APT28 Router Hijacking Campaign Targets Consumer Infrastructure
The Russia-linked advanced persistent threat group APT28, also tracked as Forest Blizzard by Microsoft, launched a sophisticated campaign in May 2025 that systematically compromised insecure MikroTik and TP-Link routers across multiple regions. Security researchers discovered that the group had modified router configurations to establish persistent backdoors, effectively transforming legitimate consumer networking equipment into command-and-control infrastructure for espionage operations.
The campaign represents a significant shift in APT28's tactics, moving beyond traditional endpoint compromise to target edge networking devices that often lack robust security monitoring. The group exploited default credentials, unpatched firmware vulnerabilities, and weak administrative interfaces to gain initial access to the routers. Once inside, they installed custom firmware modifications that survived device reboots and factory resets, ensuring persistent access to the compromised infrastructure.
APT28 operators demonstrated a sophisticated understanding of router architectures, implementing steganographic techniques to hide malicious traffic within legitimate network communications. The compromised devices served multiple functions, including traffic redirection, credential harvesting from intercepted communications, and acting as pivot points for lateral movement into connected corporate networks. Intelligence agencies have linked this campaign to broader Russian state-sponsored espionage objectives targeting Western government agencies, defense contractors, and critical infrastructure operators.
The scale of the operation became apparent when cybersecurity firms identified coordinated attacks across North America, Europe, and Asia-Pacific regions. The CISA Known Exploited Vulnerabilities catalog has been updated to reflect several router vulnerabilities actively exploited in this campaign, emphasizing the urgent need for organizations to audit their network perimeter devices.
Vulnerable Router Models and Affected Organizations
The campaign primarily targeted MikroTik RouterOS devices running firmware versions prior to 7.14.2 and TP-Link Archer series routers running firmware older than the March 2025 releases. Specific models identified include the MikroTik hAP ac2, hAP ac3, and Cloud Core Router series, along with TP-Link Archer AX6000, AX3000, and AC1750 variants. Organizations using these devices with default administrative credentials or weak password policies faced the highest risk of compromise.
Small to medium-sized businesses proved particularly vulnerable due to limited IT security resources and infrequent firmware update practices. However, the campaign also affected larger enterprises that deployed consumer-grade routers in branch offices or remote work environments without proper security hardening. Government agencies in Eastern European countries reported suspicious network activity traced back to compromised router infrastructure, while several defense contractors discovered unauthorized data exfiltration through hijacked edge devices.
The geographic distribution of compromised devices suggests APT28 prioritized targets in NATO member countries, with concentrated activity in Poland, Estonia, and Lithuania. Remote workers using personal routers for corporate VPN connections inadvertently provided attack vectors into enterprise networks, highlighting the security risks of hybrid work arrangements. Telecommunications providers also reported compromises of customer premises equipment that enabled traffic interception and man-in-the-middle attacks against high-value targets.
Mitigation Steps and Router Security Hardening
Organizations must immediately audit all MikroTik and TP-Link devices in their network infrastructure and implement comprehensive security measures. For MikroTik devices, administrators should upgrade to RouterOS version 7.14.2 or later, which addresses multiple vulnerabilities exploited by APT28. TP-Link users must install the firmware updates released after March 2025 and verify the integrity of existing configurations by performing a factory reset followed by secure reconfiguration.
Critical hardening steps include changing default administrative credentials to complex passwords exceeding 16 characters, disabling unnecessary services like SSH and Telnet on WAN interfaces, and implementing network segmentation to isolate router management traffic. Organizations should enable logging on all router devices and configure centralized log collection to detect suspicious administrative activities. The Microsoft Security Response Center recommends implementing network access control policies that restrict router administration to specific IP ranges and require multi-factor authentication for administrative access.
Detection strategies involve monitoring for unexpected configuration changes, unusual outbound network connections from router devices, and DNS queries to suspicious domains. Security teams should establish baseline network behavior patterns and implement automated alerting for deviations that could indicate compromise. Organizations that cannot immediately replace vulnerable devices can reduce risk temporarily by adding network monitoring and restricting the routers' internet access through upstream firewalls until proper remediation can occur.
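As an added example, not taken from the article or from any vendor tooling, the following Python script applies the detection guidance above (and the management-range restriction from the hardening steps) to centrally collected router logs: it flags repeated login failures, administrative logins from outside the permitted management network, and configuration changes made during such a session. The management range and the sample log lines are constructed assumptions shaped like RouterOS syslog output, not a real capture.

```python
import ipaddress
import re
from collections import Counter
# Network from which router administration is permitted (assumed value; substitute your own).
ALLOWED_MGMT = ipaddress.ip_network("10.20.0.0/24")
# Constructed sample lines shaped like RouterOS syslog output; not a real capture.
SAMPLE_LOGS = """\
system,error,critical login failure for user admin from 198.51.100.23 via ssh
system,error,critical login failure for user admin from 198.51.100.23 via ssh
system,error,critical login failure for user admin from 198.51.100.23 via ssh
system,info,account user admin logged in from 10.20.0.15 via winbox
system,info,account user admin logged in from 198.51.100.23 via ssh
system,info filter rule changed by admin
system,info script added by admin
system,info,account user admin logged out from 198.51.100.23 via ssh
dhcp,info dhcp-client on ether1 got IP address 203.0.113.40
"""
LOGIN_RE = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")
FAILURE_RE = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
CHANGE_RE = re.compile(r"^system,info (.+?) (added|changed|removed) by (\S+)$")

def outside_mgmt(src, allowed):
    """True when src is an address outside the permitted management range."""
    try:
        return ipaddress.ip_address(src) not in allowed
    except ValueError:  # not an IP literal (e.g. a local console session)
        return False

def analyze(log_text, allowed=ALLOWED_MGMT, failure_threshold=3):
    """Return (severity, message) findings for the supplied router log lines."""
    findings, failures, last_login = [], Counter(), {}
    for line in log_text.splitlines():
        if m := FAILURE_RE.search(line):
            user, src, svc = m.groups()
            failures[(user, src)] += 1  # repeated failures hint at credential guessing
            if failures[(user, src)] == failure_threshold:
                findings.append(("medium", f"{failure_threshold} failed logins for {user} from {src} via {svc}"))
        elif m := LOGIN_RE.search(line):
            user, src, svc = m.groups()
            last_login[user] = src  # remember where this user's current session came from
            if outside_mgmt(src, allowed):
                findings.append(("high", f"login by {user} from {src} via {svc} outside management range"))
        elif m := CHANGE_RE.match(line):
            obj, verb, user = m.groups()
            src = last_login.get(user)
            # A change made during a session from outside the management range is escalated.
            hijacked = bool(src) and outside_mgmt(src, allowed)
            findings.append(("high" if hijacked else "medium", f"config change: {obj} {verb} by {user}" + (f" in session from {src}" if hijacked else "")))
    return findings
```

Feeding the script the same lines in a different order shows why session tracking matters: the two configuration changes are only rated high because the most recent login for that user came from outside the management range.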