
Researchers from Lumen Technologies’ Black Lotus Labs disclosed on Tuesday that APT28, an advanced persistent threat group associated with Russia’s military intelligence agency, the GRU, has orchestrated a large-scale campaign compromising consumer routers. This operation involves redirecting unwitting users to malicious sites designed to harvest passwords and credential tokens for espionage purposes.
Between 18,000 and 40,000 routers, primarily manufactured by MikroTik and TP-Link, have been co-opted across 120 countries. These devices were integrated into infrastructure controlled by APT28, a group with a documented history spanning at least two decades and involvement in numerous high-profile government-targeted hacks globally.
APT28 is also monitored under aliases such as Pawn Storm, Sofacy Group, Sednit, Tsar Team, Forest Blizzard, and STRONTIUM. In this campaign, the group employed a subset of routers as proxies to establish connections with a broader network of routers belonging to foreign ministries, law enforcement agencies, and other governmental entities under surveillance.
By manipulating DNS settings on compromised routers, APT28 altered lookups for specific websites, including domains associated with Microsoft’s 365 service, as confirmed by Microsoft. This redirection enabled the group to intercept and proxy traffic through malicious servers before it reached legitimate destinations, facilitating credential theft.
Black Lotus Labs researchers noted that Forest Blizzard, a tracking name for APT28, demonstrates a blend of advanced tools and established techniques. They highlighted the group’s use of the large language model ‘LAMEHUG’ alongside traditional methods, emphasizing its adaptability and persistence in evading defensive measures despite public exposure of past campaigns.
The attack leveraged older router models that remained unpatched against known security vulnerabilities. After gaining control, the attackers modified the routers' DNS configuration for the targeted domains and used the Dynamic Host Configuration Protocol (DHCP) to push the altered DNS server settings to connected workstations, so that every client behind a compromised router was affected.
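One defender-side check for the DHCP angle described above, as an added example that is not from the article or from Black Lotus Labs: it parses the DNS servers a router handed out via DHCP (assuming an ISC dhclient lease file, with a constructed sample embedded) and flags any resolver outside an allowlist, and it compares the DHCP-assigned resolver's answer for a name against an answer from a trusted out-of-band resolver (both answers supplied by the caller).

```python
import re
from typing import Iterable

# Constructed sample of an ISC dhclient lease file (assumption: the
# workstation uses dhclient). The newer, second lease advertises a resolver
# outside the LAN, which is what a hijacked router would push via DHCP.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.88.20;
  option domain-name-servers 192.168.88.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.88.20;
  option domain-name-servers 192.168.88.1, 203.0.113.7;
}
"""

LEASE_RE = re.compile(r"option domain-name-servers\s+([^;]+);")


def dhcp_dns_servers(lease_text: str) -> list[str]:
    """DNS servers from the most recent lease; dhclient appends, so last wins."""
    matches = LEASE_RE.findall(lease_text)
    if not matches:
        return []
    return [s.strip() for s in matches[-1].split(",") if s.strip()]


def unexpected_resolvers(servers: Iterable[str], allowlist: Iterable[str]) -> list[str]:
    """Resolvers the router advertised that are not on the defender's allowlist."""
    allowed = set(allowlist)
    return [s for s in servers if s not in allowed]


def resolution_mismatch(local_answer: Iterable[str], trusted_answer: Iterable[str]) -> bool:
    """True when the answer from the DHCP-assigned resolver shares no address
    with a trusted out-of-band resolver's answer for the same name. CDN-hosted
    domains legitimately vary by resolver, so treat a mismatch as a signal to
    investigate, not as proof of hijack."""
    return not (set(local_answer) & set(trusted_answer))


if __name__ == "__main__":
    servers = dhcp_dns_servers(SAMPLE_LEASES)
    print("DHCP-assigned resolvers:", servers)
    print("unexpected:", unexpected_resolvers(servers, ["192.168.88.1"]))
```

On a real host, read `/var/lib/dhcp/dhclient.leases` instead of the embedded sample, and feed `resolution_mismatch` with answers for the domains your organisation actually signs in to.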
This incident underscores the ongoing global risk posed by APT28, with researchers warning that the group’s technological sophistication and reliance on proven attack vectors continue to threaten organizations worldwide, reinforcing the need for robust security updates and monitoring.