Router hijacks and AI ransomware
Russian state‑sponsored actors are hijacking home and small‑office routers to monitor traffic, steal passwords and gain deeper network access. At the same time, AI‑enhanced ransomware campaigns are increasingly targeting schools and state systems, blurring the line between espionage and operational disruption. (x.com) (x.com)
A home router is the traffic cop for every laptop, phone and work login on a network. On April 7, the Justice Department said Russian military hackers had turned that device into a spying tool in homes and small offices. (justice.gov)
The Justice Department and the Federal Bureau of Investigation said a court-authorized operation disrupted the United States portion of a network of small-office and home-office routers compromised by Main Intelligence Directorate unit 26165, also known as Fancy Bear and APT28. The agency said the unit had exploited known vulnerabilities and stolen credentials to compromise thousands of TP-Link routers worldwide since at least 2024. (justice.gov)
According to the Justice Department, the hackers changed router settings so that internet address lookups, known as Domain Name System requests, flowed to servers they controlled. For selected targets, those servers answered with fake records for services including Microsoft Outlook Web Access, so that connections went to addresses the operators chose. That let the operators capture passwords, authentication tokens and email traffic from devices on the same network. (justice.gov)
The National Security Agency said the same campaign hit a broad pool of victims in the United States and abroad, with particular interest in military, government and critical infrastructure information. It urged users to change default passwords, disable internet-exposed remote management, install current firmware and replace devices that no longer receive security updates. (nsa.gov)
The router case lands as ransomware crews are hitting schools and government systems that often run with thin information technology staffs and old equipment. Ransomware is malicious software that encrypts files and locks systems until a victim pays. The Cybersecurity and Infrastructure Security Agency says kindergarten through 12th grade schools face “potentially catastrophic impacts,” and its guidance tells districts to prioritize multifactor authentication, tested backups and patching known flaws. (cisa.gov)
In its March 2026 review of incidents from 2025, Google’s threat intelligence team said 77 percent of the ransomware intrusions it analyzed involved suspected data theft, and about 43 percent targeted virtualization systems that can knock out many servers at once. (cloud.google.com)
Federal alerts show how often education and government sit in that blast zone. A November 2023 joint advisory on Rhysida said the group hit “targets of opportunity” in education and government, and a March 2025 advisory on Medusa said the operation had affected more than 300 victims across critical infrastructure sectors, including education, by February 2025. (cisa.gov 1) (cisa.gov 2)
Artificial intelligence is changing the front end of these attacks more than the back end. Google said in February 2026 that state-backed actors from Russia, China, Iran and North Korea were using large language models for technical research, target profiling and faster phishing messages, while Microsoft’s 2025 defense report said attackers were moving with “the speed of AI.” (cloud.google.com) (microsoft.com)
The result is a messier boundary between spying and disruption. The same stolen password can be used to read a mailbox, move deeper into a state network or hand access to a ransomware affiliate that encrypts school payroll, attendance or emergency notification systems. (justice.gov) (cloud.google.com)
The Federal Bureau of Investigation has been warning for months that Russian actors are still going after network gear itself, not just the computers behind it. In an August 20, 2025 alert, it said actors tied to the Federal Security Service had collected configuration files from thousands of networking devices linked to United States critical infrastructure and, in some cases, changed those files to keep unauthorized access. (fbi.gov)
That leaves one mundane device at the center of two threats at once: the router on the shelf and the school server in the back office.
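For the router half of that picture, the following is an added example, not code from the Justice Department, the NSA or any cited advisory, of how an administrator could check for the DNS redirection the Justice Department described: the router's upstream DNS servers are compared against the resolvers the site expects, and answers obtained through the router are compared against answers from an independent resolver and against the address ranges a sensitive service is known to use. All resolver addresses, hostnames, address ranges and the sample answers are constructed for illustration (RFC 5737 documentation space), not real data.

```python
"""Added example: two checks for router-level DNS hijacking.

Signal 1: the router's configured upstream DNS servers are not the ones the
          site expects (the setting the operators changed, per the DOJ account).
Signal 2: answers for a sensitive hostname obtained via the router disagree with
          an independent resolver, or fall outside the service's known ranges.
Every address, name and range here is hypothetical sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DnsAnswer:
    resolver: str  # resolver that returned the record (LAN router or reference)
    qname: str     # hostname queried
    rdata: str     # IPv4 address from the A record


# Hypothetical: upstream resolvers the site expects the router to use.
TRUSTED_UPSTREAMS: Set[str] = {"192.0.2.53"}

# Hypothetical: address ranges the mail service legitimately answers from.
EXPECTED_RANGES: Dict[str, List[str]] = {"owa.example.com": ["203.0.113.0/24"]}


def check_upstream(configured: Iterable[str],
                   trusted: Set[str] = TRUSTED_UPSTREAMS) -> List[str]:
    """Signal 1: flag every upstream DNS server not in the trusted set."""
    return [f"upstream DNS server {s} is not in the trusted set"
            for s in configured if s not in trusted]


def compare_answers(answers: Iterable[DnsAnswer], lan_resolver: str,
                    reference_resolver: str,
                    expected: Dict[str, List[str]] = EXPECTED_RANGES) -> List[str]:
    """Signal 2: disagreement with the reference resolver, or out-of-range answers."""
    findings: List[str] = []
    by_key: Dict[tuple, Set[str]] = {}
    for a in answers:
        by_key.setdefault((a.resolver, a.qname), set()).add(a.rdata)
    for qname in sorted({k[1] for k in by_key}):
        lan = by_key.get((lan_resolver, qname), set())
        ref = by_key.get((reference_resolver, qname), set())
        # No overlap at all between the two answer sets is the hijack signature;
        # partial overlap is normal for round-robin or CDN-backed names.
        if lan and ref and lan.isdisjoint(ref):
            findings.append(f"{qname}: LAN resolver answers {sorted(lan)} "
                            f"disagree with reference {sorted(ref)}")
        nets = [ipaddress.ip_network(n) for n in expected.get(qname, [])]
        for addr in sorted(lan):
            if nets and not any(ipaddress.ip_address(addr) in n for n in nets):
                findings.append(f"{qname}: {addr} from LAN resolver is outside "
                                f"expected ranges")
    return findings


def audit(upstreams: Iterable[str], answers: Iterable[DnsAnswer],
          lan_resolver: str, reference_resolver: str) -> List[str]:
    """Run both signals and return all findings (empty list means clean)."""
    return check_upstream(upstreams) + compare_answers(
        answers, lan_resolver, reference_resolver)


# Constructed sample: the router (192.168.1.1) was repointed at an attacker
# upstream and hands back a bogus address for the webmail host, while the
# reference resolver returns the real one; an unrelated name is consistent.
SAMPLE_UPSTREAMS = ["198.51.100.200"]
SAMPLE_ANSWERS = [
    DnsAnswer("192.168.1.1", "owa.example.com", "198.51.100.77"),
    DnsAnswer("192.0.2.53", "owa.example.com", "203.0.113.10"),
    DnsAnswer("192.168.1.1", "www.example.net", "203.0.113.200"),
    DnsAnswer("192.0.2.53", "www.example.net", "203.0.113.200"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_UPSTREAMS, SAMPLE_ANSWERS, "192.168.1.1", "192.0.2.53"):
        print("FINDING:", line)
```

One caveat when using this for real: a compromised router can also intercept plain port 53 queries sent to the reference resolver and answer them itself, so the reference lookups should be made over an encrypted channel (DNS over HTTPS or TLS) or from a device outside the suspect network, and the upstream list should be read from the router's own configuration rather than from what clients receive over DHCP.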
Federal guidance in both cases comes down to the same basics — patch exposed systems, turn on multifactor authentication, keep offline backups and replace aging hardware before an intruder turns it into someone else’s foothold. (nsa.gov) (cisa.gov)