Hackers connected to Russia’s military intelligence agency snuck into thousands of Internet routers used in homes and offices worldwide and secretly monitored e-mail traffic and website log-ons and passwords for months, authorities said.
Underscoring concern about the scope of the hack, which experts said was in use for much of late 2025, law enforcement agencies in several countries released simultaneous advisories this week, warning people to check settings on their own routers.
Russian hackers “compromised routers in the US and around the world, hijacking them to conduct espionage,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “Given the scale of this threat, sounding the alarm wasn’t enough.”
The effort was engineered by a group widely known as Advanced Persistent Threat 28, or Forest Blizzard, officials and industry experts said. The group has been linked by British, Dutch, and US authorities to Military Unit 26165 of the 85th Main Special Service Center of the GRU, Russia’s military intelligence agency.
The group was previously accused of hacking Democratic Party computers during the 2016 US presidential election campaign. US authorities later charged 12 Russians they identified as GRU officers with the intrusions.
According to US computer giant Microsoft, the Forest Blizzard hackers broke into 5,000 consumer devices at 200 organizations beginning in August 2025. They tweaked Domain Name System (DNS) settings on the routers, allowing them to collect and monitor any communications passing through.
“For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale,” Microsoft said.
Another research group called Lumen said the technique appeared earlier, in May 2025. At its peak, in December 2025, more than 18,000 devices in at least 120 countries had been hooked up to the GRU hackers’ infrastructure.
“These operations primarily targeted government agencies -- including ministries of foreign affairs, law enforcement, and third-party e-mail providers,” Lumen said.
British cyber authorities said the Forest Blizzard group was also behind a hack of Germany’s parliament in 2015, when some lawmakers’ e-mails were stolen, and an attempted hack against the Organization for the Prohibition of Chemical Weapons (OPCW) in 2018.
At the time, the OPCW was researching the chemicals used in the near-fatal poisoning of former Russian GRU officer Sergei Skripal and his daughter, in Salisbury, England. Officials later concluded a nerve agent called Novichok was used in the attack -- a chemical that had been developed by Soviet and Russian scientists.