Russian state-linked APT28 exploits SOHO routers in global DNS hijacking campaign

April 13, 2026 · 7 min read · 3 sources

Introduction

A widespread and persistent cyber espionage campaign has been uncovered, linking one of the world's most notorious state-sponsored threat actors to the compromise of thousands of Small Office/Home Office (SOHO) routers across the globe. Security researchers have attributed the activity to APT28, the group also known as Forest Blizzard and Fancy Bear, which is widely believed to operate on behalf of Russia's military intelligence agency, the GRU.

The operation, which has been active since at least May 2025, involves the systematic exploitation of insecure MikroTik and TP-Link routers. By gaining control of these devices, APT28 is modifying their Domain Name System (DNS) settings to redirect user traffic through attacker-controlled infrastructure. This technique, known as DNS hijacking, effectively turns these common household and small business devices into a distributed network for intelligence gathering and further malicious activities.

Background: A Familiar Playbook

APT28 is a name that commands attention within the intelligence community. Their operational history includes high-profile attacks such as the 2016 breach of the Democratic National Committee (DNC) and numerous espionage campaigns targeting governments, defense contractors, and political organizations worldwide. Their tactics are often aggressive, persistent, and aligned with the strategic interests of the Russian Federation.

The targeting of SOHO routers is not a new strategy for state-sponsored actors, but this campaign highlights its continued effectiveness. These devices represent an ideal target for several reasons. They are ubiquitous, often configured with default or weak credentials, and rarely receive timely firmware updates from their owners. This creates a vast and vulnerable attack surface. Once compromised, a router provides a stealthy foothold into a target's network, allowing an attacker to monitor, intercept, or redirect all traffic passing through it.

This campaign echoes previous operations like the VPNFilter malware in 2018 and the Cyclops Blink botnet in 2022, both of which were attributed to Russian state actors and leveraged compromised network devices. By commandeering a global network of routers, APT28 can effectively mask the origin of its attacks, making attribution difficult while building a resilient infrastructure that is challenging to dismantle.

Technical Details: How the Attack Works

The success of this campaign hinges on a straightforward yet potent methodology. APT28 operators identify and compromise vulnerable SOHO routers, primarily from the MikroTik and TP-Link brands, which are popular among consumers and small businesses.

1. Initial Access: Attackers gain entry by exploiting known vulnerabilities in outdated router firmware or by conducting brute-force attacks against administrative interfaces that use weak or default passwords. Many users fail to change the default "admin/admin" or "admin/password" credentials, providing an open door for automated scanning tools.

2. Gaining Control and Persistence: Once inside, the attackers modify the router's core settings to establish control. The most critical alteration is to the DNS server configuration. A router typically uses the DNS servers provided by an Internet Service Provider (ISP) or a trusted public service. APT28 overwrites these legitimate addresses with IP addresses of DNS servers under their control.

3. DNS Hijacking in Action: The Domain Name System acts as the internet's phonebook, translating human-readable domain names (like www.newsnukem.com) into machine-readable IP addresses. By controlling the DNS server, APT28 can manipulate this translation process. When a user on a compromised network attempts to visit a website, their request is sent to the malicious DNS server. This server can then respond with a fraudulent IP address, redirecting the user's browser to a server controlled by the attackers.

This allows APT28 to execute several malicious objectives:

  • Credential Harvesting: Users can be redirected to pixel-perfect clones of legitimate websites, such as online banking portals, email providers, or corporate login pages. Unsuspecting victims enter their credentials, which are captured directly by the attackers.
  • Malware Distribution: The malicious servers can serve malware instead of the expected website content, leading to drive-by downloads that infect the user's computer.
  • Traffic Interception: For unencrypted traffic, the attackers can perform Man-in-the-Middle (MitM) attacks, passively monitoring communications or actively altering the data being exchanged.

By using the compromised routers as a distributed proxy network, APT28's core command-and-control (C2) infrastructure remains hidden, with malicious traffic appearing to originate from countless legitimate IP addresses around the world.

Impact Assessment: A Global Threat

The global scale of this campaign means its impact is extensive, affecting a wide spectrum of victims from individuals to large corporations.

For individuals and small businesses, the immediate risk is the theft of sensitive personal and financial information. Compromised credentials can lead to financial fraud, identity theft, and unauthorized access to private communications. Small businesses face the additional threat of intellectual property theft and business email compromise.

The implications are particularly severe for remote workers. A compromised home router can serve as a direct gateway into a corporate network. An attacker could leverage this access to move laterally, bypass corporate security controls, and conduct espionage or deploy ransomware within a much larger and more valuable target environment.

From a national security perspective, this campaign provides the GRU with a powerful intelligence-gathering platform. It allows them to conduct widespread surveillance, identify individuals of interest, and establish a global network of pre-positioned assets that can be used for future offensive cyber operations. The difficulty in remediating millions of consumer-grade devices means this malicious infrastructure could persist for years.

How to Protect Yourself

Securing SOHO routers is a shared responsibility, but the primary burden falls on the device owner. Taking the following actionable steps can significantly reduce your risk of compromise.

Immediate Actions

  1. Update Your Router's Firmware: This is the single most important step. Manufacturers release firmware updates to patch security vulnerabilities. Log in to your router's administration panel (usually via an IP address like 192.168.1.1 or 192.168.0.1) and check for the latest firmware version.
  2. Change the Administrator Password: If you are still using the default password, change it immediately to a long, complex, and unique passphrase. Store it in a password manager.
  3. Check Your DNS Settings: In your router's settings, find the DNS configuration. Ensure it is set to obtain DNS servers automatically from your ISP or is manually configured to a trusted public provider like Cloudflare (1.1.1.1) or Google (8.8.8.8). If you see unfamiliar IP addresses, your device may be compromised.
  4. Disable Remote Administration: Unless you have a specific and critical need to manage your router from outside your local network, disable remote (WAN) administration. This feature is a common target for attackers.
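A hands-on way to perform the DNS check in step 3, and to see the redirection described under "DNS Hijacking in Action" from the defender's side: the script below builds a raw DNS A query, sends it both to the router and to a trusted public resolver, and reports any answers only the router returned. This is an added example, not code from the article or its sources; it assumes the router answers DNS on 192.168.1.1, uses Cloudflare's 1.1.1.1 as the trusted resolver, and embeds a constructed sample reply for offline parsing.

```python
import ipaddress
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A-record query with recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; a compression pointer is 2 bytes."""
    while resp[off] != 0 and resp[off] & 0xC0 != 0xC0:
        off += resp[off] + 1
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes) -> set:
    """Return the IPv4 addresses in the answer section (CNAME records are skipped)."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips

def resolve(name: str, server: str, timeout: float = 3.0) -> set:
    """Query `server` over UDP/53 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)

def hijack_suspects(local_ips: set, trusted_ips: set) -> set:
    """Answers the router's resolver gave that the trusted resolver did not."""
    return local_ips - trusted_ips
# Constructed reply (example.com -> 93.184.216.34, answer name is a pointer to the question).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00"
                   b"\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":  # assumed addresses: router 192.168.1.1, trusted resolver 1.1.1.1
    print(hijack_suspects(resolve("example.com", "192.168.1.1"), resolve("example.com", "1.1.1.1")))
```

Sites served from CDNs legitimately return different addresses depending on the resolver, so test with domains that have stable records, and treat a mismatch for a bank or webmail domain as a reason to inspect the router's DNS settings rather than as proof on its own.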

Ongoing Security Practices

  • Enable Automatic Updates: If your router supports it, enable the automatic firmware update feature.
  • Use Strong Wi-Fi Encryption: Ensure your Wi-Fi network is protected with WPA3 or, at a minimum, WPA2 encryption and a strong password.
  • Enhance Traffic Security: Using a reputable VPN service encrypts the traffic leaving your devices. This adds a critical layer of protection, as it can prevent attackers from intercepting your data even if they manage to hijack your DNS requests.
  • Replace Old Equipment: If your router is more than five years old, it may no longer receive security updates from the manufacturer. Consider replacing it with a modern device from a vendor with a strong track record for security.

The weaponization of everyday internet infrastructure by sophisticated actors like APT28 is a persistent threat. This campaign serves as a stark reminder that cybersecurity is not just about protecting computers and servers; it extends to the unassuming network devices that connect us to the digital world. Diligence in securing these devices is essential for personal safety and collective digital security.


// FAQ

What is DNS hijacking?

DNS hijacking is an attack where an adversary alters a device's Domain Name System (DNS) settings to redirect users to malicious websites. Instead of connecting to a legitimate site (e.g., your bank), your compromised router sends you to a fraudulent copy controlled by the attacker to steal your credentials or install malware.

How can I check if my MikroTik or TP-Link router is compromised?

First, log in to your router's administration panel and check the DNS server settings. If they point to unfamiliar IP addresses instead of your ISP's or a known public DNS service (like 8.8.8.8 or 1.1.1.1), it is a strong indicator of compromise. Also, ensure your firmware is up to date and your admin password is not the default one.

Is rebooting my router enough to fix this problem?

No. While rebooting can clear some types of memory-resident malware, it will not fix a malicious configuration change. In this campaign, APT28 modifies the router's saved settings. To fix it, you must manually log in, update the firmware, change the password, and correct the DNS settings. A factory reset is also an effective, though more drastic, option.

Why is a Russian intelligence agency targeting home and small office routers?

SOHO routers are a strategic target for espionage. They are numerous, often insecure, and provide a way to gain access to a target's network activities. Compromising a home router can reveal personal information, financial data, and potentially provide a pathway into an employee's corporate network. They also serve as a global proxy network to hide the true origin of future attacks.
