Russian APT28 Hijacks Home and Small Office Routers for Global Espionage Campaign
What Happened — A Russian state‑sponsored group (APT28/Fancy Bear) compromised thousands of SOHO routers, notably TP‑Link models, by exploiting an unauthenticated firmware flaw. The attackers rewrote DNS settings, routing traffic through servers they control to harvest credentials, intercept Microsoft 365 traffic, and collect browsing data. Microsoft reports over 200 organizations and 5,000 consumer devices are already affected.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Router compromise creates a persistent, network‑level foothold that bypasses traditional endpoint security.
- Credential theft and traffic interception can expose sensitive data of your partners, customers, and supply‑chain contacts.
- The attack vector exploits weak default configurations, highlighting the need for rigorous hardware‑security vetting.
Who Is Affected — Government agencies, critical‑infrastructure operators, small‑business vendors, and individual consumers using vulnerable SOHO routers.
Recommended Actions —
- Inventory all third‑party networking equipment and verify firmware versions.
- Enforce strong, unique router admin passwords and disable remote management.
- Apply vendor patches immediately; replace unsupported models.
- Monitor DNS traffic for anomalous redirection and implement DNSSEC where possible.
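One way to operationalize the DNS‑monitoring action above, as an added example rather than anything from the article or its source: compare the answers clients receive through the router's resolver against a baseline of prefixes obtained from a trusted, out‑of‑band resolver, and alert on anything outside it. All hostnames, prefixes and observations are constructed sample data; the `example-tenant.test` names and the baseline prefixes are assumptions.

```python
# Added example (not from the article or Malwarebytes): flag DNS answers that
# point monitored hostnames at networks outside a trusted baseline. All
# hostnames, prefixes and observations below are constructed sample data.
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed baseline: prefixes a trusted out-of-band resolver returns for each
# monitored hostname. CDNs and geo-DNS rotate addresses, so baseline prefixes,
# not single IPs, to keep false positives down.
EXPECTED_PREFIXES: Dict[str, List[str]] = {
    "login.example-tenant.test": ["203.0.113.0/24", "2001:db8:1::/48"],
    "mail.example-tenant.test": ["198.51.100.0/25"],
}

# Constructed observations (client, hostname, answer) as a passive DNS sensor
# on the LAN side of the router would record them.
OBSERVED: List[Tuple[str, str, str]] = [
    ("10.0.0.12", "login.example-tenant.test", "203.0.113.77"),
    ("10.0.0.12", "mail.example-tenant.test", "198.51.100.9"),
    ("10.0.0.31", "login.example-tenant.test", "192.0.2.44"),  # off-baseline
    ("10.0.0.31", "unmonitored.test", "192.0.2.45"),           # no baseline
]


def answer_is_expected(hostname: str, answer: str,
                       expected: Dict[str, List[str]] = EXPECTED_PREFIXES) -> bool:
    """True when the answer lies inside a prefix baselined for the hostname.
    Hosts with no baseline pass (nothing to judge); unparseable answers fail
    so they surface for review instead of being silently dropped."""
    prefixes = expected.get(hostname.lower().rstrip("."))
    if prefixes is None:
        return True
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    # Membership across address families evaluates to False, not an error.
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def find_redirections(observed: Iterable[Tuple[str, str, str]],
                      expected: Dict[str, List[str]] = EXPECTED_PREFIXES,
                      ) -> List[Tuple[str, str, str]]:
    """Return every observation whose answer falls outside the baseline."""
    return [rec for rec in observed
            if not answer_is_expected(rec[1], rec[2], expected)]


if __name__ == "__main__":
    for client, host, answer in find_redirections(OBSERVED):
        print(f"ALERT {client} resolved {host} to {answer} (outside baseline)")
```

A single client whose answers drift off the baseline while its neighbours stay on it points at that client's resolver settings; every client drifting at once points at the router or its upstream resolver, which is the pattern described for this campaign.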
Technical Notes — The campaign leverages a CVE‑like vulnerability in TP‑Link WR841N (and related models) that allows unauthenticated HTTP GET requests to retrieve admin credentials and alter DNS settings. Attackers then use the hijacked DNS to conduct credential harvesting and man‑in‑the‑middle (MITM) interception of TLS‑protected traffic.
Source: Malwarebytes Labs