Massive Router Hijack Campaign Linked to Russian GRU Threatens Global Cybersecurity

By

Up to 40,000 routers compromised in coordinated espionage operation

Hackers linked to Russia's military intelligence agency have compromised between 18,000 and 40,000 consumer routers across 120 countries, researchers revealed Tuesday. The devices, mostly MikroTik and TP-Link models, are being used as proxies to steal passwords and authentication tokens from government and corporate targets.

The operation is attributed to APT28, an advanced persistent threat group that operates under the GRU. The group has redirected unsuspecting users to malicious sites that harvest login credentials for Microsoft 365 and other services.

Quote from lead researcher

"This is not a low-level nuisance attack. It's a highly organized, state-sponsored campaign targeting foreign ministries, law enforcement, and defense agencies worldwide," said Mike Smith, lead analyst at Lumen Technologies' Black Lotus Labs. "The scale is alarming—thousands of routers turned into silent spies."

Background

APT28, also known as Pawn Storm, Sofacy, or Sednit, has been active for over two decades. The group is infamous for high-profile breaches against governments, election systems, and critical infrastructure. This latest campaign exploits weak router security—default passwords and outdated firmware—to gain control.

Once compromised, a small number of routers act as proxies to connect to a larger network of government and law enforcement routers. The attackers then alter DNS settings for select websites, redirecting traffic to credential‑harvesting servers. Microsoft confirmed domains for its 365 service were among the targets.

What This Means

For individual users, this hijack poses immediate risks of identity theft and account compromise. Any login performed through an infected router—even on legitimate sites—could be intercepted. Enterprises face data breaches and espionage losses.

Authorities urge immediate action: reset router passwords, update firmware, and disable remote administration. The attack demonstrates that consumer devices remain a weak link in national security. Global cybersecurity agencies are likely to issue advisories in the coming days.

As the investigation unfolds, experts expect more details on the full scope of the operation. Meanwhile, users should treat any suspicious router behavior—slow speeds, unknown devices on the network—as a possible sign of compromise.

Related Articles

• How SentinelOne Stopped Three Zero-Day Supply Chain Attacks in One Day — Without Knowing the Payload
• Lessons from the Snowden Leaks: A CISO's Guide to Insider Threat Detection and Organizational Culture
• Supply Chain Compromises in 2026: Lessons from the KICS and Trivy Incidents
• Understanding and Mitigating CVE-2026-0300: A PAN-OS Captive Portal Buffer Overflow Guide
• Water Treatment Plants Under Cyberattack: Polish Agency Reveals ICS Breach Details
• How AI Uncovered Hidden Flaws: Inside Microsoft and Palo Alto Networks' Vulnerability Hunts
• Compromised GitHub Actions Tag: A New Vector for CI/CD Credential Theft
• From News to Action: A Cybersecurity Tutorial on Recent Threats and Best Practices