantle one GRU router botnet signals how seriously officials treat these campaigns.

Separately, CISA has flagged Russian state-sponsored cyber threats to critical infrastructure in broader joint advisories. In one such alert, the agency and its partners warn that Russian operators have targeted critical sectors using a mix of state-sponsored and criminal tools, reinforcing the idea that router exploitation is one component of a much broader threat landscape. While that advisory is not limited to TP-Link or MikroTik equipment, it underscores the strategic value Moscow places on gaining footholds in Western networks.

What remains uncertain

Several important details are absent from the public record. Neither the U.S. nor U.K. advisories specify how many routers have been compromised in this particular campaign, or what proportion of affected devices are TP-Link versus MikroTik. The NSA statement references a CVE tied to TP-Link exploitation, but the exact scope of affected firmware versions and model numbers has not been published in the materials reviewed. For MikroTik devices, the situation is even less clear: the NCSC advisory describes router compromise broadly without providing a device-specific breakdown for that brand.

The cited government documents do not include statements from TP-Link or MikroTik about patching timelines or which firmware builds are vulnerable. That gap matters because router owners typically need explicit vendor guidance to know whether their device requires an update or configuration change. Without that information, users are left relying on general best practices: changing default credentials, disabling remote (WAN-side) management interfaces when not needed, checking for firmware updates manually through the device administration page, replacing devices the vendor no longer supports, and verifying that the DNS servers the router hands out to clients are the ones the owner configured, since a change there is the signature of the technique described above.

Microsoft has also not released any public assessment in these advisories of how many Outlook accounts may have been affected by the credential harvesting. The government statements describe the technique and its targets but stop short of quantifying victim impact or naming specific organizations. Whether the stolen credentials were used for follow-on espionage, lateral movement into corporate networks, or data theft has not been disclosed in the reviewed materials, leaving the operational endgame largely inferred rather than documented.

There is also an open question about timing. The DOJ’s earlier botnet disruption targeted a previous GRU campaign, and the relationship between that operation and the current router-hijacking activity is not explicitly spelled out. It is possible the current warnings describe an evolution of the same capability, a parallel effort using similar tradecraft, or an entirely separate operation that happens to reuse some infrastructure patterns. The government statements do not clarify this sequence, and without that chronology, it is difficult to judge how quickly APT28 adapts when its tools and infrastructure are exposed.

Another unknown is how many compromised routers remain under adversary control today. The NCSC and NSA advisories provide indicators of compromise and configuration changes defenders should watch for, but they do not state whether law enforcement has attempted a new round of technical remediation similar to the earlier DOJ botnet case. That leaves open whether the current response is limited to warning and guidance or includes active disruption behind the scenes.

How to read the evidence

The strongest evidence in this case comes directly from government agencies with operational visibility into the threat. The NSA, FBI, NCSC, and DOJ are all primary sources, and their statements carry the weight of classified collection, incident response work, and, at least in the DOJ’s case, federal court oversight. When the NCSC publishes IP ranges associated with malicious DNS clusters and maps activity to specific MITRE ATT&CK techniques, that constitutes actionable technical intelligence, rather than speculative analysis. Network defenders can use those indicators immediately to scan logs, update blocklists, and hunt for adversary-in-the-middle behavior.

The DOJ’s earlier botnet takedown offers an additional layer of corroboration. By describing how investigators identified and neutralized GRU-controlled infrastructure, the department effectively validates the broader picture of Russian military intelligence leaning on compromised routers as a flexible platform. The court filings referenced in the DOJ release show that this is not just an attribution claim but a pattern of activity serious enough to justify intrusive but carefully constrained remediation measures on privately owned hardware.

At the same time, the gaps in public detail (especially around scale, specific device models, and victim impact) mean the picture is incomplete. Governments appear to be balancing the need to warn users and defenders against the risk of revealing too much about intelligence sources and methods. That trade-off is common in state-level cyber disclosures, and it explains why the advisories focus heavily on technical indicators and mitigation steps rather than narrative timelines or case studies.

For readers and security teams, the most reasonable interpretation is that GRU-linked operators are systematically exploiting poorly managed routers as entry points and relay nodes, and that this activity has been persistent enough to trigger multiple public warnings and at least one high-profile disruption. Even without exact numbers, the convergence of U.S. and U.K. reporting, the alignment of technical details, and the precedent of earlier operations together support a clear takeaway: keeping consumer and small-office routers patched, locked down, and monitored is now a front-line defense against state-sponsored credential theft.

*This article was researched with the help of AI, with human editors creating the final content.