04/08/2026 | Press release | Distributed by Public on 04/08/2026 00:53
The Finnish Security and Intelligence Service and the National Cyber Security Centre Finland at Traficom warn people in Finland about Russia's practice of exploiting poorly secured home routers and other network devices for cyber espionage.
An international joint operation by authorities has successfully disrupted cyber espionage activity by Russia's military intelligence service GRU by preventing the use of a global cyber espionage network made up of compromised network devices. From Finland, the Finnish Security and Intelligence Service (SUPO) and the National Cyber Security Centre Finland (NCSC-FI) at Traficom took part in the operation led by the United States Federal Bureau of Investigation (FBI).
A cyber threat actor linked to the GRU, also known as APT28, Fancy Bear and Forest Blizzard, has in recent years made extensive use of poorly secured home routers as part of its global cyber espionage infrastructure. The international joint operation targeted TP-Link routers compromised by the GRU that had not been patched against vulnerability CVE-2023-50224. This vulnerability allows an attacker to send a request to the device that reveals passwords or keys stored on it, thereby enabling the attacker to take control of the device.
The GRU has used compromised network devices to spy on device users by modifying the devices' domain name system (DNS) settings. This has enabled adversary-in-the-middle attacks and the decryption of encrypted network traffic. Compromised network devices have also been used as part of an operational security (OPSEC) infrastructure, which both disguises cyber espionage traffic as ordinary network traffic and makes it more difficult to detect, identify and trace the perpetrator. The GRU's interests have included non-disclosable information relating to military activities, central government and critical infrastructure.
In Finland, SUPO and the NCSC-FI worked together to counter cyber threats targeting Finland and carried out via Finland. During the joint operation, the authorities informed the owners of at-risk routers, cleaned devices that the GRU had the capability to compromise and blocked the GRU's access to the devices in cooperation with their owners. However, Russian intelligence services pose a continuous and long-term intelligence and cyber threat to Finland, and disabling a single network of compromised devices does not remove the threat.
The authorities warn that Russia is using poorly secured internet-connected network devices worldwide to gather intelligence. The purpose of the warning is to encourage device owners and cybersecurity professionals to reduce the opportunities for online espionage through their own actions.
A poorly secured router can, without the owner's knowledge, enable cyber espionage or other malicious activity. Everyone in Finland can improve network security by taking care of their own network devices. Devices, applications and software should be kept up to date and updates should be installed regularly. When home network devices are current, updated and supported by the manufacturer, the risk of them being used in cyberattacks is significantly reduced.
Further information on how to secure your own devices is available on the NCSC-FI website:
The FBI published a joint warning by the authorities on 7 April 2026:
Technical information on APT28's activities:
Enquiries
SUPO communications, tel. +358 50 402 6981
Traficom media service, tel. +358 29 534 5648