this post was submitted on 08 Apr 2026
21 points (83.9% liked)

Technology

83600 readers
3073 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
21
Thousands of consumer routers hacked by Russia’s military (arstechnica.com)
submitted 1 hour ago by tharien@lemmy.world to c/technology@lemmy.world
5 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.world/post/45350334

#Thousands of consumer routers hacked by Russia’s military

##End-of-life routers in homes and small offices hacked in 120 countries.

The Russian military is once again hacking home and small office routers in widespread operations that send unwitting users to sites that harvest passwords and credential tokens for use in espionage campaigns, researchers said Tuesday.

An estimated 18,000 to 40,000 consumer routers, mostly those made by MikroTik and TP-Link, located in 120 countries, were wrangled into infrastructure belonging to APT28, an advanced threat group that’s part of Russia’s military intelligence agency known as the GRU, researchers from Lumen Technologies’ Black Lotus Labs said. The threat group has operated for at least two decades and is behind dozens of high-profile hacks targeting governments worldwide. APT28 is also tracked under names including Pawn Storm, Sofacy Group, Sednit, Tsar Team, Forest Blizzard, and STRONTIUM.

###Technical sophistication, tried-and-true techniques

A small number of routers were used as proxies to connect to a much larger number of other routers belonging to foreign ministries, law enforcement, and government agencies that APT28 wanted to spy on. The group then used its control of routers to change DNS lookups for select websites, including, Microsoft said, domains for the company’s 365 service.

“Known for blending cutting-edge tools such as the large language model (LLM) ‘LAMEHUG’ with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders,” Black Lotus researchers wrote. “Their previous and current campaigns highlight both their technological sophistication and their willingness to revisit classic attack methods even after public exposure, underscoring the ongoing risk posed by this actor to organizations worldwide.”

To hijack the routers, the attackers exploited older models that hadn’t been patched against known security vulnerabilities. They then changed DNS settings for select domains and used the Dynamic Host Configuration Protocol to propagate them to router-connected workstations. When connected devices visited the selected domains, their connections were proxied through malicious servers before reaching their intended destination.

These adversary-in-the-middle servers used self-signed certificates. When the end user clicked through browser warnings, the servers captured all traffic passing through them. Among other things, they collected OAuth tokens and other credentials set after users, unaware their connections were being tapped, completed multifactor authentication.

The operation began in May 2025 on a limited number of devices. Then, in August, Britain’s National Cyber Security Center released an alert that documented a malware campaign a threat group was using to “intercept and exfiltrate Microsoft Office account credentials and tokens.” The following day, the threat group rapidly stepped up the router hijacking, an activity it continued to ramp up in the coming months.

Over a four-week period starting on December 12, Black Lotus observed more than 290,000 distinct IP addresses sending at least one DNS request to the malicious APT28 DNS resolver. “This suggested that as one capability was disclosed, the actor immediately shifted to another to continue acquiring authentication material,” company researchers wrote.

Black Lotus described the methodology this way:

  1. DNS changes were then propagated to the workstations on the adjacent LAN via Dynamic Host Configuration Protocol (DHCP).
  2. The actor operated a DNS server to behave like a typical recursive resolver, but when a targeted Fully Qualified Domain Name (FQDN) was queried, it was configured to provide a record back containing its own IP address instead of the correct address. The only interventions were triggered by domains associated with authentication-related services. If any other domain was requested, traffic passed directly through.
  3. The actor ran a proxy service as the AitM that the end user was directed to via DNS. The only sign of this attack would be a pop-up warning about connecting to an untrusted source because of the “break and inspect.”
  4. If warnings were present and ignored or clicked through, the actor proxied requests to the legitimate services, collecting the data at the midpoint and collecting data associated with the targeted account by passing the valid OAuth token. This allowed the actor to break and inspect traffic and access authentication material such as Oauth tokens after completing the multifactor challenge.

APT28 has a history of hacking routers. In 2018, researchers discovered 500,000 of the devices, mostly located in the US, were infected with malware tracked as VPNFilter. In 2024, the US Justice Department caught the group doing it again.

The easiest way for people to know if their router has been compromised in the operation is to review the current DNS settings to see if they list unrecognized servers. Users should also check event logs for any unrecognized changes to DNS server settings. People should also strongly consider replacing end-of-life routers with ones that receive regular security updates. People should never click through browser alerts warning of untrusted TLS certificates.

Dan Goodin Senior Security Editor

top 5 comments
sorted by: hot top controversial new old
[–] IratePirate@feddit.org 1 points 3 minutes ago

When connected devices visited the selected domains, their connections were proxied through malicious servers before reaching their intended destination.
These adversary-in-the-middle servers used self-signed certificates. When the end user clicked through browser warnings, the servers captured all traffic passing through them.

🙈🙈🙈

We really, really, really need to teach people to read error messages, particularly certificate warnings, and not click "accept" at the drop of a hat.

[–] Sims@lemmy.ml -2 points 1 hour ago (3 children)

A lot of propaganda there. US/Western 'intelligence' and corporate partners are guilty of warmongering, lying to their populations and war-crimes.

[–] Brewchin@lemmy.world 1 points 5 minutes ago

That's whataboutery, no? "X did a bad thing." "What about Y doing the same/similar things?"

Both can be true at the same time. Whataboutery only serves to distract from the original point.

[–] Willoughby@piefed.world 1 points 23 minutes ago

Everyone sucks, build your own router or depend on the enshitty options at your local ScamN'Shop.

what about the average consumer?

He's fucked.

[–] HowRu68@lemmy.world 2 points 1 hour ago* (last edited 1 hour ago)

I don't think it's propaganda, Ruzzians can hack too.