The FBI, BND and BfV warn of attacks by Russian state hackers on TP-Link routers and WLAN extenders. The Fancy Bear group has infiltrated thousands of devices worldwide to steal sensitive data. In Germany, 30 affected devices have already been detected.
International agencies including the FBI, NSA, BND and BfV issued a joint warning on Monday evening. They attribute the attacks to the Fancy Bear group, also known as APT 28, linked to Russia's GRU military intelligence. The hacks target military, government and critical infrastructure data.
Since mid-March, German IT firms, restaurants and private individuals received confidential letters from the BfV. It stated: "A Russian state cyber actor is currently compromising TP-Link network devices." Affected parties were instructed on detecting and fixing infections. In Germany, experts confirmed compromises and are forensically examining devices.
Hackers have exploited a known vulnerability in TP-Link devices since 2024, fixable via firmware updates. Using DNS hijacking, they redirect web requests to controlled servers to steal passwords, emails and browsing histories. The UK's National Cyber Security Centre also reports attacks on MikroTik routers.
The BfV plans to act against APT 28. TP-Link, originally Chinese, faces scrutiny: Texas sued in February, and the US FCC recently banned imports for security reasons.
