HeadlinesBriefing.com

Russian Military Hacks 18k-40k Consumer Routers for Espionage

Ars Technica

MikroTik and TP-Link routers are being hijacked by APT28, a group attributed to Russia's military intelligence agency (the GRU), in a campaign spanning 120 countries that has potentially compromised 18,000 to 40,000 devices. Researchers at Lumen's Black Lotus Labs report that the group exploits unpatched vulnerabilities in older models to take control of the routers, then uses them to redirect traffic to attacker-run servers that harvest credentials. This infrastructure supports APT28's long-running espionage against governments and organizations worldwide, including the interception of Microsoft 365 sign-ins by hijacking DNS resolution for Microsoft domains.

APT28, also tracked as Pawn Storm and Sofacy, blends newer tooling such as LAMEHUG, malware that queries a large language model to generate the commands it runs, with well-proven techniques. In this campaign the group changes the DNS settings on compromised routers; the workstations behind those routers inherit the rogue resolver settings, because the router is normally what hands out DNS servers to the local network. When a victim then visits a targeted service such as Microsoft 365, the rogue resolver answers with the address of a server controlled by the group, which proxies the session as an adversary-in-the-middle and captures the credentials entered.
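The two checks a defender would run on a workstation behind a possibly compromised router follow from that mechanism: confirm that the resolvers the host received are the expected ones, and confirm that a sensitive hostname resolves the same way through the local resolver as through an independent one. The script below is an added example, not code from Ars Technica or Black Lotus Labs; the resolver allow-list, the resolv.conf text and every DNS answer are constructed sample data (TEST-NET addresses), and the Microsoft 365 hostnames are assumed as representative sign-in endpoints.

```python
"""Audit a host for a router-level DNS hijack (added example, constructed data).

Check 1 - resolver audit: the nameservers the host is using (normally pushed by the
          router over DHCP) are compared against an allow-list of expected resolvers.
Check 2 - split resolution: answers for sensitive hostnames from the local resolver are
          compared with answers from an independent trusted resolver. A hijacked router
          steers the sign-in host to the attacker's proxy, so the two sets diverge.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumption: the resolvers this network is supposed to hand out (ISP pair + internal).
EXPECTED_RESOLVERS: Set[str] = {"203.0.113.53", "203.0.113.54", "10.0.0.53"}

# Assumption: sign-in hostnames worth checking for a Microsoft 365 tenant.
SENSITIVE_HOSTS = ["login.microsoftonline.com", "outlook.office365.com"]

# Constructed resolv.conf as a workstation behind the router might see it.
# The second nameserver is one the router should never be handing out.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search example.internal
nameserver 203.0.113.53
nameserver 198.51.100.7
"""

# Constructed answers keyed by (resolver, hostname). The local resolver sends the
# sign-in host to an attacker proxy (198.51.100.20); the trusted resolver does not.
SAMPLE_ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("local", "login.microsoftonline.com"): ["198.51.100.20"],
    ("trusted", "login.microsoftonline.com"): ["192.0.2.10", "192.0.2.11"],
    ("local", "outlook.office365.com"): ["192.0.2.20"],
    ("trusted", "outlook.office365.com"): ["192.0.2.20"],
}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver IPs from resolv.conf-style text, skipping comments and junk."""
    servers: List[str] = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:                    # not an IP literal: ignore it
                continue
    return servers


def audit_resolvers(observed: Iterable[str], expected: Set[str]) -> List[str]:
    """Resolvers in use that are not on the allow-list (candidate rogue resolvers)."""
    return [s for s in observed if s not in expected]


def split_resolution_check(
    hosts: Iterable[str], lookup: Callable[[str, str], List[str]]
) -> Dict[str, dict]:
    """Flag hosts whose local answers are not a subset of the trusted resolver's answers."""
    findings: Dict[str, dict] = {}
    for host in hosts:
        local = set(lookup("local", host))
        trusted = set(lookup("trusted", host))
        findings[host] = {
            "local": sorted(local),
            "trusted": sorted(trusted),
            "hijacked": not local <= trusted,
        }
    return findings


def sample_lookup(resolver: str, host: str) -> List[str]:
    """Offline stand-in for a real query (e.g. dnspython against each resolver)."""
    return SAMPLE_ANSWERS.get((resolver, host), [])


def run_audit(resolv_conf: str = SAMPLE_RESOLV_CONF,
              lookup: Callable[[str, str], List[str]] = sample_lookup) -> dict:
    """Run both checks and summarise what a responder would want to see first."""
    rogue = audit_resolvers(parse_nameservers(resolv_conf), EXPECTED_RESOLVERS)
    findings = split_resolution_check(SENSITIVE_HOSTS, lookup)
    hijacked = [h for h, f in findings.items() if f["hijacked"]]
    return {"rogue_resolvers": rogue, "hijacked_hosts": hijacked, "findings": findings}


if __name__ == "__main__":
    result = run_audit()
    print("rogue resolvers :", result["rogue_resolvers"])
    print("hijacked hosts  :", result["hijacked_hosts"])
    for host, f in result["findings"].items():
        print(f"  {host}: local={f['local']} trusted={f['trusted']} hijacked={f['hijacked']}")
```

On a real network the trusted-resolver comparison needs a caveat: large services answer with different addresses from different vantage points (GeoDNS and anycast), so a mismatch is a lead to chase, not proof of compromise. Comparing the local answer against the provider's published address ranges, and checking whether the returned address presents the provider's own TLS certificate, are the follow-up checks that separate a hijack from ordinary traffic steering.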

The campaign underscores the persistent threat posed by APT28, which keeps evolving its tactics despite repeated public exposure. While the exact number of affected routers is uncertain, the scale highlights a significant weakness in widely used consumer and SOHO networking equipment. Owners should apply current firmware and verify that the DNS servers their router hands to clients are the expected ones, and manufacturers need to keep shipping fixes for older models that remain in wide use.