Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

APT28's Latest Operation: Hijacking Home and Small Office Routers for Espionage


APT28 has been found to be hijacking thousands of consumer routers in 120 countries, targeting unsuspecting users with espionage campaigns. The attackers exploited vulnerabilities in older router models to gain control over these devices and intercept sensitive information. To avoid falling victim to this attack, it is crucial to stay informed about the latest security threats and take necessary precautions such as replacing end-of-life routers and being cautious when encountering browser warnings.

  • APT28, an advanced threat group affiliated with Russia's GRU, hijacked thousands of consumer routers in 120 countries to intercept sensitive information.
  • The attack targeted mostly older router models with known security vulnerabilities.
  • The attackers exploited vulnerabilities to gain control over the routers and collect authentication credentials such as OAuth tokens.
  • APT28 set up a proxy service that operated as an "adversary-in-the-middle" server, capturing and exfiltrating sensitive information.
  • Users are advised to review their DNS settings, replace end-of-life routers with secure ones, and never click through browser warnings about untrusted TLS certificates.



In its latest move, APT28, an advanced threat group affiliated with Russia's military intelligence agency known as the GRU, has been observed hijacking thousands of consumer routers in 120 countries to intercept sensitive information from unsuspecting users. The attack, which began in May 2025 and continued through December 2025, targeted mostly older router models that had not been patched against known security vulnerabilities.

The attackers exploited these vulnerabilities to gain control over the routers, allowing them to change DNS settings for select domains and propagate the changes to workstations on the same network via Dynamic Host Configuration Protocol (DHCP). This setup enabled the attackers to intercept traffic destined for specific websites, including those used by Microsoft Office, and collect authentication credentials such as OAuth tokens.

To achieve these goals, APT28 set up a proxy service that operated as an "adversary-in-the-middle" server. These servers presented self-signed certificates; unsuspecting users often click through the browser warnings those certificates trigger. Once the attackers captured the traffic, they could access and exfiltrate sensitive information such as authentication tokens and login credentials.

The methodology employed by APT28 was not entirely novel, but its sophistication and scope were significant. According to researchers from Lumen Technologies' Black Lotus Labs, the threat group consistently evolves its tactics to stay ahead of defenders. This is evident in its use of cutting-edge tools such as large language models alongside tried-and-true techniques.

The operation began on a limited number of devices but rapidly expanded: over a four-week period, hundreds of thousands of distinct IP addresses were sending DNS requests to the malicious APT28 DNS resolver. This sudden shift in tactics suggests that once one capability was disclosed, the group immediately shifted to another to continue acquiring authentication material.

To avoid falling victim to this attack, users are advised to review their current DNS settings for unrecognized servers and to check event logs for unauthorized changes. It is also recommended that people consider replacing end-of-life routers with ones that receive regular security updates, as older models were the attackers' primary targets.

Furthermore, it is essential never to click through browser warnings about untrusted TLS certificates, as the adversary-in-the-middle servers behind such warnings capture all traffic passing through them and can use it for malicious purposes. The incident serves as a stark reminder of the ongoing threat posed by APT28 and other advanced persistent threats (APTs) worldwide.
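
As an added illustration (not code from the article or from Black Lotus Labs), the two checks the advice above asks for, in Python: flag configured nameservers outside an expected range, and flag monitored domains whose LAN-resolver answers both disagree with a trusted out-of-band resolver and collapse onto one shared address, the pattern a single proxy fronting "select domains" produces. All addresses and domain names below are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def unexpected_nameservers(resolv_conf: str, allowed_cidrs: list[str]) -> list[str]:
    """Return 'nameserver' entries that fall outside the expected resolver ranges."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    unexpected = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addr = ip_address(parts[1])
            if not any(addr in net for net in allowed):
                unexpected.append(parts[1])
    return unexpected


def hijacked_domains(local: dict[str, set[str]], trusted: dict[str, set[str]],
                     min_collapse: int = 2) -> list[str]:
    """Flag domains whose LAN answers share nothing with the trusted resolver AND
    land on an address that also answers for other monitored domains. A bare
    mismatch is not enough: CDN-hosted domains legitimately differ by resolver."""
    domains_per_addr: dict[str, set[str]] = defaultdict(set)
    for domain, addrs in local.items():
        for addr in addrs:
            domains_per_addr[addr].add(domain)
    flagged = []
    for domain, addrs in local.items():
        disjoint = addrs.isdisjoint(trusted.get(domain, set()))
        collapsed = any(len(domains_per_addr[a]) >= min_collapse for a in addrs)
        if disjoint and collapsed:
            flagged.append(domain)
    return sorted(flagged)


# Constructed sample (RFC 5737 / benchmark ranges, not real answers): one address
# answers for two unrelated sign-in domains; a CDN site merely differs by resolver.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.168.1.1\nnameserver 198.51.100.7\n"
LOCAL_ANSWERS = {
    "login.example-sso.test": {"203.0.113.10"},
    "mail.example-sso.test": {"203.0.113.10"},
    "cdn.example-news.test": {"192.0.2.40"},
}
TRUSTED_ANSWERS = {
    "login.example-sso.test": {"198.18.0.5", "198.18.0.6"},
    "mail.example-sso.test": {"198.18.0.9"},
    "cdn.example-news.test": {"192.0.2.41"},
}

if __name__ == "__main__":
    print(unexpected_nameservers(SAMPLE_RESOLV_CONF, ["192.168.0.0/16"]))
    print(hijacked_domains(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

The trusted answers would in practice come from a resolver reached over a channel the router cannot rewrite (for example DNS over HTTPS to a known operator); a hit from either check is a trigger to inspect the router and the DHCP-issued DNS option, not proof on its own.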

Related Information:

  • https://www.ethicalhackingnews.com/articles/APT28s-Latest-Operation-Hijacking-Home-and-Small-Office-Routers-for-Espionage-ehn.shtml
  • https://arstechnica.com/security/2026/04/russias-military-hacks-thousands-of-consumer-routers-to-steal-credentials/
  • https://ccstartup.com/blog/2026/04/08/thousands-of-consumer-routers-hacked-by-russias-military/
  • https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
  • https://attack.mitre.org/groups/G0007/


Published: Wed Apr 8 08:54:13 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.