Officials believe the hacking group used the stolen data to conduct cyberattacks, information sabotage and intelligence gathering, and that it focused on military, government and critical infrastructure targets.
“The Russians tried their best to cover all vulnerable routers, while redirecting requests only to domains they were interested in. For example, *.gov.ua, or with names corresponding to Microsoft Outlook, military systems,” said a law enforcement official taking part in the joint operation, granted anonymity to disclose more details.
Ukraine’s SBU said “the Russian special services paid special attention to information exchanged between employees and servicemen of state bodies, units of the Ukrainian Defense Forces and enterprises of the defense-industrial complex.”
Agencies tied the campaign to hacking group Fancy Bear (also known as APT28 and Forest Blizzard), which has previously been identified by Western officials as part of the Russian military intelligence service GRU.
Hackers have exploited weaknesses in routers since at least 2024, including in popular TP-Link routers. By hacking the routers, they were able to snoop on data exchanges from mobile devices and laptops and bypass encryption protocols, security services said.