Russian Military Hacks 18,000-40,000 Consumer Routers Globally
Original: Thousands of consumer routers hacked by Russia's military
Why This Matters
Demonstrates Russia's continued use of consumer IoT devices for large-scale espionage operations targeting government and enterprise credentials.
Russia's APT28 military intelligence group hacked thousands of MikroTik and TP-Link routers across 120 countries to steal credentials and OAuth tokens. The operation exploited unpatched vulnerabilities to redirect DNS lookups and intercept user traffic through malicious servers.
Lumen Technologies' Black Lotus Labs reported that Russian military intelligence group APT28 compromised an estimated 18,000 to 40,000 consumer routers globally, primarily targeting MikroTik and TP-Link devices. The campaign, which began in May 2025 and escalated after August, exploited unpatched vulnerabilities in end-of-life routers to modify DNS settings for select domains including Microsoft 365. When users visited targeted sites, their connections were proxied through malicious servers using self-signed certificates. The attackers captured OAuth tokens and credentials after users completed authentication, unaware their traffic was being intercepted. The operation intensified following a UK security alert in August 2025, with over 290,000 IP addresses observed making DNS requests to malicious infrastructure during a four-week period starting December 12.
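The two observable signs of the technique the report describes are a DNS answer for a high-value domain that points outside that service's published address space, and a TLS session for that domain that presents a self-signed certificate. The following Python is an added example written for this summary, not code from Lumen or Black Lotus Labs; the allowlist CIDRs, client addresses and log records are constructed placeholders, and a real deployment would populate the allowlist from the provider's published service-endpoint ranges.

```python
"""Added example: flag DNS answers for monitored domains that fall outside the
expected address space, and TLS sessions that present a self-signed
certificate for those domains. Both checks run over constructed log records."""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist. These CIDRs are documentation ranges used as
# placeholders, not the real address space of the services named.
EXPECTED_RANGES = {
    "login.microsoftonline.com": ["203.0.113.0/24"],
    "outlook.office365.com": ["203.0.113.0/24", "198.51.100.0/25"],
}


@dataclass
class DnsObservation:
    client: str   # LAN host that issued the query
    qname: str    # queried name
    answer: str   # A record returned to the client


@dataclass
class TlsObservation:
    client: str
    sni: str       # server name the client asked for
    issuer: str    # certificate issuer DN
    subject: str   # certificate subject DN
    chain_len: int # number of certificates presented


def dns_answer_is_expected(qname, answer, ranges=EXPECTED_RANGES):
    """True if the domain is unmonitored or the answer is inside its allowlist."""
    nets = ranges.get(qname.lower())
    if nets is None:
        return True
    ip = ipaddress.ip_address(answer)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def find_dns_anomalies(observations, ranges=EXPECTED_RANGES):
    return [o for o in observations
            if not dns_answer_is_expected(o.qname, o.answer, ranges)]


def is_self_signed(obs):
    # A single-certificate chain whose issuer equals its subject.
    return obs.chain_len == 1 and obs.issuer == obs.subject


def find_tls_anomalies(observations, monitored=EXPECTED_RANGES):
    return [o for o in observations
            if o.sni.lower() in monitored and is_self_signed(o)]


def clients_to_triage(dns_obs, tls_obs):
    """Sorted list of clients that hit either indicator; their upstream router's
    DNS settings are the first thing to inspect."""
    flagged = {o.client for o in find_dns_anomalies(dns_obs)}
    flagged |= {o.client for o in find_tls_anomalies(tls_obs)}
    return sorted(flagged)


# Constructed sample records (not real telemetry).
SAMPLE_DNS = [
    DnsObservation("10.0.0.5", "login.microsoftonline.com", "203.0.113.10"),
    DnsObservation("10.0.0.7", "login.microsoftonline.com", "192.0.2.44"),
    DnsObservation("10.0.0.7", "example.com", "192.0.2.1"),
]
SAMPLE_TLS = [
    TlsObservation("10.0.0.5", "login.microsoftonline.com",
                   "CN=Public CA", "CN=login.microsoftonline.com", 3),
    TlsObservation("10.0.0.7", "login.microsoftonline.com",
                   "CN=login.microsoftonline.com",
                   "CN=login.microsoftonline.com", 1),
    TlsObservation("10.0.0.9", "outlook.office365.com",
                   "CN=outlook.office365.com", "CN=outlook.office365.com", 1),
]

if __name__ == "__main__":
    for o in find_dns_anomalies(SAMPLE_DNS):
        print(f"DNS anomaly: {o.client} got {o.answer} for {o.qname}")
    for o in find_tls_anomalies(SAMPLE_TLS):
        print(f"TLS anomaly: {o.client} saw self-signed cert for {o.sni}")
    print("triage:", clients_to_triage(SAMPLE_DNS, SAMPLE_TLS))
```

Unmonitored names are deliberately passed through so the allowlist only has to cover the handful of identity and mail domains the campaign targeted; a client that appears in the triage list is treated as a pointer to its gateway, since the modification in this campaign lived in the router's DNS configuration rather than on the endpoint.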