
The Russian military is once again hacking home and small office routers in widespread campaigns that send unwitting users to sites that harvest passwords and credential tokens for use in espionage campaigns, researchers said Tuesday.
An estimated 18,000 to 40,000 consumer routers in 120 countries, most of them made by MikroTik and TP-Link, were implicated in infrastructure belonging to APT28, an advanced threat group that is part of Russia’s military intelligence agency, the GRU, researchers at Lumen Technologies’ Black Lotus Labs said. The threat group has been operating for at least two decades and is behind dozens of high-profile hacks targeting governments around the world. APT28 is also tracked under names like Pawn Storm, Sofacy Group, Sednit, Czar Team, Forest Blizzard, and Strontium.
Technological sophistication, tried and true techniques
A small number of routers were used as proxies to connect to a large number of other routers belonging to foreign ministries, law enforcement, and government agencies that APT28 wanted to spy on. The group then used its control of the router to alter DNS lookups for select websites, which, Microsoft said, included domains for the company’s 365 service.
“Known for blending cutting-edge tools like the large language model (LLM) ‘lamhg’ with proven, long-term techniques, Forest Blizzard constantly evolves its strategy to stay ahead of defenders,” Black Lotus researchers wrote. “Its past and present campaigns highlight both its technical sophistication and its willingness to revisit classic attack methods even after public exposure, underscoring the ongoing risk this actor poses to organizations around the world.”
To hijack routers, attackers took advantage of older models that were not patched against known security vulnerabilities. They then changed the DNS settings for selected domains and used the Dynamic Host Configuration Protocol (DHCP) to propagate those settings to router-connected workstations. When connected devices visited one of the selected domains, their connections were proxied through the malicious server before reaching their intended destination.
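The technique just described leaves two observable traces on the LAN: the DNS servers that DHCP hands to workstations, and the answers those servers return for the targeted domains. The following is an added defender-side example, not code from Black Lotus Labs or from the article; it checks both traces offline against constructed sample data. The resolver answers, the allowed network ranges and the watched domains other than Microsoft 365 names are assumptions for illustration, not values reported on the page.

```python
"""Offline check for router-level DNS hijack indicators.

Two checks, mirroring the two stages of the campaign in the article:
  1. The DNS servers advertised via DHCP must fall inside the networks an
     administrator expects (the router itself or the organisation's resolvers).
  2. For high-value domains, the answer from the DHCP-advertised resolver is
     compared with the answer from an independent, trusted resolver (for
     example one reached over DoH/DoT that the router cannot rewrite). Any
     address the trusted resolver never returned is flagged.
All inputs below are constructed sample values using RFC 5737 documentation
ranges; in practice they would come from a DHCP lease and two DNS queries.
"""
import ipaddress
from typing import Dict, Iterable, List

# Domains worth watching. Microsoft 365 names are mentioned in the article;
# the ministry mail host is a hypothetical placeholder under the reserved
# .example TLD.
WATCHED_DOMAINS = [
    "login.microsoftonline.com",
    "outlook.office365.com",
    "mail.ministry.example",
]

# Constructed: answers obtained from a trusted, router-independent resolver.
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.11", "198.51.100.12"},
    "outlook.office365.com": {"198.51.100.20"},
    "mail.ministry.example": {"198.51.100.30"},
}

# Constructed: answers from the resolver that DHCP advertised (the router).
# The first entry deliberately points at an address the trusted resolver
# never returned, modelling a hijacked lookup for one selected domain.
LAN_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.77"},
    "outlook.office365.com": {"198.51.100.20"},
    "mail.ministry.example": {"198.51.100.30"},
}


def suspicious_dns_servers(offered: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Return DHCP-offered DNS server addresses outside the allowed networks.

    `offered` is the list from DHCP option 6; `allowed` is a list of CIDR
    networks (the LAN itself, the organisation's resolver ranges).
    """
    nets = [ipaddress.ip_network(cidr) for cidr in allowed]
    flagged = []
    for server in offered:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in nets):
            flagged.append(server)
    return flagged


def diverging_domains(
    lan: Dict[str, Iterable[str]],
    trusted: Dict[str, Iterable[str]],
    watched: Iterable[str],
) -> Dict[str, Dict[str, List[str]]]:
    """Flag watched domains whose LAN answer contains unexpected addresses.

    Only addresses absent from the trusted answer are reported, so a LAN
    resolver returning a subset of the trusted set is not flagged.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for domain in watched:
        lan_set = set(lan.get(domain, ()))
        trusted_set = set(trusted.get(domain, ()))
        unexpected = lan_set - trusted_set
        if unexpected:
            findings[domain] = {
                "unexpected": sorted(unexpected),
                "expected": sorted(trusted_set),
            }
    return findings


if __name__ == "__main__":
    # Constructed DHCP offer: the router hands out itself plus a foreign resolver.
    offered = ["192.168.88.1", "203.0.113.5"]
    print("DNS servers outside allowed ranges:",
          suspicious_dns_servers(offered, ["192.168.88.0/24", "10.0.0.0/8"]))
    for domain, detail in diverging_domains(LAN_ANSWERS, TRUSTED_ANSWERS, WATCHED_DOMAINS).items():
        print(f"possible hijack of {domain}: got {detail['unexpected']}, expected {detail['expected']}")
```

A caveat for anyone adapting this: names served from CDNs or geo-aware DNS can legitimately resolve differently for two resolvers, so an address mismatch is a lead to investigate (for example by checking the TLS certificate presented at that address), not proof of compromise; comparing against the organisation's own resolver rather than a public one keeps that noise down.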