Russian state-sponsored threat actor APT28 has been exploiting vulnerabilities in small office/home office (SOHO) routers, specifically MikroTik and TP-Link models, since at least May 2025, as part of a global DNS hijacking campaign. The attackers have been modifying the router settings to repurpose them as malicious infrastructure, enabling cyber espionage activities. This campaign highlights the shift in threat models from traditional criminal activity to state-aligned operations, which require a distinct approach to mitigation. The exploitation of SOHO routers underscores the importance of securing often-overlooked network devices, particularly in the face of sophisticated nation-state threats. The involvement of APT28, also known as Forest Blizzard, suggests a high level of sophistication and resources behind the campaign [1]. This matters to security practitioners because state-sponsored attacks like these demand a unique set of countermeasures, given their geopolitical motivations and potential for widespread disruption.
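One way to audit a router for the kind of settings change described above, as an added example that is not part of the original report. It assumes the change shows up as an unexpected resolver in a MikroTik RouterOS `/export`; the function name, approved-resolver list, LAN default and sample export are constructed for illustration.

```python
import ipaddress
import re

# RouterOS menus and the setting in each that decides which resolver clients use.
WATCHED = {"/ip dns": "servers", "/ip dhcp-server network": "dns-server"}

# Constructed sample export; all addresses are documentation or default-LAN values.
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes servers=198.51.100.10,203.0.113.53
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,203.0.113.53 \
    gateway=192.168.88.1
"""
APPROVED = ["198.51.100.10"]  # assumption: the resolver the operator configured


def audit_dns_settings(export_text, approved, lan="192.168.88.0/24"):
    """Return (menu, setting, value) for each resolver that is neither approved nor on the LAN."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    lan_net = ipaddress.ip_network(lan)
    # RouterOS wraps long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    findings, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # "/ip dns" opens a menu; "/ip dns set ..." is the one-line form.
            m = re.match(r"(/.*?)(?:\s+(?:set|add)\b(.*))?$", line)
            menu, line = m.group(1), m.group(2) or ""
        key = WATCHED.get(menu)
        m = re.search(rf"(?:^|\s){key}=(\"[^\"]*\"|\S+)", line) if key else None
        if not m:
            continue
        for value in filter(None, m.group(1).strip('"').split(",")):
            try:
                ip = ipaddress.ip_address(value)
                ok = ip in approved_ips or ip in lan_net
            except ValueError:
                ok = False  # not an IP address at all: report it
            if not ok:
                findings.append((menu, key, value))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_settings(SAMPLE_EXPORT, APPROVED):
        print("unexpected resolver:", *finding)
```

Run it against a fresh export on a schedule and alert on any finding; a resolver pushed to clients through the DHCP network entry is as significant as one set on the router itself.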