Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
Summary
Russian state-linked APT28 has been actively exploiting vulnerable SOHO routers, specifically MikroTik and TP-Link models, since at least May 2025. The attackers are hijacking DNS settings on these compromised devices, turning them into malicious infrastructure for a cyber espionage campaign.
IFF Assessment
This campaign represents a significant threat: a sophisticated state-linked actor is compromising widely deployed network devices to further its espionage objectives.
Defender Context
This campaign highlights the persistent risk posed by unpatched and insecure SOHO routers, which are often overlooked by organizations. Defenders should prioritize patching router firmware, segmenting networks, and monitoring for unusual DNS activity or unauthorized configuration changes to mitigate such threats.
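As an added example (not from the original brief), the checks below implement the DNS-monitoring advice in Python over constructed sample data: an allow-list check on the resolvers a router advertises to clients via DHCP option 6, and a comparison of the router resolver's answers against an independent resolver. The allow-list, the documentation-range addresses and the sample answers are all assumptions.

```python
"""Defender-side checks for router DNS hijacking, run over constructed sample data."""
from typing import Iterable

# Assumed policy: the only resolvers clients should ever receive via DHCP option 6.
EXPECTED_RESOLVERS = {"192.168.88.1", "9.9.9.9"}

# Constructed sample input (documentation-range addresses, not real indicators).
SAMPLE_DHCP_DNS = ["192.168.88.1", "203.0.113.7"]
SAMPLE_ROUTER_ANSWERS = {
    "login.example.com": {"203.0.113.50"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
    "intranet.example.org": {"192.168.88.20"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "login.example.com": {"198.51.100.5"},
    "cdn.example.net": {"198.51.100.11", "198.51.100.12"},
}

def unexpected_resolvers(advertised: Iterable[str]) -> list[str]:
    """Return DHCP-advertised DNS servers that are not on the allow-list.
    A router whose DNS settings were rewritten hands clients a resolver the
    attacker controls, so any address outside the expected set is a
    configuration change worth investigating.
    """
    return sorted(r for r in advertised if r not in EXPECTED_RESOLVERS)

def hijack_suspects(router_answers: dict[str, set[str]],
                    reference_answers: dict[str, set[str]]) -> list[str]:
    """Return names where the router's resolver disagrees entirely with an independent one.
    CDN-backed names legitimately vary, so a name is flagged only when the two
    answer sets share nothing; names the reference resolver could not answer
    (e.g. internal-only hosts) are skipped rather than flagged.
    """
    return sorted(
        name for name, addrs in router_answers.items()
        if reference_answers.get(name) and addrs.isdisjoint(reference_answers[name])
    )

def report(advertised: Iterable[str], router_answers: dict[str, set[str]],
           reference_answers: dict[str, set[str]]) -> dict[str, list[str]]:
    """Combine both checks into one structured result suitable for alerting."""
    return {
        "unexpected_resolvers": unexpected_resolvers(advertised),
        "disagreeing_names": hijack_suspects(router_answers, reference_answers),
    }

if __name__ == "__main__":
    print(report(SAMPLE_DHCP_DNS, SAMPLE_ROUTER_ANSWERS, SAMPLE_REFERENCE_ANSWERS))
```

In practice the sample inputs would be replaced by the resolvers seen in a captured DHCP offer and by live lookups through the router and through an out-of-band resolver.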