On Tuesday, Germany's Federal Office for the Protection of the Constitution (BfV) issued a new warning about cyber attacks against German companies, agencies and critical infrastructure by APT28 (Fancy Bear), a hacker group of Russian military intelligence (GRU). Specifically, the attacks exploited vulnerabilities in TP-Link routers, which were used to hijack the routers' DNS settings and then intercept communications. The agency said it has 30 confirmed cases of hacked routers in Germany and that thousands of TP-Link routers have been hacked globally.
The BfV coordinated its warning with Germany's foreign intelligence agency (BND) and the U.S. FBI, advising all federal employees and agencies to replace their routers immediately because of this continuing threat. Because APT28 continues to operate through command-and-control servers to maintain persistence for espionage within the compromised enterprise networks, the agency recommends that hardware in networks with confirmed infections be swapped out immediately, before the next planned operation against them.
APT28 has a long history of targeting German military and government systems, including the theft of 16,000 documents from the German Parliament in 2015, the 2024 hack of the SPD using a Microsoft Outlook security flaw (CVE-2023), and the disruption of air traffic control. Before the current campaign, APT28 used the CVE-2023-50224 vulnerability, found in both TP-Link and MikroTik routers, to establish a foothold within target networks.
Compromising low-cost routers lets attackers reach private networks without deploying malware directly onto hosts in those networks, thereby sidestepping endpoint detection. The BfV has also highlighted supply-chain risk in common consumer network hardware and recommended that enterprises use enterprise-grade products with ongoing firmware/application updates.
As the Ukraine conflict continues to worsen, escalating cyber tensions with NATO will bring greater scrutiny to German companies, which operate as one of Europe's main logistical hubs and supply 40% of the continent's military supplies.
All three Western sources (US: CISA, UK: NCSC, EU: ENISA) unanimously identify APT28 as state-sponsored. Risk mitigation for German companies includes patching firmware, increasing network segmentation, and improving behavioral analytics.
With the increased impact on business, cybersecurity companies listed on the DAX saw share prices rise 3% to 5% in intraday trading, and they are projected to receive more than $2.3 billion of investment from German companies by 2026. Finally, router manufacturers can expect liability exposure for their role in providing router products used in the SolarWinds incident.