Thousands of routers across 23 U.S. states were compromised by a Russian military intelligence group, known as APT28, which exploited vulnerabilities to redirect internet traffic. This operation involved the hijacking of small-office/home-office (SOHO) routers, affecting both enterprise and consumer devices. The National Security Agency has confirmed that the attack targeted military, government, and critical infrastructure entities.
In April, federal agents intervened under a court order to disrupt the espionage effort. The underlying vulnerabilities in the affected devices remain, however, so owners still need to secure their routers themselves. Experts from the cybersecurity firm Forescout emphasize updating firmware and changing default passwords to reduce the risk. The UK's National Cyber Security Centre has singled out specific models, including several TP-Link routers, as particularly vulnerable.
Ongoing since at least 2024, this campaign highlights a growing trend of DNS hijacking by state-sponsored actors, aiming for extensive surveillance capabilities. Organizations are urged to take immediate action to protect their devices from further exploitation.
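The article names DNS hijacking as the goal of the router compromise but does not show what that looks like from the defender's side. The following is an added example, not code from the article or from any of the organizations it cites: a small Python check that parses the resolvers a client received from its router and flags any that are outside an expected allowlist, then compares the answers obtained through the router-supplied resolver with answers from a trusted reference resolver. The allowlist, the resolv.conf text and both answer sets are constructed sample data (documentation-range addresses), standing in for real lookups.

```python
import ipaddress

# Resolvers an organization expects its SOHO routers to hand out via DHCP.
# Constructed allowlist for this example; replace with your own resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}

# Constructed sample of a client's /etc/resolv.conf after the router's
# DHCP DNS settings were changed; 203.0.113.45 is a TEST-NET-3 address.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.45
"""

# Constructed answer sets standing in for real lookups: one made through the
# resolver the router handed out, one made through a trusted reference resolver.
ROUTER_ANSWERS = {
    "mail.example.com": {"198.51.100.7"},
    "www.example.com": {"192.0.2.10"},
}
REFERENCE_ANSWERS = {
    "mail.example.com": {"203.0.113.80"},
    "www.example.com": {"192.0.2.10"},
}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text,
    ignoring comments, blank lines and malformed addresses."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid IP address; skip it
    return servers


def unexpected_resolvers(servers, allowlist=EXPECTED_RESOLVERS):
    """Resolvers handed to the client that are not on the allowlist."""
    return [s for s in servers if s not in allowlist]


def compare_answers(router_answers, reference_answers):
    """Domains whose answer set from the router-supplied resolver differs
    from the reference resolver's answer set."""
    mismatches = {}
    for domain, ref in reference_answers.items():
        got = router_answers.get(domain, set())
        if got != ref:
            mismatches[domain] = {"router": sorted(got), "reference": sorted(ref)}
    return mismatches


def dns_hijack_report(resolv_conf_text, router_answers, reference_answers):
    """Combine both checks into one report for a single client."""
    servers = parse_nameservers(resolv_conf_text)
    return {
        "resolvers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "answer_mismatches": compare_answers(router_answers, reference_answers),
    }


if __name__ == "__main__":
    report = dns_hijack_report(SAMPLE_RESOLV_CONF, ROUTER_ANSWERS, REFERENCE_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the report flags 203.0.113.45 as an unexpected resolver and shows that mail.example.com resolves differently through the router than through the reference resolver, which is the kind of discrepancy a hijacked router produces. Running this from a few clients after the firmware update and password change described above gives a quick confirmation that DHCP and DNS settings were actually restored.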