Russian Cyberattacks on Popular Routers: FBI Warns of Espionage Campaign


Massive Russian Cyberattack Campaign Targets Popular Home and Office Routers

The FBI, the NSA, and numerous international intelligence agencies have issued a stark warning regarding a widespread cyber espionage campaign orchestrated by the Russian military intelligence service (GRU). Since at least 2024, state-sponsored hackers have been heavily targeting popular home and office routers to intercept Domain Name System (DNS) traffic and steal highly sensitive information.

This sophisticated operation is being driven by the notorious APT28 hacking group, a collective with deep ties to the special services of the Russian Federation. As global geopolitical tensions rise, state-sponsored cyber espionage is becoming increasingly common, echoing other recent incidents in which Iran has threatened Big Tech and Persian Gulf states with cyberattacks.

Who is Behind the Router Cyberattacks?

According to assessments by the UK’s National Cyber Security Centre (NCSC) and global intelligence partners, APT28 is almost certainly a military cyber espionage unit directly subordinate to the Russian GRU (Main Intelligence Directorate of the General Staff of the Armed Forces).

Operating officially as Military Unit 26165, this cyber division functions under the 85th Main Special Service Centre (GTsSS). This classification highlights that their activities are not routine cybercrime driven by financial gain, but rather highly coordinated, politically motivated cyber espionage operations.

APT28 has a long history of high-profile attacks. The group was responsible for the 2015 cyberattacks on the German parliament and an attempted breach of the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018. More recently, in 2024, international cybersecurity response teams reported APT28 targeting various government institutions and private citizens globally to gather intelligence.

How the GRU Compromises Popular Routers

The attackers breached vulnerable routers by exploiting known security flaws, including the CVE-2023-50224 vulnerability found in select TP-Link models. Once inside the device, the hackers altered its Dynamic Host Configuration Protocol (DHCP) and DNS configuration so that every client on the network was handed resolver addresses under GRU control, routing all DNS traffic through malicious servers.

Previously, British intelligence noted that APT28 utilized Virtual Private Servers (VPS) to establish this malicious DNS infrastructure. This setup allowed for two types of attacks:

  • Passive Monitoring: Silently observing DNS queries to track user browsing habits and network activity.
  • Active Spoofing: Impersonating legitimate corporate services, such as Outlook Web Access, to trick users into handing over credentials.
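The hijack described above shows up on every client as a DHCP-supplied resolver that is neither the router itself nor one the owner chose. The following audit script is an added example (not from the advisory or the agencies' own tooling) that parses a resolv.conf-style file and flags unexpected resolvers; the sample file content, gateway address and allowlist are constructed, and 203.0.113.77 is a documentation address standing in for an attacker-controlled VPS.

```python
import ipaddress

# Constructed sample of a client's /etc/resolv.conf after a DHCP lease from a
# hijacked router: the gateway is still listed, but a second resolver on a
# routable address has been added (203.0.113.0/24 is a documentation range).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# RFC 1918 ranges: a SOHO router normally hands out its own LAN address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(servers: list[str], gateway: str, trusted: list[str]) -> list[tuple[str, str]]:
    """Return (server, reason) pairs for resolvers that do not match the expected set.

    Expected: the gateway itself or an entry on the owner's allowlist. Anything
    else, above all a public address, matches the DHCP/DNS hijack pattern.
    """
    findings = []
    expected = set(trusted) | {gateway}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "unparseable address"))
            continue
        if s in expected:
            continue
        if ip.is_loopback or any(ip in net for net in RFC1918):
            findings.append((s, "unexpected LAN/loopback resolver"))
        else:
            findings.append((s, "unexpected public resolver"))
    return findings


if __name__ == "__main__":
    for server, reason in audit_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF), "192.168.1.1", ["9.9.9.9"]):
        print(f"ALERT: {server}: {reason}")
```

On a real host, feed the function the contents of /etc/resolv.conf (or the DNS servers from `ipconfig /all` on Windows) together with your router's LAN address and any resolvers you configured yourself; an unexpected public entry is worth checking against the router's admin page immediately.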

Adversary-in-the-Middle Attacks

By controlling the DNS routing, Russian hackers could execute “adversary-in-the-middle” (AitM) attacks on encrypted connections. If a victim ignored browser warnings about invalid SSL/TLS certificates, the attackers could seamlessly intercept login credentials, passwords, authentication tokens, email contents, and other critical data that would normally be securely encrypted.

Who is at Risk?

These threats are global and no longer confined to large corporations, government agencies, universities, or research institutes. The battlefield has expanded to individual users and small businesses.

The primary victims at risk are remote workers using privately owned Small Office/Home Office (SOHO) routers, as well as small enterprises relying on budget-friendly, rarely updated network equipment. The attackers cast a wide net across these vulnerable devices. By sifting through massive amounts of stolen data, the hackers can identify high-value targets connected to the military, government, and critical infrastructure sectors worldwide.

How to Protect Your Network from Router Hacks

Securing your network is critical to defending against state-sponsored intrusions. The FBI and international cybersecurity authorities recommend taking immediate action to harden your home and office networks. Simple steps, like changing your Bluetooth device names for better home security, are a good start, but protecting against APT28 requires stricter router management.

  • Replace Unsupported Hardware: Retire and replace any legacy routers that no longer receive official manufacturer support with newer models that offer regular security updates.
  • Update Firmware Regularly: Always install the latest security patches provided by the manufacturer.
  • Change Default Credentials: Immediately replace default administrator passwords with strong, unique, and complex passphrases.
  • Disable Remote Management: Turn off remote management services from the Wide Area Network (WAN) side. This significantly reduces the attack surface for external threat actors.
  • Do Not Ignore Security Warnings: Never bypass or ignore browser or email client warnings regarding invalid SSL certificates—this is often the first and only sign of an active AitM attack.
  • Segment Your Network: Implement network segmentation in your home or office. Keep Internet of Things (IoT) devices and guest networks completely separated from workstations that handle sensitive data.

Frequently Asked Questions (FAQ)

How do I know if my router has been compromised by a DNS hijacking attack?

Signs of a DNS hijacking attack include unexpected browser warnings about invalid SSL certificates, being redirected to suspicious or slightly altered websites when typing a legitimate URL, slower-than-usual internet speeds, and unauthorized changes to your router’s DNS settings in the admin dashboard.

Does rebooting my router remove the APT28 malware?

A simple reboot is usually not enough to remove a sophisticated compromise. While it might temporarily disrupt a memory-based exploit, if the hackers have altered your router’s core configuration (like DNS/DHCP settings) or flashed malicious firmware, you must perform a full factory reset, update the firmware, and change all administrator passwords.

Are only TP-Link routers vulnerable to these Russian cyberattacks?

No. While the CVE-2023-50224 vulnerability in specific TP-Link models was highlighted in recent campaigns, APT28 and similar state-sponsored groups continuously scan the internet for unpatched vulnerabilities across all major router brands, particularly budget-friendly Small Office/Home Office (SOHO) devices.

Sources: FBI, CVE, NCSC, Databreaches, Helpnetsecurity, The Hacker News. Opening photo: Gemini
