Russian State‑Linked APT28 Hijacks Global SOHO Routers for DNS Redirection Campaign
What Happened – APT28 (aka Forest Blizzard) has been operating a large‑scale campaign since May 2025 that compromises insecure MikroTik and TP‑Link SOHO routers, rewrites their DNS settings, and repurposes them as malicious infrastructure for cyber‑espionage.
Why It Matters for TPRM –
- Compromised routers become a persistent foothold for nation‑state actors, exposing any downstream services that rely on them.
- DNS hijacking can silently redirect traffic, facilitating credential theft, data exfiltration, or supply‑chain manipulation.
- The affected devices are widely deployed across multiple sectors, expanding the attack surface of any organization that sources networking hardware from these vendors.
Who Is Affected – Enterprises and public‑sector entities using MikroTik or TP‑Link SOHO routers, especially those with lax configuration hygiene; vendors that integrate these devices into managed services.
Recommended Actions –
- Inventory all MikroTik and TP‑Link routers in your environment and verify firmware versions.
- Enforce strong, unique admin credentials and disable remote management interfaces.
- Apply vendor‑issued firmware patches; if unavailable, consider replacing vulnerable units.
- Monitor DNS traffic for anomalous resolution patterns and implement DNSSEC where possible.
Technical Notes – The threat leverages default credentials and known firmware vulnerabilities (e.g., CVE‑2024‑XXXXX for MikroTik, CVE‑2024‑YYYYY for TP‑Link) to gain admin access, then modifies DNS resolver entries to point to attacker‑controlled name servers. The compromised routers act as low‑cost, globally distributed DNS proxies, enabling large‑scale traffic redirection without raising immediate alarms. Source: The Hacker News