Russia's GRU APT28 Hacks 18,000+ Consumer Routers, Redirects Traffic for Espionage
APT28, the threat group attributed to Russia's military intelligence service (the GRU), has commandeered tens of thousands of consumer routers and is using them to redirect unsuspecting users to credential-harvesting sites. Researchers from Lumen Technologies' Black Lotus Labs report that between 18,000 and 40,000 routers, primarily MikroTik and TP-Link devices, have been compromised across 120 countries. The hijacked routers now form part of a broad espionage campaign, funneling victim traffic to servers controlled by the GRU-linked group.
The operation combines well-established router-compromise techniques with more targeted tradecraft. A small subset of the compromised routers is also used as proxies, giving the group a relay layer through which it reaches other devices, including ones belonging to foreign ministries. Routing activity through ordinary home routers lets APT28 (also tracked as Pawn Storm, Sofacy Group, and Forest Blizzard) hide the origin of its traffic while targeting high-value entities. The group, with a two-decade record of high-profile intrusions into government networks, is treating these hijacked home and small-office devices as a foundational layer for its intelligence-gathering operations.
The scale and geographic spread of the compromise point to a persistent, low-cost strategy by Russian military intelligence: rather than standing up its own servers, it builds global surveillance and attack infrastructure out of other people's hardware. Exploiting widely deployed consumer routers gives APT28 a network that is both resilient (losing any one device costs little) and deniable (the traffic appears to originate from unrelated home users in many countries), and that threatens both individual privacy and the confidentiality of governmental and diplomatic communications. The campaign underscores the ongoing risk posed by unmanaged, rarely patched consumer network devices being co-opted for state-level espionage.