The Security Service of Ukraine (SBU) has announced that, working in cooperation with the FBI and European Union law enforcement agencies, it has carried out an operation to dismantle a Russian espionage network that operated through hacked Wi-Fi routers. According to the SBU, the investigation uncovered numerous cases of compromised routers installed in Ukrainian offices and homes, as well as in the United States and the EU. It is alleged that the attacks were carried out by Russia’s military intelligence agency, the GRU.
According to the case files, the GRU targeted routers that did not comply with modern security protocols. After gaining access to the devices, the hackers redirected their traffic through a pre-established network of DNS servers. The devices were then used to collect passwords, authentication tokens, and other sensitive information, including emails. During the operation, more than 100 servers were blocked and hundreds of routers in Ukraine alone were removed from the control of the Russian intelligence service.
“The enemy intended to use the obtained data in cyberattacks, information sabotage, and for intelligence gathering. Of particular interest to Russian intelligence was correspondence between employees and military personnel of government agencies, units of the Ukrainian Defense Forces, and enterprises in the defense-industrial complex,” the SBU stated.
Meanwhile, the FBI stated that personnel from the 85th Main Special Service Center of the Russian Defense Ministry (Military Unit 26165), described as the GRU’s hacking division, have been collecting login credentials and exploiting router vulnerabilities worldwide since at least 2024. The FBI noted that this activity has been carried out by the hacking group APT28, also known as Fancy Bear and Forest Blizzard.
Last year, the United Kingdom accused APT28 of conducting a large-scale cyber operation aimed at tracking deliveries of Western aid to Ukraine. According to a joint report by the UK National Cyber Security Centre, U.S. intelligence agencies, and several European countries, GRU hackers gained access to more than 10,000 cameras located near military facilities, railway hubs, and border crossings.
In 2017, The Insider proved that the APT28 group included personnel from GRU Military Unit 26165. A year later, this was confirmed by the U.S. Department of Justice, which formally indicted the hackers. APT28’s most infamous operation was the 2016 hack of Democratic Party servers, carried out to help Donald Trump defeat Hillary Clinton in that year’s presidential election. Trump did not hide the fact that he had used information obtained through the hack for his own political purposes.
APT28 carried out cyberattacks against the White House and other targets in the United States, as well as against the foreign ministries of the Czech Republic, Poland, Germany, Italy, Latvia, Estonia, Ukraine, Norway, the Netherlands, and other countries, along with the defense ministries of Denmark, Italy, and Germany, plus the Bundestag, NATO, the OSCE, the IOC, WADA, the investigative team examining the downing of Malaysia Airlines Flight MH17, and several foreign media outlets, including TV5Monde and Al Jazeera. The same hackers also targeted dozens of Russian opposition figures, NGO members, and journalists, including staff of The Insider, as independently confirmed by four information security companies.

