APT28: Russian Military Hacks Consumer Routers to Harvest Credentials

A recent report reveals that the Russian military has compromised tens of thousands of consumer routers to harvest credentials from users worldwide.

The Russian military has been implicated in a widespread operation targeting home and small office routers, with the intent of stealing user credentials. Researchers from Lumen Technologies’ Black Lotus Labs estimate that between 18,000 and 40,000 consumer routers, primarily from MikroTik and TP-Link, have been compromised across 120 countries.

Scope of the Operation

This operation is linked to APT28, a sophisticated threat group associated with Russia’s military intelligence agency, the GRU. APT28 has a long history of cyber espionage, having targeted various governments and organizations globally for over two decades. The group is also known by several other names, including Pawn Storm and Sofacy Group.

Technical Methodology

The attackers targeted older router models still running firmware with known, unpatched vulnerabilities. Once in control of a router, they changed its DNS settings so that lookups for a chosen set of domains, including those used by Microsoft 365 services, resolved to attacker-controlled servers instead of the legitimate ones. Every device behind the router that relied on it for DNS was affected.

Traffic to those domains was then routed through adversary-in-the-middle (AitM) servers presenting self-signed certificates. Because the certificates were not issued by a trusted authority, browsers showed an untrusted-connection warning; users who clicked through it handed the attackers their session, including OAuth tokens and other credentials. Traffic to domains the attackers had not redirected was left alone.

Timeline of Events

The operation reportedly began on a limited scale in May 2025 and escalated sharply after Britain’s National Cyber Security Centre warned in August of a malware campaign targeting Microsoft Office credentials. After that alert, APT28 rapidly expanded its router hijacking: in the four weeks from December 12, Black Lotus Labs observed more than 290,000 unique IP addresses sending DNS requests to the malicious resolver.

Recommendations for Users

To check whether a router has been hijacked, compare the DNS servers configured on it (and the ones it hands out to clients) against what you expect: your ISP’s resolvers or a public resolver you chose yourself. Any unfamiliar address warrants investigation. Review the router’s event logs for configuration changes or administrative logins you did not make. Replace models that no longer receive firmware updates with ones that do, keep firmware current on the rest, and never click past a browser warning about an untrusted TLS certificate: in this campaign that warning was all that stood between the user and the attackers’ AitM server.
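A practitioner will want to run those two checks, an unfamiliar resolver on the router and an AitM server answering for login domains, rather than eyeball them. The script below is an added example written for this article, not Black Lotus Labs’ tooling or anything from the report. It sends a raw DNS query to the router’s resolver and to a trusted public resolver for each watched domain, flags the domain when the two answer sets have nothing in common, and then attempts a fully verified TLS handshake with the address the router returned, which fails against the kind of self-signed certificate described in the Technical Methodology section. The router address (192.168.1.1), the trusted resolvers, the watched domain and the sample packet built by build_response are assumptions for illustration.

```python
# Added example: compare a router's DNS answers for login domains with a trusted
# resolver's, then verify the TLS certificate at the router-supplied address.
import ipaddress
import socket
import ssl
import struct

ROUTER_RESOLVER = "192.168.1.1"                 # assumption: typical home router LAN address
TRUSTED_RESOLVERS = ("1.1.1.1", "9.9.9.9")      # assumption: public resolvers used as reference
WATCH_DOMAINS = ("login.microsoftonline.com",)   # assumption: domain worth watching


def build_query(name, txid=0x1234):
    """Build a minimal DNS A query in RFC 1035 wire format (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(name, ips, txid=0x1234):
    """Constructed sample response for offline use: one A record per address, with the
    answer name given as a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + build_query(name, txid)[12:] + answers


def _skip_name(buf, off):
    """Advance past a possibly compressed domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Return the set of IPv4 addresses in the answer section; empty on a non-zero RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    found = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.add(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return found


def query(resolver, name, timeout=3.0):
    """Send one UDP query straight to the given resolver, bypassing the OS stub resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def resolver_is_unfamiliar(resolver):
    """Flag a resolver that is neither on a private network nor a known public service.
    Add your ISP's resolvers to TRUSTED_RESOLVERS or they will be flagged as well."""
    return not (ipaddress.ip_address(resolver).is_private or resolver in TRUSTED_RESOLVERS)


def answers_diverge(router_answers, trusted_answers):
    """CDN-fronted domains legitimately rotate addresses, so only a fully disjoint
    answer set is treated as a hijack indicator."""
    return bool(router_answers) and bool(trusted_answers) and router_answers.isdisjoint(trusted_answers)


def cert_verifies(host, ip, timeout=5.0):
    """Connect to ip with SNI=host and full chain verification. A self-signed AitM
    certificate, or one for the wrong name, makes the handshake fail."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    print("router resolver unfamiliar:", resolver_is_unfamiliar(ROUTER_RESOLVER))
    for domain in WATCH_DOMAINS:
        via_router = query(ROUTER_RESOLVER, domain)
        via_trusted = set().union(*(query(r, domain) for r in TRUSTED_RESOLVERS))
        print(domain, "router:", sorted(via_router), "trusted:", sorted(via_trusted))
        if answers_diverge(via_router, via_trusted):
            print("  DIVERGENT ANSWERS: possible DNS hijack")
        for ip in sorted(via_router):
            print("  certificate verifies at", ip, ":", cert_verifies(domain, ip))
```

Run it from a machine behind the router. Microsoft’s login domains sit behind large CDNs and return many addresses, so partial overlap between the two answer sets is normal; only a disjoint set is flagged. If your router forwards to your ISP’s resolvers, add those to TRUSTED_RESOLVERS, otherwise resolver_is_unfamiliar will report them.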

APT28 has a documented history of targeting routers, including a significant malware campaign in 2018 that affected around 500,000 devices. This ongoing threat underscores the importance of maintaining updated security practices for consumer networking equipment.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.