How does APT28 exploit SOHO routers for DNS hijacking attacks?

APT28, a Russian state-linked threat actor also tracked as Forest Blizzard, compromises SOHO routers such as MikroTik and TP-Link devices through known weaknesses: default or weak credentials, unpatched firmware, and insecure configurations. Once on the device, the attackers change the router's DNS settings so that clients' queries are answered by servers under their control. This DNS hijacking lets them intercept, monitor, or manipulate traffic, supporting espionage activities such as stealing sensitive data, conducting man-in-the-middle attacks, and redirecting users to phishing sites. The campaign, active since at least May 2025, uses the compromised routers as part of a global infrastructure that obscures the operators' origin and helps them evade detection. To defend against it, users should change default passwords, keep firmware updated, disable remote management, and monitor the router's DNS settings for unauthorized changes.
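As an added example (not from the article or the question above), a defender-side check that implements the last recommendation: it audits a router's configured resolvers against an approved list and compares answers obtained through the router with those from an independent resolver. The resolver addresses, the MikroTik-style `/ip dns print` output and the DNS answers are constructed placeholders, not values from the campaign.

```python
import ipaddress
from dataclasses import dataclass

# Resolvers approved for the site (constructed sample values; substitute the
# ISP or enterprise resolvers the routers are actually expected to use).
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.53/32"),    # constructed: on-prem resolver
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: ISP resolver range
]
@dataclass(frozen=True)
class Finding:
    kind: str    # "untrusted_resolver" or "answer_mismatch"
    detail: str

def parse_dns_servers(router_output: str) -> list[str]:
    """Pull the resolver list out of a `servers: a,b` line as printed by a
    MikroTik `/ip dns print` (format approximated; the output is constructed)."""
    for line in router_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "servers":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []

def audit_resolvers(servers: list[str], trusted=TRUSTED_RESOLVERS) -> list[Finding]:
    """Flag every configured resolver outside the approved set. A resolver the
    site never configured is the primary sign that DNS settings were changed."""
    return [Finding("untrusted_resolver", s) for s in servers
            if not any(ipaddress.ip_address(s) in net for net in trusted)]

def compare_answers(via_router: dict, via_reference: dict) -> list[Finding]:
    """Second check: resolve stable names both through the router and through an
    independent trusted resolver; differing answers indicate redirection."""
    return [Finding("answer_mismatch", f"{name}: router={sorted(via_router[name])} "
                                        f"reference={sorted(ref)}")
            for name, ref in via_reference.items()
            if name in via_router and set(via_router[name]) != set(ref)]

def run_demo() -> list[Finding]:
    # Constructed router state: one approved resolver plus an unexpected one.
    router_output = "       servers: 198.51.100.7,203.0.113.66\n dynamic-servers: \n"
    # Constructed A-record answers; the router-path answer for the mail host differs.
    via_router = {"mail.example.com": ["203.0.113.80"], "www.example.com": ["192.0.2.10"]}
    via_reference = {"mail.example.com": ["192.0.2.25"], "www.example.com": ["192.0.2.10"]}
    findings = audit_resolvers(parse_dns_servers(router_output))
    findings += compare_answers(via_router, via_reference)
    return findings

if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.kind}] {f.detail}")
```

In practice the router output comes from the device's management interface and the reference answers from a resolver reached over a path that does not depend on the router.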

📖 Read the full article: Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign