Home routers used as surveillance tools: Microsoft and British experts reveal architecture of large-scale hacking campaign

Microsoft, together with the UK’s National Cyber Security Centre (NCSC), has published a detailed technical analysis of a cyber operation linked to Russian military intelligence. The activity had previously been identified by the Security Service of Ukraine (SBU), the FBI, and EU law enforcement agencies, but the new findings provide a deeper look into the structure and methods of the infrastructure behind the attacks.

Compromise through consumer routers

At the core of the campaign were SOHO devices — home and office Wi-Fi routers that often remain unpatched and operate with default security settings. These devices represented the most vulnerable entry point, with widely used models such as TP-Link among those affected.

After gaining access to the routers, attackers modified network configurations, primarily DNS settings. This allowed them to reroute internet traffic through infrastructure under their control and covertly monitor data flows.

Data interception via traffic manipulation

By altering the routers' DNS settings, the attackers turned the compromised devices into intermediary nodes for data transmission. As a result, a significant portion of user internet traffic was routed through attacker-controlled infrastructure.

This approach enabled the interception of sensitive information, including login credentials, authentication tokens, and other access data. At the same time, the connection appeared normal to users, making detection significantly more difficult.
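Two defender-side checks that follow from this technique, written as an added example rather than anything from the Microsoft/NCSC report: first, compare the resolvers a LAN client received from its router against the LAN range and an allow-list of expected upstream resolvers; second, compare answers from the configured resolver with answers from an independent resolver reached over a path that does not cross the router. All addresses, hostnames and answer sets below are constructed from documentation ranges; the allow-list and the sample domains are assumptions.

```python
import ipaddress
import re

# Constructed sample input (not from the report): the resolver list a LAN client
# received from its router via DHCP, in resolv.conf format. 203.0.113.7 is a
# documentation-range placeholder standing in for an unexpected resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 192.168.1.1
nameserver 203.0.113.7
search home.lan
"""

# Constructed A-record answers: from the resolver the router handed out, and
# from an independent resolver queried over a path that bypasses the router.
SAMPLE_CONFIGURED = {"login.example.com": {"203.0.113.7"},
                     "mail.example.net": {"203.0.113.7"},
                     "cdn.example.org": {"198.51.100.20"}}
SAMPLE_TRUSTED = {"login.example.com": {"198.51.100.10"},
                  "mail.example.net": {"198.51.100.11"},
                  "cdn.example.org": {"198.51.100.20"}}

def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses listed in resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.M)

def unexpected_resolvers(servers, lan_cidr, allowed_upstreams):
    """Flag resolvers that are neither on the LAN (the router itself) nor in the
    allow-list of upstream resolvers the network is expected to use."""
    lan = ipaddress.ip_network(lan_cidr)
    allowed = {ipaddress.ip_address(a) for a in allowed_upstreams}
    return [s for s in servers
            if ipaddress.ip_address(s) not in lan
            and ipaddress.ip_address(s) not in allowed]

def divergent_answers(configured, trusted):
    """Return (names whose answers differ, addresses shared by several rewritten
    names). Unrelated services all resolving to one address only through the
    router-assigned resolver is the footprint of a relay that funnels logins
    for different sites to the same interception host."""
    differing = sorted(n for n in configured if configured[n] != trusted.get(n))
    seen = {}
    for name in differing:
        for addr in configured[name]:
            seen.setdefault(addr, set()).add(name)
    shared = {a for a, names in seen.items() if len(names) > 1}
    return differing, shared
```

On a real network, feed `unexpected_resolvers` the LAN range and upstreams configured on the router, and obtain the two answer sets with separate lookups (one via the router, one via a mobile connection or a DNS-over-HTTPS client) before calling `divergent_answers`.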

Technical profile of the infrastructure

Analysis of the server-side setup revealed recurring technical indicators suggesting a centralized command structure:

  • SSH access over TCP port 56777 with dnsmasq DNS service version 2.85 on UDP port 53
  • SSH access over TCP port 35681 with the same DNS component

Some nodes lacked DNS services entirely, indicating a separation of roles within the network — with certain servers used for control and others for traffic relaying and processing.

Routers as a masking layer

Compromised devices were used not only for interception but also as intermediary proxy nodes. This helped conceal the true origin of the attacks and distribute network load across multiple points.

In effect, the infected routers formed a distributed obfuscation layer through which both user traffic and command-and-control data were routed.

Scale and operational logic

According to researchers, the campaign was large-scale in nature. It began with widespread compromise of available devices, after which the infrastructure was used to identify and prioritize targets.

Potential targets included government institutions, military organizations, and defense sector enterprises.

Cybersecurity recommendations

Experts recommend regularly updating router firmware, setting strong and unique administrative passwords, and disabling remote access when not required.

If a device is no longer supported by the manufacturer and no longer receives security updates, it is considered vulnerable, and replacement is advised.
