Russian military hackers target thousands of consumer routers, researchers say

The Russian military is using hacked home and small office routers in a widespread campaign that redirects users to credential-harvesting sites, with an estimated 18,000 to 40,000 devices in 120 countries pulled into the operation, researchers said Tuesday. A technical analysis from Lumen Technologies’ Black Lotus Labs linked the activity to APT28, a Russian military intelligence hacking group.

KEY FACTS

  • Targeted devices: Mostly MikroTik and TP-Link consumer routers.
  • Scale: An estimated 18,000 to 40,000 routers were involved.
  • Reach: The infrastructure spanned 120 countries.
  • Goal: Traffic was sent to sites that harvested passwords and credential tokens.

The report said the group used a small number of routers as proxies to reach other routers used by foreign ministries, law enforcement and government agencies. Microsoft said the attackers also changed DNS lookups for selected websites, including domains tied to its 365 service.

Researchers said the attackers exploited older router models that had not been patched against known vulnerabilities. They then altered DNS settings for selected domains and used the Dynamic Host Configuration Protocol (DHCP) to push those settings to connected workstations.

When devices reached the selected sites, their connections were routed through malicious servers before arriving at the intended destination. Black Lotus researchers said the group combines newer tools such as the LAMEHUG large language model with older techniques that remain effective against unpatched equipment.
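The two checks a defender would want after reading the description above are whether DHCP is handing clients a resolver the administrator never configured, and whether that resolver rewrites answers for only a handful of high-value names while leaving everything else intact. The script below is an added illustration, not code from Black Lotus Labs or the article; all resolver addresses, domain names and DNS answers in it are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample: the DNS servers the router's DHCP server handed out.
# 192.168.88.1 is the router itself (normal); 203.0.113.57 is an outside
# host a home router would not legitimately push to its clients.
DHCP_OFFERED_DNS: List[str] = ["192.168.88.1", "203.0.113.57"]

# Constructed: resolvers an administrator expects clients to receive.
EXPECTED_DNS: Set[str] = {"192.168.88.1", "10.0.0.53"}

# Constructed sample: A-record answers for the same names from the
# DHCP-offered resolver ("local") and an independent trusted resolver
# ("trusted"). Only one name is rewritten, mimicking the selective
# redirection described in the report.
ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "login.example-sso.test": {"local": {"203.0.113.57"}, "trusted": {"198.51.100.20"}},
    "mail.example.test": {"local": {"198.51.100.30"}, "trusted": {"198.51.100.30"}},
    "www.example.test": {"local": {"198.51.100.40"}, "trusted": {"198.51.100.40"}},
}


def unexpected_resolvers(offered: List[str], expected: Set[str]) -> List[str]:
    """Resolvers pushed by DHCP that are not on the expected list."""
    return sorted(set(offered) - set(expected))


def hijacked_domains(answers: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Names whose local answer shares no address with the trusted answer.

    Overlap rather than equality is used so that CDNs returning different
    members of one legitimate pool are not flagged; a fully disjoint answer
    for a login domain is the suspicious case."""
    return sorted(name for name, src in answers.items()
                  if src["local"].isdisjoint(src["trusted"]))


def report(offered: List[str], expected: Set[str],
           answers: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Run both checks; a clean network returns an empty dict."""
    findings: Dict[str, List[str]] = {}
    bad = unexpected_resolvers(offered, expected)
    if bad:
        findings["unexpected_resolvers"] = bad
    hijacked = hijacked_domains(answers)
    if hijacked:
        findings["hijacked_domains"] = hijacked
    return findings


if __name__ == "__main__":
    print(report(DHCP_OFFERED_DNS, EXPECTED_DNS, ANSWERS))
```

Because the rewrite is selective, checking a single well-known domain against the local resolver can pass while the login domains are still redirected; the comparison has to cover the names that actually carry credentials.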

WHY IT MATTERS

The campaign shows how routers in homes and small offices can be turned into intelligence-gathering infrastructure and used to intercept credentials from people who trust their network connections. It also shows that basic patching and device hardening remain important defenses against attacks that rely on exposed, older hardware.