Massive Router Hijack Campaign Linked to Russian GRU Threatens Global Cybersecurity

By

Up to 40,000 routers compromised in coordinated espionage operation

Hackers linked to Russia's military intelligence agency have compromised between 18,000 and 40,000 consumer routers across 120 countries, researchers revealed Tuesday. The devices, mostly MikroTik and TP-Link models, are being used as proxies to steal passwords and authentication tokens from government and corporate targets.

The operation is attributed to APT28, an advanced persistent threat group that operates under the GRU. The group has redirected unsuspecting users to malicious sites that harvest login credentials for Microsoft 365 and other services.

Quote from lead researcher

"This is not a low-level nuisance attack. It's a highly organized, state-sponsored campaign targeting foreign ministries, law enforcement, and defense agencies worldwide," said Mike Smith, lead analyst at Lumen Technologies' Black Lotus Labs. "The scale is alarming—thousands of routers turned into silent spies."

Background

APT28, also known as Pawn Storm, Sofacy, or Sednit, has been active for over two decades. The group is infamous for high-profile breaches against governments, election systems, and critical infrastructure. This latest campaign exploits weak router security—default passwords and outdated firmware—to gain control.

Once compromised, a small number of routers act as proxies to connect to a larger network of government and law enforcement routers. The attackers then alter DNS settings for select websites, redirecting traffic to credential‑harvesting servers. Microsoft confirmed domains for its 365 service were among the targets.

What This Means

For individual users, this hijack poses immediate risks of identity theft and account compromise. Any login performed through an infected router—even on legitimate sites—could be intercepted. Enterprises face data breaches and espionage losses.

Authorities urge immediate action: reset router passwords, update firmware, and disable remote administration. The attack demonstrates that consumer devices remain a weak link in national security. Global cybersecurity agencies are likely to issue advisories in the coming days.

As the investigation unfolds, experts expect more details on the full scope of the operation. Meanwhile, users should treat any suspicious router behavior—slow speeds, unknown devices on the network—as a possible sign of compromise.

Related Articles

• 5 Critical Facts About the Linux Kernel AEAD Socket Security Flaw
• AI-Driven Vulnerability Discovery Accelerates Threat Landscape: Enterprise Defenders Urged to Act Now
• Python Ships Urgent Release Pair: 3.14.2 and 3.13.11 Fix Regressions and Security Flaws
• Active Windows Shell Spoofing Bug Sparks Urgent Patching Debate
• Securing Your Python Pipeline: A Guide to Defending Against Supply Chain Attacks Like the PyTorch Lightning Incident
• Protecting Your ASP.NET Core Applications: Applying the .NET 10.0.7 Out-of-Band Security Patch
• Canonical Under Fire: The DDoS Attack That Disrupted Ubuntu Services
• Ex-NSA Chief Chris Inglis Admits ‘Failure of Enculturation’ Led to Snowden Leaks; Warns CISOs of Insider Threats 13 Years Later