APT28 Exploits Unpatched Routers in Global DNS Hijacking Campaign

Researchers from Lumen Technologies’ Black Lotus Labs reported on Tuesday that a Russian military intelligence group has commandeered thousands of consumer routers worldwide. The operation redirects users to malicious sites designed to capture passwords and credential tokens for espionage purposes.

Between 18,000 and 40,000 routers, primarily from manufacturers MikroTik and TP-Link, have been compromised across 120 countries. These devices were integrated into infrastructure controlled by APT28, an advanced persistent threat group affiliated with Russia’s GRU military intelligence agency.

APT28, also known as Pawn Storm, Sofacy Group, Sednit, Tsar Team, Forest Blizzard, and STRONTIUM, has been active for at least two decades. The group is responsible for numerous high-profile cyberattacks targeting governments globally.

In this campaign, a subset of routers served as proxies to access a larger network of devices belonging to foreign ministries, law enforcement agencies, and other government entities. APT28 aimed to spy on these targets by manipulating DNS settings on the compromised routers.

Microsoft confirmed that domains for its Microsoft 365 service were among the websites affected by the DNS lookup changes. When users visited these sites, their connections were routed through malicious servers before reaching the intended destinations, enabling credential harvesting.

Black Lotus researchers noted that Forest Blizzard, a moniker for APT28, combines advanced tools with established techniques. “Known for blending cutting-edge tools such as the large language model (LLM) ‘LAMEHUG’ with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders,” they wrote.

The report added, “Their previous and current campaigns highlight both their technological sophistication and their willingness to revisit classic attack methods even after public exposure, underscoring the ongoing risk posed by this actor to organizations worldwide.”

Attackers exploited older router models that had not received patches for known security vulnerabilities. After gaining control, they altered DNS configurations for specific domains and used the Dynamic Host Configuration Protocol to disseminate these changes to connected workstations.

This method allowed the threat group to proxy traffic through compromised routers, facilitating the interception of sensitive data. The operation demonstrates how unpatched consumer hardware can be leveraged for large-scale espionage activities.
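A defender checking for the DHCP-based propagation described above can inspect what resolvers a router actually hands out. The following is an added example, not code from the Black Lotus Labs report: it parses the options section of a DHCP OFFER/ACK message, extracts option 6 (Domain Name Server), and flags any resolver outside an allow-list. The sample packet, the allow-list and the rogue address (203.0.113.5, a documentation range) are constructed for the example; the function names are assumptions.

```python
"""Flag DHCP-advertised DNS servers that fall outside an expected set.

Added example (not from the report). A router that has had its DNS
settings altered pushes the new resolvers to LAN hosts through DHCP
option 6 in its OFFER/ACK messages, so comparing that option against
the resolvers you expect is a cheap check for this class of hijack.
"""
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_DNS_SERVERS = 6
OPT_MSG_TYPE = 53
OPT_END = 255
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for the TLV options after the magic cookie.

    A real message carries a fixed 236-byte BOOTP header before the cookie;
    locating the cookie lets this work on either a full message or the options
    section alone. Raises ValueError on a truncated or non-DHCP payload."""
    idx = payload.find(DHCP_MAGIC_COOKIE)
    if idx < 0:
        raise ValueError("not a DHCP message: magic cookie missing")
    i = idx + len(DHCP_MAGIC_COOKIE)
    options = {}
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def message_type(options: dict) -> str:
    """Human-readable DHCP message type from option 53."""
    raw = options.get(OPT_MSG_TYPE, b"")
    return MSG_TYPE_NAMES.get(raw[0], "UNKNOWN") if raw else "UNKNOWN"


def dns_servers_from_options(options: dict) -> list:
    """Decode option 6 into dotted-quad strings (one IPv4 address per 4 bytes)."""
    raw = options.get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4 != 0:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def find_rogue_resolvers(payload: bytes, allowed: list) -> list:
    """Return the advertised resolvers that are not inside any allowed network."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    servers = dns_servers_from_options(parse_dhcp_options(payload))
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in allowed_nets)]


def build_sample_offer(dns_servers: list) -> bytes:
    """Constructed DHCP OFFER for testing: zeroed BOOTP header + cookie + options."""
    header = b"\x02" + b"\x00" * 235          # op=BOOTREPLY, other fields zeroed
    opts = bytes([OPT_MSG_TYPE, 1, 2])         # option 53 = OFFER
    packed = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    opts += bytes([OPT_DNS_SERVERS, len(packed)]) + packed
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + opts


if __name__ == "__main__":
    # Constructed scenario: the router should only ever advertise itself
    # (192.168.1.1) as resolver, but the OFFER also carries 203.0.113.5.
    offer = build_sample_offer(["192.168.1.1", "203.0.113.5"])
    opts = parse_dhcp_options(offer)
    print("message type:", message_type(opts))
    print("advertised resolvers:", dns_servers_from_options(opts))
    print("outside allow-list:", find_rogue_resolvers(offer, ["192.168.1.0/24"]))
```

In practice the payload would come from a DHCP client log, a packet capture on the LAN, or a periodic DHCP DISCOVER sent from a monitoring host; the allow-list is whatever resolvers the site has intentionally configured. Any resolver the check reports deserves a look at the router's DNS configuration and its firmware patch level.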
