Close Menu
    What's Hot

    Iran’s Former Leader Denies Times Report

    Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe

    House Votes for Permanent Daylight Saving Time

    Facebook X (Twitter) Instagram
    Trending
    • Iran’s Former Leader Denies Times Report
    • Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe
    • House Votes for Permanent Daylight Saving Time
    • Iran’s Cyberattackers Tracked Phones of U.S. Military Personnel in the Mideast, Data Suggests
    • At War With Iran Again, Trump Finds an Opponent He Cannot Easily Dominate
    • Former Child Care Worker in Sydney Facing Over 300 Abuse Charges Is Identified
    • Top Tax Official to Leave Trump Administration
    • OpenAI researcher Miles Wang in talks to launch AI drug discovery startup valued at $2B
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

    adminBy adminApril 7, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

    The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025.

    The large-scale exploitation campaign has been codenamed FrostArmada by Lumen’s Black Lotus Labs, with Microsoft describing it as an effort to exploit vulnerable home and small office (SOHO) internet devices to hijack DNS traffic and enable passive collection of network data.

    “Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials,” Black Lotus Labs said in a report shared with The Hacker News.

    “When targeted domains were requested by a user, the actor redirected traffic to an attacker-in-the-middle (AitM) node, where those credentials were harvested and exfiltrated. This approach enabled a nearly invisible attack that required no interaction from the end user.”

    The infrastructure associated with the campaign has been disrupted and taken offline as part of a joint operation in collaboration with the U.S. Department of Justice, Federal Bureau of Investigation, and other international partners.

    Cybersecurity

    The activity is assessed to have commenced as far back as May 2025 in a limited capacity, followed by widespread router exploitation and DNS redirection commencing in early August. At its peak in December 2025, more than 18,000 unique IP addresses from no less than 120 countries were found communicating with APT28 infrastructure.

    These efforts primarily singled out government agencies, such as ministries of foreign affairs, law enforcement, and third-party email and cloud service providers across North African, Central American, Southeast Asian, and European countries.

    The Microsoft Threat Intelligence team, in its analysis of the campaign, attributed the activity to APT28 and its sub-group tracked as Storm-2754. The tech giant said it identified more than 200 organizations and 5,000 consumer devices impacted by the threat actor’s malicious DNS infrastructure.

    “For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale,” Redmond said. “By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments.”

    The DNS hijacking activity has also facilitated AitM attacks that made it possible to facilitate the theft of passwords, OAuth tokens, and other credentials for web and email-related services, putting organizations at risk of broader compromise.

    The development marks the first time the adversarial collective has been observed using DNS hijacking at scale to support AiTM of Transport Layer Security (TLS) connections after exploiting edge devices, Microsoft added. 

    At a high level, the attack chain involves APT28 gaining remote administrative access to SOHO devices and changing default network configurations to use DNS resolvers under its control. The malicious reconfiguration causes the devices to send their DNS requests to actor-controlled servers.

    This, in turn, causes DNS lookups for email applications or login pages to be resolved by the malicious DNS server. The threat actor then attempts to conduct AitM attacks against those connections to steal user account credentials by tricking the victims into connecting to malicious infrastructure.

    Some of these domains are associated with Microsoft Outlook on the web. Microsoft said it also identified AitM activity aimed at non-Microsoft hosted servers in at least three government organizations in Africa.

    Cybersecurity

    “It is believed that the DNS hijacking operations are opportunistic in nature, with the actor gaining visibility of a large pool of candidate target users then filtering down users at each stage in the exploitation chain to triage for victims of likely intelligence value,” the U.K. National Cyber Security Centre (NCSC) said.

    APT28 is said to have exploited TP-Link WR841N routers for its DNS poisoning operations by likely taking advantage of CVE-2023-50224 (CVSS score: 6.5), an authentication bypass vulnerability that could be used to extract stored credentials via specially crafted HTTP GET requests.

    A second cluster of servers has been found to receive DNS requests via compromised routers and subsequently forward them to remote actor-owned servers. This cluster is also assessed to have engaged in interactive operations targeting a small number of MikroTik routers located in Ukraine.

    “Forest Blizzard’s DNS hijacking and AitM activity allows the actor to conduct DNS collection on sensitive organizations worldwide and is consistent with the actor’s longstanding remit to collect espionage against priority intelligence targets,” Microsoft said.

    “Although we have only observed Forest Blizzard utilizing their DNS hijacking campaign for information collection, an attacker could use an AiTM position for additional outcomes, such as malware deployment or denial of service.”

    APT28 campaign DNS Exploits global hijacking routers Russian SOHO StateLinked
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleBadClaude: Serious ethics issues arise as users abuse Anthropic AI with slurs and a digital whip
    Next Article Firmus, the ‘Southgate’ AI datacenter builder backed by Nvidia, hits $5.5B valuation
    admin
    • Website

    Related Posts

    Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

    July 15, 2026

    Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

    July 14, 2026

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Iran’s Former Leader Denies Times Report

    Millennials will pay taxes on the ‘Great Wealth Transfer’—and the cut is staggering. Here’s exactly how much they owe

    House Votes for Permanent Daylight Saving Time

    Iran’s Cyberattackers Tracked Phones of U.S. Military Personnel in the Mideast, Data Suggests

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by