Skip to main content
Emerging ThreatsMalware & Ransomware

APT28 Hijacks SOHO Routers in Global DNS Espionage Push

Globe centered on Eastern Europe and Asia with a laptop screen displaying a world map in the foreground.

What happens when the small box under your desk becomes a weapon in a state-linked espionage campaign? Reported by The Hacker News, a Russia-linked threat actor known as APT28 (also called Forest Blizzard) has been tied to a broad operation that turns insecure home and small-office routers into malicious infrastructure.

The core facts: compromised SOHO routers and DNS manipulation

The Hacker News reports that APT28 has exploited insecure MikroTik and TP-Link routers and altered their settings so the devices operate under the actor’s control. The activity has been described as a global DNS hijacking campaign that weaponizes SOHO (small office/home office) routers. According to the report, the large-scale exploitation has been active as part of a cyber espionage campaign since at least May 2025.

What the actor did and why it matters

By modifying router settings, the actor converts otherwise benign devices into malicious infrastructure. The Hacker News account frames this both as manipulation of DNS behavior and as an espionage tool. Those are simple, consequential facts: compromised routers are no longer transparent pipes for users’ traffic but components controlled by an outside party.

Stakeholder perspectives

  • Technologists: The incident underscores risks associated with insecure consumer-grade networking equipment—specifically the models named in the report, MikroTik and TP-Link—and the potential for widespread device compromise to be used as a persistent platform for malicious activity.
  • Policymakers and regulators: A large-scale operation that alters DNS at the edge raises questions about supply-chain and device-security standards, and about responsibilities for securing internet endpoints used in homes and small businesses.
  • Users and small organizations: As reported, owners of insecure routers may find their devices altered without their knowledge and repurposed into malicious infrastructure, exposing them to privacy breaches or service manipulation.
  • Adversaries: For an intelligence-focused actor, converting widely-deployed routers into infrastructure creates a distributed, stealthy foothold that can support a range of espionage objectives.

Looking ahead

The facts reported are stark and narrow: a Russia-linked actor, APT28 (aka Forest Blizzard), has exploited insecure MikroTik and TP-Link SOHO routers, changed their settings to seize control, and used them in a DNS hijacking campaign tied to cyber espionage since at least May 2025. The episode raises a straightforward question for anyone who connects to the internet through a consumer router: if the device meant to carry your traffic can be repurposed at scale, what practical steps will manufacturers, experts, and users take to stop the next campaign?

https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html