The Russian military, through the GRU's advanced threat group APT28, is actively hacking thousands of consumer routers worldwide. Researchers from Lumen Technologies' Black Lotus Labs report that an estimated 18,000 to 40,000 routers, primarily MikroTik and TP-Link models across 120 countries, have been compromised.

These routers are being integrated into APT28's infrastructure to serve as proxies for espionage campaigns. The group targets foreign ministries, law enforcement, and government agencies, manipulating DNS lookups for critical websites, including Microsoft 365 domains.

APT28, also known as Forest Blizzard, blends sophisticated tools like the LLM 'LAMEHUG' with classic attack methods. The group exploits unpatched vulnerabilities in older router models to alter DNS settings, redirecting traffic through malicious servers. This tactic allows them to intercept passwords and credential tokens for intelligence gathering.
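A defensive check for the DNS manipulation described above, as an added example that is not from the researchers or the original article: it compares answers from the resolver a router hands out against an allowlist of expected networks and against an independently reached reference resolver. The domains, address ranges, and field names are constructed placeholders.

```python
import ipaddress

# Constructed allowlist: networks each watched sign-in domain should resolve
# into (documentation ranges stand in for the provider's published ranges).
EXPECTED_NETS = {
    "login.example.com": ["198.51.100.0/24"],
    "mail.example.com": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Constructed observations: "router" holds answers from the resolver the
# router advertises, "reference" holds answers from a resolver reached
# independently of the router's DNS settings.
OBSERVATIONS = [
    {"domain": "login.example.com", "router": ["192.0.2.77"], "reference": ["198.51.100.10"]},
    {"domain": "mail.example.com", "router": ["203.0.113.5"], "reference": ["198.51.100.20"]},
    {"domain": "mail.example.com", "router": [], "reference": ["198.51.100.20"]},
    {"domain": "news.example.org", "router": ["192.0.2.1"], "reference": ["192.0.2.9"]},
]


def in_expected(domain, addr):
    """True if addr falls inside one of the domain's expected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in EXPECTED_NETS[domain])


def classify(obs):
    """Classify one observation for a possibly tampered resolver."""
    domain = obs["domain"]
    if domain not in EXPECTED_NETS:
        return "unwatched"
    if not obs["router"]:
        return "no-answer"  # a blocked or dropped lookup also deserves a look
    if all(in_expected(domain, a) for a in obs["router"]):
        return "ok"  # a different IP than the reference is normal for CDNs
    # The router path returned an off-allowlist address. If the reference
    # resolver stays on the allowlist, the router's answer is the outlier.
    if any(in_expected(domain, a) for a in obs["reference"]):
        return "suspect"
    return "allowlist-stale"  # both paths disagree with the list: refresh it


def audit(observations):
    """Return (domain, verdict) pairs that need an analyst's attention."""
    verdicts = [(o["domain"], classify(o)) for o in observations]
    return [v for v in verdicts if v[1] not in ("ok", "unwatched")]


if __name__ == "__main__":
    for domain, verdict in audit(OBSERVATIONS):
        print(f"{domain}: {verdict}")
```

Matching on expected networks rather than exact addresses keeps ordinary CDN and geo-DNS variation from raising alerts.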