ONE Sentinel

Security / Threats / Severity: High

Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Source: The Hacker News
April 7, 2026

EXECUTIVE SUMMARY

APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Summary

The article discusses a cyber espionage campaign by the Russian state-linked group APT28, targeting MikroTik and TP-Link routers. The campaign involves modifying router settings to facilitate DNS hijacking, turning these devices into malicious infrastructure.

Key Points

  • APT28, also known as Forest Blizzard, is linked to the Russian state.
  • The campaign targets insecure MikroTik and TP-Link routers.
  • Router settings are modified to enable DNS hijacking.
  • The campaign has been active since at least May 2025.
  • The exploitation is part of a broader cyber espionage effort.

Analysis

The significance of this campaign lies in its potential impact on global internet infrastructure, as compromised routers can be used to redirect traffic and intercept sensitive information. The involvement of a state-linked actor like APT28 underscores the geopolitical dimensions of cybersecurity threats, emphasizing the need for robust security measures for SOHO routers.

Conclusion

IT professionals should prioritize securing SOHO routers by applying the latest firmware updates and implementing strong authentication measures to prevent unauthorized access and mitigate the risks of DNS hijacking.
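One concrete check that follows from the campaign described above is to audit which resolvers a router is handing out to LAN hosts, since DNS hijacking of this kind works by changing exactly that setting. The following is an added example written for this summary, not code from The Hacker News or from any vendor; the LAN prefix, the allow-list of expected resolvers and the resolv.conf text are all constructed sample values.

```python
import ipaddress
import re

# Constructed sample: the resolver list a LAN host received from the router via
# DHCP, in resolv.conf form. The second entry is not one the administrator expects.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client (constructed sample)
search home.lan
nameserver 192.168.88.1
nameserver 203.0.113.45
"""

# Assumed values: the router's LAN prefix and the resolvers it is expected to
# hand out (its own LAN address plus the ISP's or organisation's resolvers).
LAN_NETWORK = ipaddress.ip_network("192.168.88.0/24")
EXPECTED_RESOLVERS = {"192.168.88.1", "198.51.100.10", "198.51.100.11"}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def audit_resolvers(servers, expected, lan_network):
    """Flag every resolver that is not on the allow-list.

    A resolver outside the LAN that nobody configured is the classic sign of a
    router whose DNS settings were changed to point clients at attacker
    infrastructure; an unexpected LAN address is reported separately so an
    administrator can tell the two cases apart.
    """
    findings = []
    for server in servers:
        if server in expected:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "not an IP address"))
            continue
        if ip in lan_network:
            findings.append((server, "unexpected resolver on LAN"))
        else:
            findings.append((server, "unexpected resolver outside LAN (possible DNS hijack)"))
    return findings
```

Run this against the resolver list on a host behind the router, or against the router's own DHCP/DNS configuration exported as text, and treat any "outside LAN" finding as a prompt to verify the router's DNS settings and firmware.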