www.malwarebytes.com 4/8/2026, 1:51:02 PM · via preferred

UK warns Russian hackers hijack home routers for spying

Primary Source microsoft.com

British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office routers in a broad cyber espionage campaign, with the activity described in a Malwarebytes article dated 8 April 2026. The group, referred to as APT28 and also known as Fancy Bear, BlueDelta, and Forest Blizzard, changes DNS settings on affected devices so that traffic is routed through servers it controls, enabling surveillance.

An FBI public service announcement says APT28 has harvested passwords, authentication tokens, and sensitive information including emails and SSL/TLS‑encrypted web browsing data, underscoring the broad reach of the operation. The NCSC advisory singles out a TP-Link WR841N router model with a vulnerability that can expose usernames and passwords via specially crafted HTTP GET requests, though many other TP-Link models are also listed as targets.

Microsoft Threat Intelligence indicates more than 200 organisations and 5,000 consumer devices were impacted by Forest Blizzard’s malicious DNS infrastructure. The piece also notes the wider router ban debate in the US and argues that the security of devices—regardless of origin—matters, as weak defaults and poor update support keep them attractive to attackers.


Article by CyberSIXT