An international investigation revealed how Russia’s GRU cyber unit, known as "Fancy Bear," managed to steal sensitive information from governments and the military using badly protected routers.
Russian military hackers stole sensitive information from governments, militaries and critical infrastructure, “exploiting vulnerable routers worldwide,” the FBI revealed on Wednesday following a major international investigation.
The US Department of Justice, together with international partners, exposed the large-scale operation, with the Russian hacking group Fancy Bear identified as the culprit.
The hackers, part of Russia's GRU military intelligence agency and known as GRU Unit 26165, redirected internet traffic through ill-protected routers to steal passwords and encrypted data, according to a joint statement.
Ukraine’s security service SBU, which also participated in the investigation, explained that after “compromising” vulnerable internet devices, the Russian hackers redirected their traffic through a pre-deployed network of DNS servers.
“This way, they acted as ‘intermediaries’ in the online space to collect passwords, authentication tokens and other sensitive information, including emails, which under normal circumstances are protected by SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptographic protocols,” SBU said.
SBU said the GRU operatives planned to use the obtained information to “carry out cyberattacks, information sabotage and the collection of intelligence.”
According to the SBU statement, Russian special services paid particular attention to information exchanged by employees and military personnel of state bodies, units of the Ukrainian army and enterprises within the defence-industrial complex.
The FBI stated that the GRU has “indiscriminately compromised a wide pool of US and global victims and then filtered down impacted users, especially targeting information related to military, government, and critical infrastructure.”
The investigation revealed that the group has been using this technique to acquire data since at least 2024.
Romania, one of the countries participating in the operation, said the GRU cyber operatives “were collecting military, governmental, and critical infrastructure-related information,” according to President Nicușor Dan.
“Russia therefore continues its hybrid war against Western countries - only those acting in bad faith could fail to see this,” Dan said in a post on X.
Intelligence and law enforcement services in the US, UK, Ukraine, Poland, Germany, Italy, Canada, the Czech Republic, Slovakia, Denmark, Finland, Norway, Romania, Portugal and the Baltic States were all involved in the investigation.
What is 'Fancy Bear'?
The group has been identified as Russian GRU 85th Main Special Service Centre (85th GTsSS) cyber actors, also known as APT28, Fancy Bear, Tsar Team and Forest Blizzard.
A notorious cyber espionage group within Russia's military intelligence agency, it has been active since at least 2004, while some sources claim Unit 26165 — a designation typical for Russian army units — was first formed in Soviet times in the 1970s.
It is unclear how many members the group has, but US authorities and journalistic investigations have previously revealed evidence that the unit was given state funding and extensive resources by the Kremlin.
Authorities believe Fancy Bear was behind the 2015 hacks of Germany's Bundestag, the French channel TV5Monde, and several US banks including Bank of America.
It was also found to be the main actor in other cyberattacks targeting Ukraine, NATO, OSCE, and defence contractors such as Academi (formerly known as Blackwater), Boeing, Lockheed Martin and others.
Western governments and security experts also blamed Fancy Bear for an attack on the Democratic National Committee ahead of the 2016 US elections.
Also in 2016, Fancy Bear hackers stole athletes’ medical data from the World Anti-Doping Agency or WADA.
They then leaked personal information they had obtained about some of the world’s most famous athletes, including Venus and Serena Williams.