APT28 Exploits MikroTik & TP-Link Routers in DNS Hijacking
- APT28 is actively compromising SOHO routers globally for DNS hijacking and espionage.
- Insecure MikroTik and TP-Link SOHO routers are being targeted and controlled.
- Implement immediate patching and robust security configurations on SOHO devices.
Russian State-Linked APT28 Leverages SOHO Routers for Global DNS Hijacking
The Russia-linked advanced persistent threat (APT) actor known as APT28, also tracked as Forest Blizzard, has initiated a widespread campaign targeting insecure Small Office/Home Office (SOHO) routers. Since at least May 2025, this sophisticated group has been exploiting vulnerabilities in MikroTik and TP-Link routers to establish malicious infrastructure for cyber espionage, primarily through DNS hijacking. This campaign represents a significant threat to organizational security, as compromised routers can serve as persistent footholds and redirect traffic, potentially leading to data exfiltration or further network compromise.
According to The Hacker News, the operation involves modifying router settings to turn legitimate devices into controlled assets, highlighting a persistent focus by state-sponsored actors on less-secured edge infrastructure. Understanding and mitigating these sophisticated TTPs is paramount for defenders.
Technical Analysis: The APT28 Campaign
Targeted Devices and Exploitation Vector
APT28’s campaign specifically targets MikroTik and TP-Link SOHO routers, which are prevalent in smaller businesses and home offices due to their cost-effectiveness and ease of deployment. The source indicates the exploitation focuses on “insecure” routers, implying that the initial access likely leverages known vulnerabilities, default credentials, or weak configurations. While the specific CVEs exploited are not detailed in the available information, the success of such a large-scale operation suggests the use of readily available exploits for unpatched systems or brute-force attacks against weak authentication mechanisms. Once compromised, these routers are configured to act as command-and-control (C2) infrastructure or to facilitate further attacks.
DNS Hijacking Mechanisms and Objectives
The primary objective of this campaign is DNS hijacking. By altering the DNS settings on compromised routers, APT28 can redirect network traffic from legitimate destinations to attacker-controlled servers. This allows the threat actor to intercept communications, serve malicious content, or phish credentials without the victim’s knowledge. The deployment of this technique as part of a cyber espionage campaign suggests an intent to gather sensitive information from targeted organizations or individuals. The persistent nature of DNS hijacking makes it a potent tool for long-term intelligence gathering, bypassing many traditional network security controls.
TTPs and Indicators of Compromise
APT28’s operational methods in this campaign align with its established reputation for stealth and persistence. Organizations should be vigilant for the following indicators:
- Unexpected DNS Server Changes: Unauthorized alterations to DNS server configurations on MikroTik or TP-Link routers.
- Outbound Connections to Suspicious IPs: Routers initiating connections to known APT28 infrastructure or unusual IP addresses.
- Unusual Traffic Patterns: Increases in encrypted traffic or traffic directed to unusual ports from SOHO devices.
- Router Configuration Drift: Unexplained changes in router firmware, rules, or user accounts.
Security teams can detect this kind of router compromise by recording a known-good baseline of each device's configuration (DNS resolvers, enabled services, user accounts, firewall rules) and alerting on any deviation from it.
Recommendations and Mitigation Strategies
Addressing this threat requires immediate action, focusing on both proactive security measures and reactive incident response capabilities.
Securing SOHO Routers to Prevent DNS Hijacking
To prevent DNS hijacking on MikroTik and TP-Link routers, organizations must prioritize the following:
- Patch and Update Regularly: Ensure all SOHO routers run the latest firmware to address known vulnerabilities. This is the single most critical step.
- Strong, Unique Passwords: Replace all default administrative credentials with complex, unique passwords. Enable two-factor authentication if available.
- Disable Unused Services: Turn off remote management interfaces and other services not essential for operations.
- Network Segmentation: Isolate SOHO devices on a separate network segment to limit potential lateral movement if compromised.
- DNS over HTTPS/TLS (DoH/DoT): Where supported, implement DoH/DoT to encrypt DNS queries, making hijacking more difficult. Configure it on the endpoints rather than only on the router: a compromised router controls its own upstream resolver setting, so encryption between the router and an attacker-chosen upstream protects nothing.
- Verify DNS Settings: Regularly check router DNS configurations to ensure they point to trusted, legitimate DNS resolvers.
- Review Logs: Implement centralized logging for router activity and regularly review logs for suspicious changes or access attempts.
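The baseline-and-deviation check described above (and the "Verify DNS Settings" item) can be automated. The following is an added example, not code from the article or from either vendor: it parses two constructed configuration exports written in the general shape of a RouterOS `/ip dns set ...` line, compares the configured resolvers against an approved list, and reports any lines that drifted from the baseline. The export text, the approved resolver set and the `203.0.113.77` address are all constructed sample values, and the parser is an assumption about export layout, not a parser for a vendor's real format.

```python
"""Detect DNS-resolver drift in router configuration exports.

Added example, not from the article. The export format mirrors the general
shape of a RouterOS-style '/ip dns set' line, but every value below is a
constructed sample, and the parser is an assumption about export layout.
"""
import ipaddress
import re

# Resolvers the organization has approved (constructed sample values).
APPROVED_RESOLVERS = {"192.168.88.1", "9.9.9.9", "149.112.112.112"}

# Constructed baseline export captured while the device was known-good.
BASELINE_EXPORT = """\
/ip dns set servers=9.9.9.9,149.112.112.112 allow-remote-requests=no
/ip service disable telnet,ftp,www
/user add name=netops group=full
"""

# Constructed later export: one resolver was swapped for an unapproved
# address, the router now answers DNS for remote clients, and an account
# that is not in the baseline has appeared.
CURRENT_EXPORT = """\
/ip dns set servers=9.9.9.9,203.0.113.77 allow-remote-requests=yes
/ip service disable telnet,ftp,www
/user add name=netops group=full
/user add name=support group=full
"""

DNS_LINE = re.compile(r"^/ip dns set\s+(?P<kv>.*)$")


def parse_dns_settings(export):
    """Return the key=value pairs of the first '/ip dns set' line as a dict."""
    for line in export.splitlines():
        m = DNS_LINE.match(line.strip())
        if m:
            return dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {}


def dns_servers(export):
    """List the configured resolver addresses, in export order."""
    raw = parse_dns_settings(export).get("servers", "")
    return [s for s in raw.split(",") if s]


def dns_findings(baseline, current, approved=APPROVED_RESOLVERS):
    """Findings about the current DNS configuration relative to baseline and policy."""
    findings = []
    base_servers = dns_servers(baseline)
    cur_servers = dns_servers(current)
    for server in cur_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"non-IP resolver value: {server!r}")
            continue
        if server not in approved:
            findings.append(f"unapproved resolver: {server}")
    if set(cur_servers) != set(base_servers):
        findings.append(f"resolver list changed: {base_servers} -> {cur_servers}")
    if parse_dns_settings(current).get("allow-remote-requests") == "yes":
        findings.append("router answers DNS for remote clients (open resolver)")
    return findings


def config_drift(baseline, current):
    """(added_lines, removed_lines) relative to the baseline, ignoring order."""
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    cur = {l.strip() for l in current.splitlines() if l.strip()}
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    for finding in dns_findings(BASELINE_EXPORT, CURRENT_EXPORT):
        print("DNS:", finding)
    added, removed = config_drift(BASELINE_EXPORT, CURRENT_EXPORT)
    for line in added:
        print("ADDED  :", line)
    for line in removed:
        print("REMOVED:", line)
```

Running the exports through a scheduled job (pull the export over an authenticated management channel, diff against the stored baseline, forward findings to the SIEM) turns the "regularly check" recommendation into an alert rather than a manual review; the resolver allowlist is what separates a legitimate change by an administrator from a hijack.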
Monitoring for Suspicious Activity
Because a hijacked router can persist for months without disrupting service, continuous monitoring is essential:
- SIEM Integration: Ingest router logs into a Security Information and Event Management (SIEM) system for centralized analysis and alert generation.
- EDR for Connected Endpoints: Deploy Endpoint Detection and Response (EDR) solutions on devices connected to SOHO networks to detect anomalies that might signal a router compromise, such as unexpected redirects or certificate warnings.
- Threat Intelligence Feeds: Integrate APT28 specific IoCs into monitoring systems to identify potential communication with known malicious infrastructure.
- Zero Trust Principles: Adopt a Zero Trust approach, assuming no device or user can be implicitly trusted, even within the network perimeter.
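The SIEM and threat-intelligence items above come down to rules run over router logs. The following added example (not code from the article) triages a handful of constructed syslog lines written loosely in the RouterOS "topics message" style: it flags administrative logins from outside the management subnet or over cleartext services, DNS configuration changes, and outbound connections to addresses on an indicator list, and it escalates a DNS change made by a user whose login was already suspicious. The log lines, the `192.168.88.0/24` management subnet and the indicator addresses (TEST-NET placeholders, not real APT28 infrastructure) are all constructed; a deployment would load indicators from a threat-intelligence feed.

```python
"""Rule-based triage of router syslog lines.

Added example, not from the article. Log lines are constructed in a loose
RouterOS 'topics message' style; the indicator addresses are TEST-NET
placeholders standing in for a threat-intelligence feed.
"""
import ipaddress
import re

# Placeholder indicators (constructed, TEST-NET ranges).
IOC_IPS = {"203.0.113.77", "198.51.100.9"}
# Subnet from which administrative logins are expected (constructed).
MGMT_NET = ipaddress.ip_network("192.168.88.0/24")
# Services that carry credentials in cleartext if reachable at all.
CLEARTEXT_SERVICES = {"www", "telnet", "ftp"}

# Constructed sample log lines.
SAMPLE_LOGS = """\
Jun 02 01:12:04 rtr1 system,info,account user admin logged in from 192.168.88.10 via winbox
Jun 02 01:13:51 rtr1 system,info,account user admin logged in from 203.0.113.77 via www
Jun 02 01:14:02 rtr1 system,info dns settings changed by admin
Jun 02 01:14:30 rtr1 firewall,info out: proto TCP, 192.168.88.1:51312->198.51.100.9:443
Jun 02 01:20:00 rtr1 system,info,account user netops logged in from 192.168.88.20 via ssh
"""

LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>[\d.]+) via (?P<svc>\S+)")
DNS_RE = re.compile(r"\bdns (settings )?changed by (?P<user>\S+)")
CONN_RE = re.compile(r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<port>\d+)")


def triage_line(line):
    """Return (kind, actor, detail) tuples for everything suspicious in one line."""
    alerts = []
    m = LOGIN_RE.search(line)
    if m:
        src = ipaddress.ip_address(m.group("src"))
        if src not in MGMT_NET:
            alerts.append(("ADMIN_LOGIN_OUTSIDE_MGMT", m.group("user"), str(src)))
        if m.group("svc") in CLEARTEXT_SERVICES:
            alerts.append(("ADMIN_LOGIN_CLEARTEXT_SERVICE", m.group("user"), m.group("svc")))
    m = DNS_RE.search(line)
    if m:
        alerts.append(("DNS_CONFIG_CHANGED", m.group("user"), ""))
    m = CONN_RE.search(line)
    if m and m.group("dst") in IOC_IPS:
        alerts.append(("OUTBOUND_TO_IOC", m.group("src"), m.group("dst")))
    return alerts


def triage(log_text):
    """Triage a whole log, correlating DNS changes with earlier suspicious logins."""
    results = []
    suspicious_users = set()
    for line in log_text.splitlines():
        for kind, actor, _detail in triage_line(line):
            results.append((kind, line))
            if kind == "ADMIN_LOGIN_OUTSIDE_MGMT":
                suspicious_users.add(actor)
            # A DNS change by an account that just logged in from an unexpected
            # source is the hijack pattern itself, so escalate it separately.
            if kind == "DNS_CONFIG_CHANGED" and actor in suspicious_users:
                results.append(("DNS_CHANGE_AFTER_SUSPICIOUS_LOGIN", line))
    return results


def alert_kinds(log_text):
    """Just the alert names, in the order they fired."""
    return [kind for kind, _line in triage(log_text)]


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOGS):
        print(f"{kind:34} {line}")
```

The same rules translate directly into SIEM correlation searches; the correlation step matters because a DNS change on its own is routine maintenance, while a DNS change minutes after an administrative login from an unexpected source is the sequence the recommendations above are trying to catch.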
By implementing these measures, security teams can significantly reduce the attack surface and bolster their defenses against sophisticated state-sponsored threats like APT28.