Russia-linked hackers hijack routers to steal passwords, UK says



Russian government-linked hackers are compromising popular internet routers to steal passwords for email accounts and other online services, the UK’s National Cyber Security Centre has warned.

The hackers, a group known as APT28, are associated with Russia’s GRU military intelligence agency, according to research published Tuesday by the UK.

British cyber officials said they have observed the alleged Russian intruders targeting routers manufactured by companies such as MikroTik and TP-Link. Attackers obtain access to the routers and modify their settings so that they redirect outgoing internet traffic through servers that they control. MikroTik and TP-Link didn’t immediately respond to requests for comment.

Such attacks put victims at risk of credential theft, data manipulation and broader compromise, according to the alert, which also published guidance on how to mitigate the risks of an intrusion.

Paul Chichester, the centre’s director of operations, said the malicious activity demonstrated that vulnerabilities in commonly used routers could be leveraged by sophisticated hostile actors. 

Lumen Technologies’ Black Lotus Labs also published research on Tuesday on APT28’s router-hijacking campaign.

The researchers said they had identified thousands of potential victims from at least 120 countries communicating with the hackers’ infrastructure. “These operations primarily targeted government agencies – including ministries of foreign affairs, law enforcement and third-party email providers,” the researchers said in a report reviewed by Bloomberg News.

The vulnerability of internet routers to attack has become a focus of increasing concern internationally. 

Last month, the US Federal Communications Commission banned the sale of new foreign-made consumer-grade internet routers, saying that they constituted a “supply-chain vulnerability” and could pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons.” – Bloomberg

 

 
