Russian military hacked 18,000 to 40,000 consumer routers across 120 countries to intercept credentials
Lumen Technologies researchers disclosed that APT28, a GRU-linked threat group, exploited end-of-life routers made by MikroTik and TP-Link to redirect users to credential-harvesting sites, escalating operations after public disclosure of a related malware campaign.
- Russian military intelligence group APT28 compromised between 18,000 and 40,000 consumer routers primarily from MikroTik and TP-Link across 120 countries.
- Attackers exploited unpatched routers to modify DNS settings and intercept traffic to Microsoft 365 and other authentication services, capturing OAuth tokens and credentials after users completed multi-factor authentication.
- The operation escalated dramatically in August 2025 following public disclosure of a related credential-stealing campaign, with over 290,000 distinct IP addresses observed querying malicious DNS resolvers in a four-week period starting December 12.
- Black Lotus Labs researchers attributed the campaign to APT28, also known as Forest Blizzard, which has targeted government ministries and law enforcement agencies worldwide for espionage.
- Users can check DNS settings for unrecognized servers and should replace aging routers with devices receiving regular security patches to mitigate risk.
Researchers at Lumen Technologies' Black Lotus Labs reported that between 18,000 and 40,000 consumer routers, predominantly MikroTik and TP-Link models, were compromised by APT28, a Russian military intelligence division known as the GRU. The campaign affected devices across 120 countries and relied on exploiting unpatched security vulnerabilities in end-of-life hardware.
The attack methodology combined DNS hijacking with man-in-the-middle interception. Once attackers gained router access, they reconfigured DNS settings for targeted domains including Microsoft 365 authentication endpoints, then propagated these malicious settings to connected devices via DHCP. Users visiting compromised domains encountered self-signed certificate warnings; those who clicked through had their traffic proxied through attacker-controlled servers that captured authentication tokens and credentials—including those generated after multi-factor authentication completion.
The campaign's timeline shows tactical responsiveness to security disclosures. Initial compromises began in May 2025 at limited scale. When the UK's National Cyber Security Centre publicly documented a related malware operation in August 2025, APT28 rapidly shifted tactics, scaling the router hijacking campaign substantially. Black Lotus observed over 290,000 distinct IP addresses querying the group's malicious DNS resolvers during a single four-week window in December 2025.
APT28, tracked under multiple aliases including Forest Blizzard, Pawn Storm, Sofacy Group, and STRONTIUM, has targeted foreign ministries and law enforcement networks through this infrastructure. Researchers noted the group employed the large language model tool 'LAMEHUG' alongside traditional attack techniques, demonstrating operational continuity despite public exposure of earlier campaigns.
The incident echoes APT28's prior router compromises: a 2018 operation infected approximately 500,000 devices, primarily in the US, with VPNFilter malware, and another campaign was intercepted by the US Justice Department in 2024. Mitigation requires users to verify DNS settings for unrecognized servers, inspect logs for unauthorized DNS configuration changes, and prioritize replacement of aging routers with devices receiving regular firmware updates.
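As an added example that is not from the Lumen report or this article, the script below implements the two client-side checks the mitigation advice calls for: flag DNS servers in resolv.conf or the DHCP lease that are not on an allowlist, and flag a target domain whose system-resolver answers share nothing with a trusted resolver's. The allowlist, file contents and IP addresses are all constructed for the demo (TEST-NET ranges stand in for real hosts).

```python
import ipaddress
# Hypothetical allowlist: LAN gateway plus the resolvers this network should use.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
# Constructed resolv.conf and dhclient lease text: a rogue resolver (203.0.113.5,
# TEST-NET-3) has been handed out via DHCP ahead of the gateway.
SAMPLE_RESOLV = "# Generated by NetworkManager\nnameserver 203.0.113.5\nnameserver 192.168.1.1\n"
SAMPLE_LEASE = ("lease {\n  interface \"eth0\";\n  option routers 192.168.1.1;\n"
                "  option domain-name-servers 203.0.113.5, 192.168.1.1;\n}\n")

def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver IPs from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def parse_dhcp_lease_dns(text: str) -> list[str]:
    """Return DHCP option 6 (domain-name-servers) from dhclient lease text."""
    servers = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("option domain-name-servers "):
            servers += [s.strip() for s in line.split(None, 2)[2].split(",")]
    return servers

def unrecognized_resolvers(servers, expected=EXPECTED_RESOLVERS) -> list[str]:
    """Resolvers outside the allowlist; malformed entries are flagged too."""
    def known(s):
        try:
            return str(ipaddress.ip_address(s)) in expected
        except ValueError:
            return False
    return [s for s in servers if not known(s)]

def answers_disagree(system_answers, trusted_answers) -> bool:
    """True when the system resolver's A records for a target domain share nothing
    with a trusted resolver's (CDN rotation gives partial overlap; a hijack gives none)."""
    return not set(system_answers) & set(trusted_answers)

def audit(resolv_text, lease_text, system_answers, trusted_answers) -> list[str]:
    """Run all checks and return human-readable findings."""
    sources = (("resolv.conf", parse_resolv_conf(resolv_text)),
               ("DHCP lease", parse_dhcp_lease_dns(lease_text)))
    findings = [f"{src}: unrecognized DNS server {s}"
                for src, servers in sources for s in unrecognized_resolvers(servers)]
    if answers_disagree(system_answers, trusted_answers):
        findings.append("system resolver answers disagree with trusted resolver")
    return findings
```

In practice the two answer lists come from resolving the same login domain once through the system resolver and once through a resolver reached over an encrypted transport, so a router-pushed resolver cannot tamper with the reference answer.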