Massive Router Hijack Campaign Linked to Russian GRU Threatens Global Cybersecurity

Up to 40,000 routers compromised in coordinated espionage operation

Hackers linked to Russia's military intelligence agency have compromised between 18,000 and 40,000 consumer routers across 120 countries, researchers revealed Tuesday. The devices, mostly MikroTik and TP-Link models, are being used as proxies to steal passwords and authentication tokens from government and corporate targets.

The operation is attributed to APT28, an advanced persistent threat group that operates under the GRU. The group has redirected unsuspecting users to malicious sites that harvest login credentials for Microsoft 365 and other services.

Quote from lead researcher

"This is not a low-level nuisance attack. It's a highly organized, state-sponsored campaign targeting foreign ministries, law enforcement, and defense agencies worldwide," said Mike Smith, lead analyst at Lumen Technologies' Black Lotus Labs. "The scale is alarming—thousands of routers turned into silent spies."

Background

APT28, also known as Pawn Storm, Sofacy, or Sednit, has been active for over two decades. The group is infamous for high-profile breaches against governments, election systems, and critical infrastructure. This latest campaign exploits weak router security—default passwords and outdated firmware—to gain control.

Once compromised, a small number of routers act as proxies to connect to a larger network of government and law enforcement routers. The attackers then alter DNS settings for select websites, redirecting traffic to credential‑harvesting servers. Microsoft confirmed domains for its 365 service were among the targets.

What This Means

For individual users, this hijack poses immediate risks of identity theft and account compromise. Any login performed through an infected router—even on legitimate sites—could be intercepted. Enterprises face data breaches and espionage losses.

Authorities urge immediate action: reset router passwords, update firmware, and disable remote administration. The attack demonstrates that consumer devices remain a weak link in national security. Global cybersecurity agencies are likely to issue advisories in the coming days.

As the investigation unfolds, experts expect more details on the full scope of the operation. Meanwhile, users should treat any suspicious router behavior—slow speeds, unknown devices on the network—as a possible sign of compromise.