Ryan Gallagher / Bloomberg: The UK says Russia-linked hacking group APT28 is hijacking popular internet routers from MikroTik, TP-Link, and others to steal credentials and redirect traffic — Russian government-linked hackers are compromising popular internet routers to steal passwords for email accounts and other online services …
Researchers at Lumen Technologies' Black Lotus Labs say Russia's GRU-linked APT28 has compromised an estimated 18,000–40,000 consumer routers, mainly MikroTik and TP-Link devices, across 120 countries to harvest credentials and support espionage. The attackers used a small set of hijacked routers as proxies to reach a far larger pool of targets, tampering with DNS answers for selected sites (reportedly including Microsoft 365 domains) so that victims' passwords and tokens could be captured. APT28 (also tracked as Pawn Storm, Sofacy and STRONTIUM) combined long-standing, technically adept router-compromise tradecraft with targeted interception of government and law-enforcement traffic. The operation underscores persistent supply-chain and perimeter weaknesses in consumer networking gear and the risk that unmanaged home and small-office devices pose to enterprise and national security.
Security firms and Microsoft say the Russia-linked APT28 group, which Microsoft tracks as Forest Blizzard, hijacked DNS settings on more than 18,000 mostly end-of-life SOHO routers to siphon Microsoft Office OAuth authentication tokens. Lumen's Black Lotus Labs and Microsoft found the GRU-backed attackers exploited known MikroTik and TP-Link flaws to point victims at attacker-controlled DNS servers, enabling post-compromise adversary-in-the-middle interception of TLS sessions and OAuth tokens that bypasses credentials and MFA without installing malware on the victim's endpoint. Targets included government ministries, law enforcement and third-party email providers; Microsoft reported more than 200 affected organizations and 5,000 consumer devices. The campaign highlights the risk of unpatched edge devices and of DNS hijacking as a low-effort but high-impact route to account takeover.
The UK National Cyber Security Centre warned that Russia-linked APT28 (Fancy Bear/Forest Blizzard) continues to exploit vulnerabilities in SOHO and enterprise routers to change their DNS settings, redirecting users to attacker-controlled clone sites that harvest credentials. Microsoft corroborated the activity, saying more than 200 organizations and about 5,000 consumer devices have been affected; vendors named include TP-Link, MikroTik and, previously, Cisco. The NCSC says the campaign, tracked since 2021, appears opportunistic and can also lead to downstream compromise of laptops and phones behind the router, provide footholds for follow-on malware or DDoS operations, and yield intelligence of particular value in Ukraine. Authorities urged operators to apply mitigations and follow published guidance for protecting network devices.
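The DNS-redirection mechanism described in the reports above (a compromised router handing out an attacker-controlled resolver, which answers selectively for high-value sign-in domains) is something a defender can check for from any client behind the router. The following Python check is an added example written for this page; it is not code from Lumen, Microsoft, the NCSC or any router vendor. It treats two things as signals: a DHCP-advertised resolver that is not on your allowlist, and an A-record answer for a sign-in domain that an independent reference resolver never returns. The allowlist, the domain list and the sample snapshot are assumptions constructed for illustration and use RFC 5737 documentation addresses, not real infrastructure.

```python
"""Offline checks for router-level DNS hijacking (added example, not vendor code).

Signals examined in a snapshot of what a LAN client sees:
  1. resolver allowlist: are the DNS servers the router hands out via DHCP
     the ones you expect (your ISP's, or a public resolver you chose)?
  2. answer comparison: for high-value domains, do A-record answers from the
     router's resolver match those from an independent reference resolver?
The reported tampering is selective, so resolving a random domain proves
nothing; the comparison must cover the domains an adversary would target.
"""
from __future__ import annotations

import ipaddress
import socket
from collections.abc import Sequence
from dataclasses import dataclass

# Microsoft 365 sign-in and mail hosts are the ones named in the reporting;
# add your own identity provider and webmail hosts here (assumed list).
HIGH_VALUE_DOMAINS = (
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office365.com",
)


@dataclass(frozen=True)
class Finding:
    kind: str    # rogue-resolver | bad-resolver | no-answer | dns-mismatch[-strong]
    detail: str


def check_resolvers(advertised: Sequence[str], allowed: set[str]) -> list[Finding]:
    """Flag any DHCP-advertised resolver that is not on the allowlist."""
    findings: list[Finding] = []
    for entry in advertised:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(Finding("bad-resolver", f"unparseable resolver {entry!r}"))
            continue
        if str(ip) not in allowed:
            findings.append(Finding("rogue-resolver", f"{ip} is not an allowed resolver"))
    return findings


def check_answers(
    local: dict[str, set[str]],
    reference: dict[str, set[str]],
    resolvers: Sequence[str] = (),
    domains: Sequence[str] = HIGH_VALUE_DOMAINS,
) -> list[Finding]:
    """Compare the router resolver's answers against a reference resolver.

    An address the reference never returned is a lead, not proof: CDN-fronted
    hosts legitimately vary by vantage point. An answer that is a private
    address, or that points at one of the advertised resolvers themselves
    (the LAN-side interception pattern), is rated as a strong finding.
    """
    findings: list[Finding] = []
    for domain in domains:
        local_set = local.get(domain, set())
        if not local_set:
            findings.append(Finding("no-answer", f"{domain}: no answer from local resolver"))
            continue
        for addr in sorted(local_set - reference.get(domain, set())):
            strong = ipaddress.ip_address(addr).is_private or addr in resolvers
            kind = "dns-mismatch-strong" if strong else "dns-mismatch"
            findings.append(Finding(kind, f"{domain}: {addr} not returned by reference resolver"))
    return findings


def audit(advertised, allowed, local, reference, domains=HIGH_VALUE_DOMAINS) -> list[Finding]:
    """Run both checks over one snapshot and return every finding."""
    return check_resolvers(advertised, allowed) + check_answers(local, reference, advertised, domains)


def local_answers(domains: Sequence[str] = HIGH_VALUE_DOMAINS) -> dict[str, set[str]]:
    """Gather the 'local' side with the system resolver (the one DHCP configured).

    The reference side needs a query pinned to a specific server, e.g.
    `dig @9.9.9.9 +short login.microsoftonline.com`; the stdlib cannot do that,
    so pass those answers in as a dict.
    """
    out: dict[str, set[str]] = {}
    for d in domains:
        try:
            infos = socket.getaddrinfo(d, 443, socket.AF_INET, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []
        out[d] = {info[4][0] for info in infos}
    return out


# Constructed sample snapshot (RFC 5737 documentation ranges; not real data).
# The router advertises one legitimate resolver and one unknown one, and the
# sign-in domain resolves to the unknown resolver's own address.
SAMPLE_ALLOWED = {"203.0.113.53", "1.1.1.1", "9.9.9.9"}
SAMPLE_ADVERTISED = ["203.0.113.53", "198.51.100.77"]
SAMPLE_LOCAL = {
    "login.microsoftonline.com": {"198.51.100.77"},
    "login.live.com": {"192.0.2.10"},
    "outlook.office365.com": {"192.0.2.20"},
}
SAMPLE_REFERENCE = {
    "login.microsoftonline.com": {"192.0.2.1", "192.0.2.2"},
    "login.live.com": {"192.0.2.10"},
    "outlook.office365.com": {"192.0.2.20"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ADVERTISED, SAMPLE_ALLOWED, SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(f"[{f.kind}] {f.detail}")
```

On a real host, replace the sample dictionaries with the resolvers from your DHCP lease, `local_answers()` for the local side, and pinned queries to a resolver you trust for the reference side. Treat a plain `dns-mismatch` as a prompt to inspect the TLS certificate served at that address for the hostname, since a correctly chained certificate rules out the interception described above while a mismatched or self-signed one confirms it. Detection is only a stopgap: the durable fix is patching or replacing end-of-life routers and keeping their management interfaces off the internet.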