# Russian State-Linked APT28 Weaponizes Thousands of SOHO Routers in Massive DNS Hijacking Campaign


A sophisticated cyber espionage operation attributed to Russia's military intelligence has compromised tens of thousands of small office/home office (SOHO) routers worldwide, converting them into malicious infrastructure to redirect internet traffic and enable large-scale surveillance. The campaign, linked to APT28 (also known as Forest Blizzard, Fancy Bear, and STRONTIUM), represents a significant escalation in the group's use of compromised consumer-grade networking equipment for geopolitical espionage purposes.


Security researchers first detected the campaign in May 2025, but evidence suggests the infrastructure modifications have been ongoing for months, with the attacker establishing a resilient network of compromised devices across multiple continents. The targeting of ubiquitous MikroTik and TP-Link routers—commonly deployed in small businesses, residential networks, and branch offices—exposes a critical vulnerability in how organizations and individuals secure their perimeter defenses.


## The Threat: How SOHO Routers Became Espionage Tools


APT28 has compromised thousands of MikroTik RouterOS and TP-Link networking devices by exploiting weak default credentials, unpatched vulnerabilities, and exposed management interfaces. Once inside a router's administrative panel, the threat actor modified DNS settings and firewall rules to redirect targeted traffic through attacker-controlled servers.


The campaign operates with surgical precision:


  • DNS Hijacking: Routers were reconfigured to point specific domains (primarily government, defense, and technology sector targets) to malicious IP addresses controlled by APT28
  • Traffic Interception: Legitimate user requests to these domains are intercepted and redirected to fake login pages or information-gathering infrastructure
  • Credential Harvesting: Users unknowingly submit credentials to phishing pages hosted on attacker infrastructure
  • Session Hijacking: In some cases, encrypted traffic is intercepted through man-in-the-middle (MITM) techniques using forged SSL certificates

The genius of this approach lies in its scale and persistence. Rather than targeting individual computers or compromising centralized services, APT28 weaponized the gateway devices that sit between networks and the internet—devices often overlooked in security audits because they're considered "infrastructure" rather than endpoints.


## Background and Context: APT28's Evolution


APT28 has been operational since at least 2007 and is widely attributed to Russia's GRU (Main Directorate of the General Staff). The group is known for high-profile operations including:


  • The 2016 Democratic National Committee (DNC) breach
  • The NotPetya attack (2017)
  • Attacks on the 2016 and 2020 U.S. presidential campaigns
  • Sustained targeting of NATO and allied defense sectors

The group's tactics have consistently evolved to maximize impact while reducing attribution risk. The shift toward weaponizing SOHO routers—devices that are numerous, often overlooked, and globally distributed—represents a new phase in their infrastructure strategy. Rather than maintaining expensive command-and-control (C2) servers in known data centers, APT28 now operates through a distributed botnet of legitimate (albeit compromised) networking devices.


### Why SOHO Routers Are Attractive Targets


Ubiquity and Neglect: Millions of small businesses and remote offices rely on consumer-grade routers with minimal security oversight.


Default Vulnerabilities: Many SOHO routers are deployed with unchanged default credentials (admin/admin being the most common).


Unpatched Infrastructure: Unlike computers and phones, routers often go months or years without security updates, leaving known vulnerabilities exploitable.


Network Position: Routers sit at the network edge, providing a privileged position to monitor and manipulate all traffic flowing in and out of a network.


Deniability: Compromised routers appear to be legitimate network infrastructure, making attribution difficult and cleanup complicated.


## Technical Details: The Exploitation Chain


### Initial Compromise


The primary attack vector involves exposure of router management interfaces to the internet. Shodan and similar databases reveal thousands of accessible MikroTik and TP-Link devices with weak authentication:


  • Default credentials (admin/admin or empty passwords)
  • HTTP access to management interfaces (unencrypted)
  • UPnP-enabled remote access features
  • Known vulnerabilities in RouterOS versions prior to 6.48.3 and 7.x versions before 7.1.5

### Router Modification


Once authenticated, APT28's operators installed modified DNS configurations and firewall rules:


    [Target Domain A] → [Attacker IP 1]
    [Target Domain B] → [Attacker IP 2]
    [Target Domain C] → [Attacker IP 3]

The modifications are persistent: they survive reboots and even firmware updates, suggesting the attacker modified both the router's running configuration and its persistent storage.
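The static-override pattern above is exactly what a defender should look for when carrying out the "verify DNS settings" step in the recommendations below. The script that follows is an added example written for this page, not code from the article or from MikroTik: it parses a configuration dump written in the style of a RouterOS `/export` of the `/ip dns` tree and flags the indicators the article describes (upstream resolvers that are not the approved ones, the router answering DNS for remote clients, static entries that pin monitored domains to arbitrary addresses, and several domains fanning in to one address). The export text, the domain names, the approved-resolver list and every IP address are constructed placeholders from documentation ranges; adapt `ALLOWED_UPSTREAMS` and `MONITORED_SUFFIXES` to your own environment.

```python
"""Audit a RouterOS-style DNS export for hijack indicators.

Added example for this page; not the article's or MikroTik's code.
SAMPLE_EXPORT is constructed to mimic the `/ip dns` part of a RouterOS
`/export`; names and addresses are placeholders.
"""
import shlex

# Constructed sample of what an operator might paste from `/export`.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.7
/ip dns static
add address=192.168.88.1 name=router.lan
add address=203.0.113.9 name=portal.example-ministry.gov
add address=203.0.113.9 name=mail.example-defence.mil
add address=198.51.100.20 name=cdn.example-news.com
"""

# Assumed defender inputs (adjust per site): the resolvers this router is
# supposed to forward to, the suffixes whose resolution must never be
# overridden locally, and the suffixes that legitimately live in static entries.
ALLOWED_UPSTREAMS = {"192.0.2.53", "192.0.2.54"}
MONITORED_SUFFIXES = (".gov", ".mil", "example-tech.com")
LOCAL_SUFFIXES = (".lan", ".local", ".internal")


def parse_export(text):
    """Yield (section, verb, {key: value}) for every add/set line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # e.g. "/ip dns static"
            section = line
            continue
        verb, *pairs = shlex.split(line)  # shlex keeps quoted values intact
        kv = dict(p.split("=", 1) for p in pairs if "=" in p)
        yield section, verb, kv


def is_monitored(name):
    return name.endswith(MONITORED_SUFFIXES)


def is_local(name):
    return name.endswith(LOCAL_SUFFIXES)


def audit_dns_export(text):
    """Return a list of (severity, message) findings for the export text."""
    findings = []
    static_by_ip = {}
    for section, verb, kv in parse_export(text):
        if section == "/ip dns" and verb == "set":
            if kv.get("allow-remote-requests") == "yes":
                findings.append(("medium", "router answers DNS for remote clients (open resolver exposure)"))
            for srv in kv.get("servers", "").split(","):
                if srv and srv not in ALLOWED_UPSTREAMS:
                    findings.append(("high", f"upstream resolver {srv} is not an approved resolver"))
        elif section == "/ip dns static" and verb == "add":
            name, addr = kv.get("name", ""), kv.get("address", "")
            if not name or not addr:
                continue
            static_by_ip.setdefault(addr, []).append(name)
            if is_monitored(name):
                findings.append(("critical", f"static override: {name} -> {addr}"))
            elif not is_local(name):
                findings.append(("medium", f"unexpected static entry for non-local name: {name} -> {addr}"))
    # Several monitored names collapsing onto one address is the fan-in
    # pattern the article describes (many target domains, few attacker IPs).
    for addr, names in static_by_ip.items():
        monitored = [n for n in names if is_monitored(n)]
        if len(monitored) > 1:
            findings.append(("critical", f"{addr} hosts {len(monitored)} overridden domains: {', '.join(monitored)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_dns_export(SAMPLE_EXPORT):
        print(f"[{sev.upper()}] {msg}")
```

Run it against a real export only after reviewing the suffix lists: a site that legitimately pins internal names in static DNS should add those suffixes to `LOCAL_SUFFIXES`, otherwise every such entry is reported as a medium finding. A clean export (approved upstream, no remote requests, only local static names) produces no findings.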


### Traffic Redirection


Users attempting to reach legitimate government, defense, and technology sector websites instead receive HTTP 302 redirects or DNS CNAME records pointing to attacker infrastructure hosted on compromised cloud accounts and bulletproof hosting providers.


### Credential and Intelligence Collection


Victims who accessed the phishing infrastructure unknowingly submitted credentials that APT28 used to:

  • Access organizational networks
  • Steal classified or sensitive documents
  • Establish persistent backdoors on government and corporate networks
  • Map network topology and security posture

## Implications: The Scope of Compromise


### For Organizations


  • Perimeter Compromise: Any organization using a compromised router for internet connectivity has potentially lost network integrity and confidentiality
  • Supply Chain Risk: Affected organizations may have inadvertently served as stepping stones to higher-value targets
  • Credential Risk: Employees who accessed internal systems through compromised routers may have had their credentials stolen
  • Regulatory Impact: Organizations handling regulated data (healthcare, finance, government) face potential breach notification requirements

### For Individuals


  • Privacy Loss: Home networks using compromised routers had all internet activity monitored and potentially intercepted
  • Identity Theft Risk: Credential harvesting attacks exposed personal banking and email credentials
  • Ransomware Risk: Some compromise chains included installation of ransomware families, though the primary focus was espionage

## Recommendations: Immediate and Long-Term Actions


### Immediate Actions (Next 7 Days)


| Action | Owner | Deadline |
|--------|-------|----------|
| Check router exposure on Shodan/Censys | IT Security | Day 1 |
| Access router admin panel and verify DNS settings | Network Team | Day 2 |
| Factory reset router if compromise suspected | Network Team | Day 3 |
| Change default credentials to strong passwords | Network Team | Day 3 |
| Review router logs for suspicious activity (if available) | Security Operations | Day 5 |
| Assume credential compromise for users on affected networks | Identity & Access | Day 5 |


### Short-Term Actions (30 Days)


  • Firmware Updates: Apply latest security patches from MikroTik and TP-Link immediately
  • Network Segmentation: Isolate compromised routers and re-establish connectivity through clean devices
  • Credential Rotation: Reset all credentials for users who accessed organizational systems through affected networks
  • DNS Monitoring: Implement DNS filtering and monitoring to detect future hijacking attempts
  • Firewall Hardening: Restrict router management interface access to authorized IP addresses only
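The "DNS Monitoring" item above is the runtime counterpart of auditing the router's configuration: compare what clients behind the router are actually being told against what a trusted resolver, queried from outside the suspect network (for example over DoH), returns for the same names. The script below is an added example written for this page, not from the article or any vendor. It reads constructed resolver log lines in a simple whitespace-separated format (timestamp, client, name, record type, answer), compares A/AAAA answers for monitored names against a baseline of trusted answers, and also flags CNAME answers that point into a foreign zone, which is the redirection form the "Traffic Redirection" section mentions. The log lines, the baseline and all addresses are constructed placeholders from documentation ranges; a real deployment would build the baseline from live out-of-band queries and use the Public Suffix List rather than the two-label `registrable()` shortcut used here.

```python
"""Detect DNS hijacking from resolver logs against a trusted baseline.

Added example for this page; not the article's code. SAMPLE_LOG and
TRUSTED_BASELINE are constructed; adapt parse_log() to your resolver's
real log format and fill the baseline from an out-of-band resolver.
"""
from collections import defaultdict

# Constructed log: timestamp, client IP, queried name, record type, answer.
SAMPLE_LOG = """\
2025-05-14T09:12:03Z 192.168.88.23 portal.example-ministry.gov A 198.51.100.10
2025-05-14T09:12:41Z 192.168.88.23 portal.example-ministry.gov A 203.0.113.9
2025-05-14T09:13:05Z 192.168.88.41 mail.example-defence.mil A 203.0.113.9
2025-05-14T09:13:30Z 192.168.88.41 sso.example-tech.com CNAME login-example-tech.cdn-cache.example
2025-05-14T09:14:02Z 192.168.88.52 www.example-news.com A 198.51.100.77
"""

# Constructed baseline: answers a trusted resolver outside the suspect
# network returned for the monitored names (placeholder addresses).
TRUSTED_BASELINE = {
    "portal.example-ministry.gov": {"198.51.100.10", "198.51.100.11"},
    "mail.example-defence.mil": {"198.51.100.25"},
    "sso.example-tech.com": {"198.51.100.40"},
}


def registrable(name):
    """Crude same-organisation check: the last two DNS labels.

    Hypothetical shortcut for the example; use the Public Suffix List in
    production so that names like example.co.uk are handled correctly.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_log(text):
    """Yield normalised (ts, client, qname, qtype, rdata) tuples."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed or blank lines
        ts, client, qname, qtype, rdata = parts
        yield ts, client, qname.lower().rstrip("."), qtype.upper(), rdata.lower().rstrip(".")


def detect_hijacks(log_text, baseline=TRUSTED_BASELINE):
    """Return (findings, victims).

    findings: list of (severity, timestamp, client, message)
    victims:  dict client -> set of monitored names that client received bad answers for
    """
    findings = []
    victims = defaultdict(set)
    for ts, client, qname, qtype, rdata in parse_log(log_text):
        expected = baseline.get(qname)
        if expected is None:
            continue                      # not a monitored name
        if qtype in ("A", "AAAA") and rdata not in expected:
            findings.append(("critical", ts, client,
                             f"{qname} resolved to {rdata}, trusted answers are {sorted(expected)}"))
            victims[client].add(qname)
        elif qtype == "CNAME" and registrable(rdata) != registrable(qname):
            findings.append(("high", ts, client, f"{qname} CNAME points into foreign zone {rdata}"))
            victims[client].add(qname)
    return findings, dict(victims)


if __name__ == "__main__":
    found, hit = detect_hijacks(SAMPLE_LOG)
    for sev, ts, client, msg in found:
        print(f"[{sev.upper()}] {ts} {client}: {msg}")
    print("clients needing credential review:", sorted(hit))
```

The `victims` map feeds directly into the "assume credential compromise for users on affected networks" step: every client that received a hijacked answer for a monitored name is a candidate for forced credential rotation, and the first timestamp per client bounds how long the exposure lasted.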

### Long-Term Strategies


Defense-in-Depth Networking:

  • Deploy a dedicated security appliance or next-generation firewall in addition to (or in front of) SOHO routers
  • Implement DNS-level filtering and threat intelligence integration
  • Enable DNS over HTTPS (DoH) and DNS over TLS (DoT) to bypass DNS hijacking

Zero Trust Architecture:

  • Assume routers and network infrastructure are compromised
  • Implement end-to-end encryption for sensitive traffic
  • Use VPN or proxy services for accessing sensitive resources, even on internal networks

Continuous Monitoring:

  • Deploy network detection and response (NDR) solutions to detect suspicious traffic patterns
  • Monitor for outbound connections to known APT28 infrastructure
  • Implement certificate pinning for critical organizational endpoints

---


This campaign underscores a critical gap in organizational security: the assumption that network infrastructure is less important than endpoint protection. APT28's weaponization of thousands of SOHO routers demonstrates that defenders must expand their security perimeter to include all network-connected devices—no matter how "basic" they appear.


Organizations should treat router security with the same rigor applied to firewalls and intrusion prevention systems. The cost of remediation from a single compromised router can reach millions of dollars when breach investigation, credential replacement, and regulatory penalties are factored in.