Russian military intelligence has compromised tens of thousands of home and small-office routers globally, turning everyday networking hardware into a vast espionage network designed to steal passwords and sensitive credentials. The operation, attributed to the advanced threat group APT28, targets the very devices that manage internet traffic for unwitting users in over 100 countries.
Researchers from Lumen Technologies’ Black Lotus Labs report that between 18,000 and 40,000 consumer routers have been wrangled into the group’s infrastructure. By exploiting unpatched vulnerabilities in older hardware, the attackers have created a proxy network that allows them to mask their origins while targeting high-value government and diplomatic entities.
The scale of the breach is particularly concerning because it leverages “SOHO” (small office/home office) devices, which often lack the robust security monitoring found in corporate environments. This allows the Russian military to maintain a persistent presence on the global internet, using civilian hardware as a shield for state-sponsored cyber espionage.
The Mechanics of the Router Hijack
The attack begins by targeting older router models—predominantly those manufactured by MikroTik and TP-Link—that have not been updated with the latest security patches. Once the attackers gain access, they manipulate the Domain Name System (DNS) settings. DNS is essentially the phonebook of the internet, translating human-readable domain names like “microsoft.com” into the IP addresses that computers use to communicate.
By altering these lookups, APT28 can redirect users to malicious servers. In a sophisticated “adversary-in-the-middle” attack, the router sends the user to a fake site that looks identical to the real one. When the user enters their credentials, the attackers harvest the passwords and session tokens in real-time before forwarding the user to the actual destination to avoid suspicion.
According to Microsoft, these hijacked routers were specifically used to target domains associated with the company’s 365 service, aiming to compromise corporate and government email accounts.
The Role of DHCP in Propagation
To ensure the attack reached the devices connected to the router, the group utilized the Dynamic Host Configuration Protocol (DHCP). This is the standard method routers use to assign IP addresses and network settings to laptops, smartphones, and tablets. By pushing the malicious DNS settings through DHCP, the attackers ensured that every device on the infected network was automatically routed through their proxy servers without the user ever changing a setting on their individual computer.
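One defensive check that follows from this: a rogue DNS server pushed via DHCP shows up in option 6 of the DHCPACK a client receives. The script below, an added example not taken from the Lumen or Microsoft reporting, parses a constructed DHCPACK option blob and flags any DNS server that is neither on the LAN nor on an allowlist of resolvers the owner actually chose.

```python
import ipaddress

# Constructed DHCPACK option bytes (the part that follows the magic cookie).
# Option 53 = message type (5 = ACK), 3 = router, 6 = DNS servers, 255 = end.
# All addresses here are made up for the example.
SAMPLE_DHCPACK_OPTIONS = bytes([
    53, 1, 5,                    # DHCP message type: ACK
    3, 4, 192, 168, 1, 1,        # router (gateway): 192.168.1.1
    6, 8, 192, 168, 1, 1,        # DNS server 1: the router itself (expected)
          203, 0, 113, 77,       # DNS server 2: off-LAN, not chosen by the owner
    255,                         # end of options
])


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse DHCP option TLVs into {code: value_bytes}; stops at option 255."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts: dict) -> list:
    """Decode option 6 into dotted-quad strings (4 bytes per server)."""
    raw = opts.get(6, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def rogue_dns_servers(blob: bytes, lan: str, allowlist: list) -> list:
    """Return DHCP-assigned DNS servers outside the LAN and not on the allowlist.

    A compromised router handing out an external resolver the owner never
    configured is exactly the hijack described above; such entries are returned.
    """
    net = ipaddress.ip_network(lan)
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    rogue = []
    for server in dns_servers(parse_dhcp_options(blob)):
        ip = ipaddress.ip_address(server)
        if ip not in net and ip not in allowed:
            rogue.append(server)
    return rogue
```

On a real host the option bytes would come from a packet capture of the DHCP exchange rather than the constructed blob above.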

Who is APT28?
The group responsible, APT28, is a well-documented arm of the GRU, Russia’s military intelligence agency. For over two decades, the group has been a primary actor in global cyber warfare, known for high-profile intrusions into government ministries and political organizations. Because of its longevity and variety of targets, the group is tracked under a dizzying array of aliases by different security firms.
| Tracking Name | Context/Origin |
|---|---|
| Forest Blizzard | Lumen/Black Lotus Labs |
| STRONTIUM | Microsoft |
| Fancy Bear | Common industry term |
| Pawn Storm / Sofacy | Early security research |
| Sednit / Tsar Team | European intelligence tracking |
Black Lotus researchers noted a troubling evolution in the group’s toolkit. While they continue to use “classic” attack methods, they are now integrating cutting-edge technology. Specifically, the group has been observed using a large language model (LLM) dubbed “LAMEHUG” to enhance their operations, blending AI-driven sophistication with the tried-and-true method of exploiting neglected hardware.
Impact and Global Reach
The operation spanned 120 countries, demonstrating that no single region is immune to these campaigns. The strategic goal appears to be twofold: first, to gather intelligence on foreign ministries and law enforcement agencies, and second, to build a resilient, distributed infrastructure that is difficult for defenders to shut down.
When a government agency is targeted, the attackers don’t connect directly from a Russian IP address, which would be immediately flagged. Instead, they route the attack through a chain of these thousands of hacked consumer routers. To the target, the attack looks like it’s coming from a home in a neutral country, effectively laundering the traffic.
What this means for the average user
For the majority of the 18,000 to 40,000 affected users, the router is not the final target, but a tool. Even so, the risk remains severe. If a user’s router is compromised, any unencrypted traffic passing through that device can potentially be intercepted. The primary “victim” in this scenario is the integrity of the user’s connection and the security of the credentials they enter into websites that the attackers have targeted.
How to Protect Your Network
The persistence of these attacks highlights a critical gap in consumer electronics: the “set it and forget it” mentality. Many users install a router and never check for firmware updates, leaving devices open to vulnerabilities that have been known to the public for years.
- Update Firmware: Regularly check the manufacturer’s website for the latest security patches. If a router is so old that the manufacturer no longer provides updates, it should be replaced.
- Change Default Credentials: Never leave the default admin password on a router. This is the first thing automated scripts check when searching for vulnerable devices.
- Disable Remote Management: Unless absolutely necessary, disable the ability to manage the router from the wide-area network (WAN), which closes a common entry point for attackers.
- Use Multi-Factor Authentication (MFA): Since the goal of these hacks is to harvest passwords, MFA provides a critical second layer of defense that can prevent an attacker from using a stolen password.
As APT28 continues to evolve, the focus for cybersecurity professionals has shifted toward “zero trust” architectures, where no single device—including the home router—is implicitly trusted to handle traffic securely. The next phase of defense will likely involve more aggressive automated patching and the adoption of encrypted DNS (DNS-over-HTTPS) to prevent the kind of hijacking seen in this campaign.
Security researchers and government agencies continue to monitor the activity of Forest Blizzard, with further technical indicators and “Indicators of Compromise” (IoCs) expected to be released as more of the infrastructure is mapped and neutralized.
Do you have experience with network security or have you noticed unusual activity on your home network? Share your thoughts and experiences in the comments below.
