Adversary Intelligence — 2026-04-09
Fifteen-Nation Investigation Exposes GRU Unit 26165 Global Router Exploitation Campaign
A coalition of 15 nations, including the U.S., UK, Ukraine, Poland, Germany, and Romania, published findings on a GRU Unit 26165 (APT28/Fancy Bear) campaign that compromised vulnerable routers worldwide to steal passwords, authentication tokens, and encrypted data by redirecting internet traffic through DNS servers acting as intermediaries. Active since at least 2024, the operation targeted military personnel, state bodies, and defense contractors, with Romania reporting collection of military, governmental, and critical infrastructure intelligence. The campaign defeated SSL/TLS encryption protections, enabling interception of emails and credentials at scale.
The 15-nation coordinated disclosure is itself an intelligence operation; attributing GRU activities at this scale requires sharing classified collection across allied services. The DNS hijacking technique, using compromised SOHO routers, circumvents end-to-end encryption, a capability particularly valuable against Ukrainian military communications using commercial internet infrastructure. Romania's specific reporting of military and government data collection confirms NATO-member targeting.
Sources: Euronews · The Record