Russian GRU hackers hijack TP-Link and MikroTik routers

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

Russian GRU hackers hijack routers belonging to small office and home office users worldwide, exploiting publicly known vulnerabilities to steal Microsoft 365 and Outlook credentials at scale. The campaign, attributed to APT28 (also known as Forest Blizzard, Fancy Bear, and Sofacy), represents a sophisticated espionage operation that transforms ordinary routers into credential-harvesting machines. The UK’s National Cyber Security Centre assessed that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165.

Key Takeaways

  • APT28, a Russian military intelligence unit, compromises TP-Link and MikroTik routers to redirect network traffic through attacker-controlled servers.
  • The attack exploits publicly known vulnerabilities, including CVE-2023-50224 on TP-Link WR841N routers, to gain unauthenticated access.
  • Compromised routers have their DHCP and DNS settings modified to point to attacker IP addresses, affecting all downstream devices.
  • The campaign targets government, military, and critical infrastructure sectors worldwide, with particular focus on Microsoft Outlook credentials.
  • US law enforcement disrupted the US portion of the GRU’s DNS hijacking network in 2026, with reversible impacts on router functionality.

How the Russian GRU hackers hijack routers

The attack chain begins with exploitation of aging router firmware. APT28 leverages CVE-2023-50224, a vulnerability with a CVSS score of 6.5, to gain unauthenticated access to TP-Link WR841N routers through crafted HTTP GET requests. Once inside, attackers modify the router’s DHCP and DNS settings to include actor-controlled IP addresses. Because a router hands these settings to every client via DHCP, the poisoned configuration cascades to laptops, phones, and other devices connected to it, redirecting their traffic through attacker infrastructure. NCSC investigators noted that downstream devices inherited the modified settings, turning a single router compromise into a network-wide threat.

The campaign operates in two distinct clusters. The first directly modifies TP-Link routers’ DHCP and DNS configurations for malicious resolution of targeted domains. The second receives and forwards DNS requests from both MikroTik and TP-Link routers, including interactive operations against Ukraine-based MikroTik installations. This two-pronged approach allows attackers to cast a wide net while maintaining flexibility for high-value targets. Once traffic flows through their servers, attackers conduct adversary-in-the-middle attacks on encrypted connections, harvesting unencrypted passwords, OAuth tokens, emails, and credentials for web services—particularly Microsoft 365 and Outlook Web Access.
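To make the DHCP side of that chain concrete, here is an added defender-side check (example code written for this article, not from the NCSC, Microsoft or any router vendor): it parses the options field of a captured DHCP OFFER/ACK, extracts option 6 (the advertised DNS servers) and flags resolvers that sit outside the LAN and are not on an approved list, which covers the first cluster; `compare_resolutions` covers the forwarding cluster, where the router still advertises its own LAN address, by comparing answers from the router's resolver with answers from an out-of-band trusted resolver. The sample option bytes, the 203.0.113.7 "actor" address and the answer sets are constructed placeholders, not indicators from the campaign.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # fixed 4-byte prefix of the DHCP options field (RFC 2132)

def parse_dhcp_options(options: bytes) -> dict:
    """Parse the options field of a DHCP OFFER/ACK into {option_code: raw_value}."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP options field: magic cookie missing")
    i, parsed = 4, {}
    while i < len(options):
        code = options[i]
        if code == 0:        # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:      # END marker
            break
        length = options[i + 1]
        parsed[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return parsed

def dns_servers(parsed: dict) -> list:
    """Option 6 (Domain Name Server) is a concatenation of 4-byte IPv4 addresses."""
    raw = parsed.get(6, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]

def audit_dns_servers(servers: list, lan: str, trusted: set) -> list:
    """Flag advertised resolvers that are outside the LAN and not on the approved list."""
    lan_net = ipaddress.IPv4Network(lan)
    return [s for s in servers
            if ipaddress.IPv4Address(s) not in lan_net and s not in trusted]

def compare_resolutions(via_router: dict, via_trusted: dict) -> dict:
    """Return domains whose router-provided answers share no address with the answers
    from an out-of-band trusted resolver. CDN-fronted domains legitimately return
    varying addresses, so a mismatch is a prompt to investigate, not proof of hijack."""
    return {d: via_router[d] for d in via_router
            if not via_router[d] & via_trusted.get(d, set())}

# Constructed sample OFFER options: 192.168.0.1 is the gateway; 203.0.113.7 (IANA
# documentation range) stands in for an actor-controlled resolver. Not a real indicator.
SAMPLE_OPTIONS = (MAGIC_COOKIE
    + b"\x35\x01\x02"                              # 53: message type = OFFER
    + b"\x36\x04\xc0\xa8\x00\x01"                  # 54: server identifier 192.168.0.1
    + b"\x03\x04\xc0\xa8\x00\x01"                  # 3: router 192.168.0.1
    + b"\x06\x08\xc0\xa8\x00\x01\xcb\x00\x71\x07"  # 6: DNS 192.168.0.1, 203.0.113.7
    + b"\xff")

def run_sample() -> list:
    """Audit the constructed OFFER; the trusted set is a placeholder approved resolver."""
    parsed = parse_dhcp_options(SAMPLE_OPTIONS)
    return audit_dns_servers(dns_servers(parsed), "192.168.0.0/24", {"9.9.9.9"})

if __name__ == "__main__":
    print("suspicious DNS servers:", run_sample())
```

In practice the options bytes come from a capture of the DHCP exchange on a client (for example the packet payload after the fixed BOOTP header), and the trusted answers from a resolver reached without going through the router.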

Why TP-Link and MikroTik routers are targets

These routers dominate the small office and home office market globally, making them attractive targets for opportunistic campaigns. APT28 begins with indiscriminate compromise of vulnerable devices, then applies automated filtering to identify intelligence targets: military personnel, government officials, critical infrastructure operators. The attackers are not interested in every compromised router—they are hunting for specific organizational domains and user credentials that align with Russian intelligence priorities. TP-Link’s WR841N, a widely deployed budget-friendly model, became a particular focus due to its known vulnerability and widespread deployment in developing economies.

Older Fortinet models and Nethesis firewalls were also targeted alongside TP-Link and MikroTik devices, but the latter two routers formed the backbone of the operation. The Global South saw particular attention, with attackers harvesting government credentials at scale from compromised networks in that region. This geographic focus reflects both the prevalence of these cheap routers in developing nations and the intelligence value of government networks operating with minimal cybersecurity oversight.

The credential theft mechanism and impact

Once a router’s DNS is hijacked, every attempt by downstream devices to reach legitimate services like Outlook Web Access gets intercepted. Microsoft’s threat intelligence team assessed that Forest Blizzard’s DNS hijacking and man-in-the-middle activity allows the actor to conduct DNS collection on sensitive organizations worldwide and is consistent with the actor’s longstanding remit to collect espionage against priority intelligence targets. An attacker sitting between a user and an encrypted login page can harvest the unencrypted credentials sent before encryption is negotiated, or intercept session tokens that grant access to email and cloud services. For government and military personnel using these routers, the compromise exposes not just email but entire organizational networks to Russian intelligence.

The campaign is opportunistic in scale but surgical in targeting. Thousands of TP-Link routers worldwide have been compromised, generating high volumes of DNS requests through attacker infrastructure. Yet the attackers filter this noise to focus on organizations and individuals of intelligence value. A small business owner’s router might be compromised but ignored; a defense ministry official’s router becomes a priority target for credential harvesting.

Law enforcement disruption and remediation

In 2026, the US Department of Justice conducted a court-authorized disruption of the US portion of the GRU’s DNS hijacking network. Rather than seizing routers or destroying data, the operation was designed to be reversible—users could restore functionality via factory reset using the hardware button or by restoring default settings through the web management interface. This approach preserved normal router function and user data while disrupting the attacker’s infrastructure. International law enforcement and private companies also coordinated to disrupt FrostArmada, the APT28 campaign targeting MikroTik and TP-Link routers for Microsoft credentials.

For users concerned about compromise, remediation is straightforward but requires action. A factory reset via the hardware reset button or restoration of default settings through the web interface will purge the malicious DNS and DHCP configurations. However, users should assume any credentials entered while the router was compromised have been harvested. Changing passwords for email, cloud services, and critical applications is essential. Additionally, enabling two-factor authentication on Microsoft 365 and Outlook accounts adds a layer of protection even if credentials are stolen.

Is my router vulnerable to this attack?

If you own a TP-Link WR841N or similar budget SOHO router purchased before 2024, your device likely runs vulnerable firmware. MikroTik routers are also targeted, particularly older models. Check your router’s firmware version through the web management interface (typically accessed at 192.168.1.1 or 192.168.0.1) and compare it against the manufacturer’s latest release. TP-Link and MikroTik have released patches, though adoption rates remain low among home users who rarely update router firmware.

What should I do if I suspect my router is compromised?

First, perform a factory reset using the hardware reset button (usually recessed and requiring a pin to press) held for 10-15 seconds. This clears all settings, including any malicious DNS configurations. Reconfigure your router with a strong password and enable automatic firmware updates if available. Second, change passwords for all email, cloud services, and critical accounts, particularly Microsoft 365 and Outlook. Assume any credentials entered while the router was compromised have been captured by attackers.

How does this attack compare to other router compromises?

Most router attacks target home users for botnet recruitment or cryptocurrency mining. This campaign is fundamentally different—it is a state-sponsored espionage operation designed to harvest credentials from high-value targets. Rather than turning routers into zombie machines, APT28 uses them as invisible eavesdropping posts, positioning attackers between users and legitimate services. The scale is massive (thousands of compromised routers), but the intent is surgical (filtering for intelligence targets). This hybrid approach—opportunistic initial compromise, targeted secondary filtering—is a hallmark of Russian military intelligence operations.

The credential theft mechanism also differs from typical router malware. Rather than stealing stored passwords from the router itself, attackers intercept credentials in transit by hijacking DNS and conducting man-in-the-middle attacks. This requires the attacker to remain in the network path, which a compromised router enables perfectly. A user connecting to Outlook through a hijacked router has no way to detect the interception—the connection appears normal, the certificate validates, but the attacker sees everything.

Russian GRU hackers hijack routers because the attack is cheap, scalable, and devastatingly effective against organizations with poor network hygiene. Firmware updates remain rare among small office and home office users, making these devices ideal persistent access points for espionage. The campaign demonstrates that even mundane hardware—a $30 router—becomes a national security threat when exploited by a state actor with the resources to operate global infrastructure. Defending against this attack requires both individual action (firmware updates, password changes, two-factor authentication) and systemic change (manufacturers shipping secure defaults, users treating routers as critical infrastructure rather than set-and-forget devices).

Edited by the All Things Geek team.

Source: Tom's Hardware
