An international law enforcement operation has disrupted a cyber espionage network linked to Russia's military intelligence service. The operation was led by the American Federal Bureau of Investigation (FBI) and carried out in cooperation with the Finnish Security and Intelligence Service (Suojelupoliisi, SUPO) and the Cybersecurity Centre at the Finnish Transport and Communications Agency (Traficom). The Finnish Security and Intelligence Service announced the operation in a press release.
The operation targeted a global network of hijacked internet-connected devices, primarily home routers, which are alleged to have been used in espionage activities. According to the authorities, a cyber actor linked to the Russian military intelligence service GRU (Glavnoye Razvedyvatelnoye Upravleniye) exploited poorly secured routers to collect information and conceal its traffic.
Certain routers manufactured by TP-Link are reported to have been particularly vulnerable. Through a known security flaw, attackers were able to gain access to stored login credentials and subsequently take control of the devices.
"A GRU-affiliated cyber threat actor, also known by the names APT28, Fancy Bear, and Forest Blizzard, has in recent years specifically exploited poorly secured home routers as part of its global cyber espionage infrastructure. This vulnerability allows the attacker to expose stored login credentials through an information request and exploit them by hijacking the device for the attacker's use," the Finnish Security and Intelligence Service writes in the press release.
Once a router had been hijacked, it could be used to redirect internet traffic and carry out so-called man-in-the-middle attacks. In this way, attackers can in certain cases intercept or manipulate data traffic. The devices can also be used as intermediaries in larger cyber operations, making the activity more difficult to detect and trace.
According to the authorities, the activity has been directed, among other things, at information connected to military operations, government administration, and critical infrastructure.
The Finnish Security and Intelligence Service and the Cybersecurity Centre state that they identified at-risk routers in Finland, informed their owners, and took measures to prevent continued access. At the same time, the authorities emphasise that the threat from Russian intelligence and cyber activity is long-term.
"During the joint operation, the authorities informed the owners of the at-risk routers, cleaned the devices that the GRU had the capability to access, and prevented the GRU from gaining access to the devices in cooperation with their owners. The Russian intelligence services nonetheless constitute a continuous and long-term intelligence and cyber threat against Finland, and the dismantling of a single device network does not eliminate the threat," the Finnish Security and Intelligence Service writes in the press release.
The authorities also urge private individuals to improve the security of their home networks, for example by updating routers and using strong passwords. This can reduce the risk of equipment being exploited in cyber attacks or espionage.

