Digital Event Horizon
Russia's military intelligence agency has launched a new cyber operation targeting home and small office routers in 120 countries. The APT28 group, known for its technological sophistication, exploited older router models to gain control over these devices, allowing it to intercept sensitive information from unsuspecting users. Read the full story to learn more about this disturbing development and how individuals can protect themselves against similar attacks.
APT28 (Forest Blizzard), a group attributed to Russia's military intelligence agency, hijacked thousands of home and small office routers in 120 countries. The attackers exploited older models of consumer routers with known security vulnerabilities to gain control. The operation used the Dynamic Host Configuration Protocol (DHCP) to push malicious DNS settings to the devices behind each router, letting the attackers intercept and exfiltrate sensitive information from unsuspecting users. Malicious proxy servers presenting self-signed certificates captured OAuth tokens and other credentials set after users completed multifactor authentication. APT28's tactics are ongoing and evolving, highlighting the need for users to review DNS settings and replace end-of-life routers with secure ones.
In a disturbing development, researchers have uncovered a sophisticated cyber operation by APT28 (also known as Forest Blizzard), a group attributed to Russia's military intelligence agency, which involved hijacking thousands of home and small office routers in 120 countries. The malicious actors exploited older models of consumer routers that had not been patched against known security vulnerabilities to gain control over these devices.
Once compromised, the attackers used the Dynamic Host Configuration Protocol (DHCP) to propagate changes to the DNS settings on router-connected workstations. Because a home router is normally also the LAN's DHCP server, and DHCP tells each client which DNS servers to use, a compromised router can point every device behind it at an attacker-controlled resolver without touching the devices themselves. This allowed the attackers to intercept and exfiltrate sensitive information from unsuspecting users. The operation began in May 2025, with the threat group rapidly escalating its activities in August 2025, after Britain's National Cyber Security Centre released an alert about a malware campaign targeting Microsoft Office account credentials and tokens.
The malicious resolver steered victims to attacker-run servers that proxied traffic before forwarding it to its intended destination. These servers presented self-signed certificates, so the browser's certificate warning was the only visible sign that something was wrong. When users clicked through that warning, the servers captured all traffic passing through them, including OAuth tokens and other credentials set after users completed multifactor authentication.
Researchers from Lumen Technologies' Black Lotus Labs observed over 290,000 distinct IP addresses sending at least one DNS request to the malicious APT28 DNS resolver during a four-week period starting on December 12. The group's methodology involved using cutting-edge tools such as large language models (LLMs) alongside tried-and-true techniques.
The threat posed by APT28 is ongoing, with the group consistently evolving its tactics to stay ahead of defenders. The operation highlights the need for users to review the DNS servers their router hands out and that their devices are actually using, and to check event logs for any unrecognized changes to DNS server settings. A resolver address that is neither the router's own LAN address nor a resolver the user or ISP deliberately configured deserves a closer look. It also emphasizes the importance of replacing end-of-life routers with ones that receive regular security updates.
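The DHCP mechanism described above and the "review your DNS settings" advice both come down to one check: which DNS servers is the router's DHCP server handing out, and are they the ones you expect? The following Python script is an added example and is not code from the article, from Black Lotus Labs, or from any router vendor. It parses a DHCP OFFER from raw bytes, extracts the DNS servers (option 6), the default router (option 3) and the message type (option 53), and flags any resolver that is neither the router itself nor on a caller-supplied allowlist. The sample packet is constructed in the script; the allowlist addresses are placeholders you would replace with the resolvers your ISP or you actually configured.

```python
"""Audit the DNS servers a DHCP OFFER hands out (DHCP option 6).

Added example, not from the article or from any vendor. A compromised
router's DHCP server can push attacker-controlled resolvers to every
client on the LAN; this parses an OFFER and reports resolvers that are
neither the router itself nor explicitly allowlisted.
"""
import ipaddress
import struct

BOOTP_HEADER_LEN = 236                 # fixed BOOTP fields precede the options
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} for a DHCP packet (BOOTP header + options)."""
    if len(packet) < BOOTP_HEADER_LEN + 4:
        raise ValueError("packet too short for a DHCP message")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        # RFC 3396: a repeated option is the concatenation of its values
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def addresses(raw: bytes) -> list[ipaddress.IPv4Address]:
    """Decode a list of 4-byte IPv4 addresses (the encoding used by options 3 and 6)."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [ipaddress.IPv4Address(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def audit_offer(packet: bytes, allowed_resolvers: set[str]) -> dict:
    """Flag DNS servers in a DHCP OFFER/ACK that are not the router or allowlisted.

    The router's own address is accepted because most home routers forward
    DNS for their clients. Everything else, public or private, is reported
    for a human to review, since ISPs legitimately hand out public resolvers
    and only the owner knows which ones were chosen on purpose.
    """
    opts = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    routers = addresses(opts.get(OPT_ROUTER, b""))
    dns = addresses(opts.get(OPT_DNS, b""))
    allowed = {ipaddress.IPv4Address(a) for a in allowed_resolvers} | set(routers)
    return {
        "message_type": msg_type,
        "routers": [str(r) for r in routers],
        "dns_servers": [str(d) for d in dns],
        "suspicious_dns": [str(d) for d in dns if d not in allowed],
    }


def build_offer(router: str, dns: list[str]) -> bytes:
    """Construct a minimal DHCP OFFER for testing (sample data, not a real capture)."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 2                                   # op = BOOTREPLY
    header[1], header[2] = 1, 6                     # htype Ethernet, hlen 6
    struct.pack_into("!I", header, 4, 0x12345678)   # transaction id (arbitrary)
    body = bytes(header) + DHCP_MAGIC_COOKIE
    body += bytes([OPT_MSG_TYPE, 1, 2])             # message type = OFFER
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    packed_dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    body += bytes([OPT_DNS, len(packed_dns)]) + packed_dns
    return body + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed sample: a router that normally forwards DNS itself now also
    # hands out a public address the owner never configured (TEST-NET-3 range).
    offer = build_offer("192.168.1.1", ["192.168.1.1", "203.0.113.53"])
    print(audit_offer(offer, allowed_resolvers={"1.1.1.1", "9.9.9.9"}))
```

To run this against a real network, capture the OFFER or ACK the router sends to a client (for example with a packet capture on UDP port 68) and pass its bytes, starting at the BOOTP header, to `audit_offer`. Checking what the router advertises is only half the review the article recommends; the resolvers a workstation actually uses can still differ if something on the host changed them, so compare both against the same allowlist.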
The recent discovery of APT28's latest cyber operation serves as a stark reminder of the ongoing threat landscape and the need for individuals and organizations to remain vigilant in protecting themselves against sophisticated cyber attacks.
Related Information:
https://www.digitaleventhorizon.com/articles/Russias-Latest-Cyber-Operation-Hijacking-Home-Routers-to-Spy-on-Targets-deh.shtml
https://arstechnica.com/security/2026/04/russias-military-hacks-thousands-of-consumer-routers-to-steal-credentials/
https://techcrunch.com/2026/04/07/russian-government-hackers-broke-into-thousands-of-home-routers-to-steal-passwords/
Published: Wed Apr 8 08:09:32 2026 by llama3.2 3B Q4_K_M