Germany’s domestic intelligence service has identified a widespread Russian cyber espionage operation that compromised thousands of home Wi-Fi routers across Europe, including dozens on German soil, in an attempt to harvest military and government secrets.
Router vulnerabilities exploited for data harvesting
The Federal Office for the Protection of the Constitution (BfV) stated that hackers linked to Russian military intelligence targeted several thousand TP-Link routers in multiple countries, with approximately 30 devices affected within Germany. The attackers exploited security weaknesses in older internet routing equipment to gain access to sensitive information, including defence-related data and details about critical national infrastructure. By infiltrating these devices, the operatives sought to redirect internet traffic through controlled networks, enabling the interception of passwords, authentication tokens, and other confidential material.
State-sponsored hacking group behind attacks
The cyber campaign has been attributed to the advanced persistent threat group known as APT28 or Fancy Bear, which Western intelligence agencies have long associated with Russia’s military intelligence directorate (GRU). The involvement of this specific group indicates a state-sanctioned operation rather than isolated criminal activity. Officials at the German domestic intelligence agency noted that this pattern represents an escalation in Moscow’s hybrid warfare tactics against European nations supporting Ukraine.
Expansion of hybrid warfare tactics
Security analysts view these router compromises as part of a broader Russian strategy to transfer cyber warfare methods developed during the conflict in Ukraine to European territory. The objective appears to be undermining trust in digital infrastructure and creating an atmosphere of persistent vulnerability within EU member states. Similar router hijacking operations were documented in March by security services in Ukraine, the United States, and EU countries, where compromised devices were used to harvest credentials for targeted phishing campaigns against government and corporate entities.
Historical pattern of Russian cyber operations
This incident follows multiple previous accusations against APT28 by German authorities, including cyber attacks targeting the Bundestag, air traffic control systems, and political party websites. Since Russia’s full-scale invasion of Ukraine in February 2022, such operations have increased in frequency and sophistication across Europe. The current campaign demonstrates how cyberspace has become a primary battlefield where Moscow seeks strategic advantage without direct military confrontation, aiming to destabilise democratic institutions and erode public confidence.
Security recommendations and international coordination
German security officials have urged citizens and organisations to implement basic protective measures, including regularly updating router firmware, using complex passwords with two-factor authentication, and monitoring for suspicious network activity. At the governmental level, European nations are being called on to deepen intelligence coordination between EU and NATO members, as collective response mechanisms are considered essential for rapidly detecting and neutralising such sophisticated threats. The enduring nature of these cyber campaigns suggests they will remain a persistent challenge for Western democracies.