Russia's Forest Blizzard Captures Numerous Login Credentials Through SOHO Routers

A Russian espionage group has been covertly monitoring Internet traffic from various global targets for over a year, utilizing known vulnerabilities in neglected and Internet-exposed small office/home office (SOHO) routers. The victims include foreign affairs ministries and national law enforcement agencies in regions such as North Africa, Central America, and Southeast Asia, along with a national identity platform and several third-party service providers in Europe, as well as targets in 23 states across the United States.

One might assume that international cyber espionage demands extensive resources and advanced tools, such as sophisticated malware or zero-day exploits. However, APT28, also known as Fancy Bear or Forest Blizzard, along with its subgroup Storm-2754, has demonstrated that this is not necessarily true.

Since at least May 2025, if not earlier, this group, affiliated with Russia's Main Directorate of the General Staff of the Armed Forces (GRU), has been intercepting Internet traffic from high-value organizations worldwide by exploiting outdated vulnerabilities in edge devices, mainly MikroTik and TP-Link routers. They have reconfigured these devices to redirect traffic through malicious virtual private servers (VPS). Researchers from Lumen's Black Lotus Labs and Microsoft have noted that this low-effort initiative has enabled the threat actors to effectively monitor Web traffic and continuously gather credentials for email and Web services.

On April 7, the United States Department of Justice announced a significant disruption initiative named "Operation Masquerade," aimed at countering APT28's activities that have affected the US. The DOJ revealed that military, governmental, and critical infrastructure sectors had been targeted through compromised routers.

However, the campaign is not confined to the United States. At its peak in December 2025, Black Lotus Labs reported identifying 18,000 unique IP addresses from at least 120 countries that were in communication with the attackers' infrastructure. Microsoft documented over 200 affected organizations and more than 5,000 consumer devices.

Russian Cyber Espionage Via SOHO Routers

The primary focus of APT28 is email espionage. Following its initial high-profile cyberattacks around the 2016 election, the group has targeted email accounts belonging to organizations and individuals of interest to the Russian government. To achieve its objectives, the group continually explores new techniques.

In this recent operation, APT28 primarily utilized SOHO routers from MikroTik and TP-Link, and occasionally firewall products from Nethesis and Fortinet. The hackers exploited known vulnerabilities to gain access to router interfaces. For instance, one vulnerability they searched for was CVE-2023-50224, a medium-severity information disclosure issue affecting TP-Link that does not require authentication to exploit. This vulnerability, which is three years old, enabled the attackers to remotely manage routers and alter their Domain Name System (DNS) settings to reroute traffic through a VPS under their control. Consequently, whenever a user of the compromised router attempted to visit a website, that request would pass through APT28's infrastructure. If the site was of interest to APT28 (such as Microsoft Outlook on the Web), the group would proxy the request, capturing the victim's credentials while they accessed that online service.

"One of the things that piqued my interest: there is no malware," stated Danny Adamitis, principal information security engineer at Black Lotus Labs. "If you were to have your router compromised, even if you scanned it with an endpoint detection and response (EDR) tool or uploaded everything to VirusTotal, there is nothing there. The only action they are taking is modifying a single entry in your DNS settings to direct traffic to a server they control."
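The only footprint described above is a changed DNS entry on the router, so the practical check is to compare what the router's resolver answers with what an independent resolver answers for the webmail hosts a proxy would want to intercept. The script below is an added example, not code from the article, Lumen or Microsoft; the watched host list and the sample answers are constructed, and it flags both a per-host mismatch and the stronger signal of several unrelated hosts collapsing onto one address, which is what a single interception VPS looks like.

```python
"""Spot router-level DNS hijacking by comparing a possibly tampered resolver
(usually the router) against an independent one. Constructed data; offline."""
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], Optional[str]]

# Hosts an adversary-in-the-middle would most want to answer for.
# Assumption for this example, not a list taken from the article.
WATCHED_HOSTS = ["outlook.office.com", "login.microsoftonline.com",
                 "mail.gov.example"]


def system_lookup(host: str) -> Optional[str]:
    """Resolve via the OS resolver, which on a SOHO network is usually the router."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def audit_dns(hosts: List[str], observed: Lookup, trusted: Lookup) -> List[Dict[str, str]]:
    """Return one finding per anomaly. Signal 1: observed answer differs from the
    trusted one (CDN geo-answers can legitimately differ, so treat as a hint).
    Signal 2: unrelated hosts share one observed address while the trusted
    resolver returns distinct ones; that is the proxy-VPS pattern."""
    findings: List[Dict[str, str]] = []
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for host in hosts:
        seen, expected = observed(host), trusted(host)
        if seen is None:
            continue
        by_addr[seen].append(host)
        if seen != expected:
            findings.append({"host": host, "signal": "mismatch",
                             "observed": seen, "trusted": expected or "none"})
    for addr, names in by_addr.items():
        if len(names) > 1 and len({trusted(h) for h in names}) > 1:
            findings.append({"host": ",".join(names), "signal": "shared-destination",
                             "observed": addr, "trusted": "distinct"})
    return findings


# Constructed sample answers (documentation address ranges, not real hosts):
# the hijacked resolver sends two webmail logins to one address.
HIJACKED = {"outlook.office.com": "203.0.113.25",
            "login.microsoftonline.com": "203.0.113.25",
            "mail.gov.example": "198.51.100.7"}
TRUSTED = {"outlook.office.com": "198.51.100.40",
           "login.microsoftonline.com": "198.51.100.41",
           "mail.gov.example": "198.51.100.7"}

if __name__ == "__main__":
    for finding in audit_dns(WATCHED_HOSTS, HIJACKED.get, TRUSTED.get):
        print(finding)
```

To run it against a live network, pass `system_lookup` as `observed` and a lookup bound to a resolver outside the router's control as `trusted`.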

Researchers have differing opinions on when APT28 commenced these activities. Microsoft proposed that it began at least in August of last year, while Black Lotus Labs noted that it identified a compromised router linked to the Afghan government in May. The DOJ's Operation Masquerade press release indicated that the activities could date back to "at least 2024."

Regardless of the exact start date, it was timely. On August 6, 2025, the United Kingdom's National Cyber Security Centre (NCSC) released a report titled "Authentic Antics," which detailed an APT28 malware tool aimed at capturing Microsoft Office credentials and tokens. APT28 may have considered altering its strategies, but it quickly adapted, shifting focus to its new campaign targeting SOHO routers the very next day.

Is DNS a Cyber Risk Problem?

Ryan English, an information security engineer at Lumen Technologies, recommends that organizations transition away from SOHO routers while acknowledging their widespread use. He remarked, "It seems odd that some of these governments targeted by APT28 would utilize small office/home office routers," but he added that "it's a matter of economics, convenience, and access. Some governments may opt for these because they function adequately. However, many of these SOHO routers lack log inspection capabilities, and updating them manually for necessary patches can be challenging. This makes them vulnerable as part of their existence." Residential gateway vulnerabilities are a significant concern in this context.

For Adamitis, APT28's campaign highlights a more significant issue related to one of the Internet's core systems: DNS, which is often a target for APT28.

He illustrated this by comparing it to using Google Maps. When using Google Maps, "I trust that Google can provide the correct directions because that’s how the system is designed to function. You are not independently verifying the route," Adamitis explained.

Similarly, "users trust that DNS can accurately locate their server," he noted. "[However,] APT28 is altering everything behind the scenes. That is why there is so much concern about this situation."

Adamitis suggested that addressing the router aspect of this campaign is manageable: with regular patching and basic cybersecurity practices, whether handled personally or by hiring experts, "there are methods to remain informed about that router ecosystem. However, there is no comparable solution for the DNS environment. DNS is inherently a decentralized system, lacking accountability. When issues arise, it often leads to a scenario where everyone shifts blame onto each other, resembling the Spider-Man meme where everyone points fingers and claims, 'No, it's their fault.'"

"In my opinion, it truly is the Wild West," he concluded.
