The Russian military-linked threat group APT28 has again targeted home and small-office routers, compromising an estimated 18,000 to 40,000 devices across 120 countries.
Black Lotus Labs of Lumen Technologies reported that most affected devices were MikroTik and TP-Link models that had reached end-of-life and were never patched against known, already-disclosed vulnerabilities. The routers were folded into infrastructure controlled by APT28, which used them to proxy traffic and to hijack DNS lookups for a select set of sites, including domains used by Microsoft 365.
The operation combined well-worn and newer techniques: a small number of compromised devices acted as proxies through which the group reached a larger pool of routers belonging to foreign ministries, law enforcement, and other government agencies it was targeting.
To hijack traffic, the attackers exploited outdated firmware to gain control of the router, changed its DNS settings to point at attacker-controlled resolvers, and let DHCP push those resolver addresses to every workstation behind the router. Because only selected domains were answered falsely, general connectivity kept working, but when users visited the affected domains their connections were routed through attacker-controlled servers, allowing credentials and tokens to be stolen during authentication flows.
Researchers urge users to verify the DNS resolvers configured on their routers and handed out via DHCP, replace end-of-life routers with supported devices, and apply available patches. The findings highlight the ongoing risk that APT28 and similar groups pose to governments and critical infrastructure worldwide.
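The following script is an added example of the "verify DNS settings" check, written for this article and not part of the Black Lotus Labs report or any vendor tooling. It covers the two symptoms the article describes: a rogue resolver pushed to workstations through DHCP (read from the dhclient lease file and from resolv.conf) and a hijacked answer for a Microsoft 365 login domain (checked against the address prefixes the service publisher documents for its own infrastructure). The allowlisted resolver addresses, the expected prefixes, and the sample lease, resolv.conf and DNS answers are all constructed placeholders using RFC 5737 documentation ranges; in practice the prefixes come from the publisher's published endpoint list and the resolvers from your own network policy.

```python
import ipaddress
import re
import socket

# Assumed allowlist of resolvers this network is expected to hand out
# (constructed placeholders; replace with your own policy).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Assumed stand-ins for the address ranges the service publisher documents
# for its login infrastructure (constructed; use the vendor's published list).
EXPECTED_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Domains worth probing: the login endpoints a credential-stealing proxy
# would need to intercept (assumed for this example).
PROBE_DOMAINS = ["login.microsoftonline.com"]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.M)
DHCP_DNS_RE = re.compile(r"option domain-name-servers\s+([^;]+);")


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return NAMESERVER_RE.findall(text)


def resolvers_from_dhclient_lease(text):
    """Return the DNS servers from the most recent lease in a dhclient.leases body.

    dhclient appends one 'lease { ... }' block per lease, so the last match is
    the one currently in effect.
    """
    matches = DHCP_DNS_RE.findall(text)
    if not matches:
        return []
    return [s.strip() for s in matches[-1].split(",")]


def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are not on the allowlist."""
    return [r for r in resolvers if r not in expected]


def addresses_outside_prefixes(addrs, prefixes=EXPECTED_PREFIXES):
    """Answer addresses that fall outside the publisher's documented ranges."""
    return [a for a in addrs
            if not any(ipaddress.ip_address(a) in p for p in prefixes)]


def assess(resolv_conf_text, lease_text, answers_by_domain):
    """Combine both checks into a list of human-readable findings.

    answers_by_domain maps a domain to the A records the resolver in use
    returned for it.
    """
    findings = []
    sources = (("resolv.conf", resolvers_from_resolv_conf(resolv_conf_text)),
               ("dhclient lease", resolvers_from_dhclient_lease(lease_text)))
    for src, servers in sources:
        for r in unexpected_resolvers(servers):
            findings.append(f"{src}: resolver {r} not in allowlist")
    for domain, addrs in answers_by_domain.items():
        for a in addresses_outside_prefixes(addrs):
            findings.append(f"{domain} resolved to {a}, outside the publisher's prefixes")
    return findings


def live_answers(domains):
    """Resolve domains through the system resolver (needs network; not used offline)."""
    out = {}
    for d in domains:
        try:
            out[d] = sorted({ai[4][0] for ai in socket.getaddrinfo(d, 443, socket.AF_INET)})
        except socket.gaierror:
            out[d] = []
    return out


# Constructed sample inputs: a DHCP lease and resolv.conf that carry one
# allowlisted resolver and one rogue resolver, plus a login-domain answer
# that points at the rogue host instead of the publisher's ranges.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.0.2.53
nameserver 192.0.2.250
"""
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.0.2.100;
  option domain-name-servers 192.0.2.53,192.0.2.250;
  option routers 192.0.2.1;
}
"""
SAMPLE_ANSWERS = {"login.microsoftonline.com": ["198.51.100.10", "192.0.2.250"]}


if __name__ == "__main__":
    for line in assess(SAMPLE_RESOLV_CONF, SAMPLE_LEASE, SAMPLE_ANSWERS):
        print(line)
```

Two caveats follow from the article itself. First, the hijack applied only to selected domains, so a quick "does DNS work" test against an unrelated name proves nothing; the answer check has to target the login domains the attacker cares about. Second, an attacker who controls the router can also intercept plaintext DNS in transit, so an allowlisted resolver address is necessary but not sufficient; the prefix check on the returned addresses catches the case where the resolver address looks right but the answer does not.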