Australia’s cyber security agencies, alongside partners from the Five Eyes intelligence alliance have issued a joint advisory warning organisations to improve the security of their routers and network edge devices in response to active targeting by Russian state-sponsored threat actors. The advisory, published by the Australian Signals Directorate’s Australian Cyber Security Centre, identifies the Russian General Staff’s Main Intelligence Directorate (GRU) Unit 26165, also tracked as APT28 or Fancy Bear, as the group responsible for the malicious activity. The campaign has been observed targeting routers across government, military, defence, transportation, and critical infrastructure sectors, with the threat actors exploiting both known vulnerabilities and weak configurations to gain persistent access to victim networks.
The advisory details that attackers are primarily leveraging poor router hygiene, including the use of default credentials, outdated firmware, and exposed management interfaces, to compromise devices and establish footholds within targeted networks. Once inside, the threat actors have been observed conducting reconnaissance, intercepting network traffic, and using compromised devices as anonymous relay points to further their operations. The advisory notes that small office and home office (SOHO) routers are of particular concern, as they are frequently overlooked in routine security maintenance and often lack the monitoring capabilities found in enterprise-grade equipment.
Organisations are being strongly urged to take immediate steps to harden their network infrastructure, including changing default credentials, disabling unnecessary remote management services, applying available firmware updates promptly, and monitoring for unusual outbound traffic. The agencies also recommend that network administrators audit their exposed attack surface and consider replacing end-of-life devices that are no longer receiving security patches.