The threat of cyber warfare continues to escalate, with recent research revealing that the Russian military is again targeting home and small office routers. This widespread hacking operation, which primarily affects devices made by MikroTik and TP-Link, compromises unwitting users by silently routing their traffic through attacker-controlled servers that harvest passwords and credentials for espionage.
Researchers from Lumen Technologies’ Black Lotus Labs estimate that between 18,000 and 40,000 consumer routers in approximately 120 countries have been commandeered as part of these operations. The perpetrating group, known as APT28, has been active for at least two decades, carrying out high-profile attacks on governments globally. Also referred to as Pawn Storm, Sofacy Group, Sednit, and several other aliases, APT28 operates under the auspices of Russia’s military intelligence agency, the GRU.
Technical Sophistication and Historical Context
A hallmark of APT28's tactics is technical sophistication combined with tried-and-true methods. During this latest campaign, a limited number of compromised routers were used as proxies, giving the group access to a much larger pool of routers, including those belonging to foreign ministries and government agencies. By controlling these routers, the attackers manipulated DNS resolution for specific websites, sending users to attacker-run servers instead of the legitimate ones. Microsoft confirmed that the targeted domains included those linked to its Microsoft 365 service.
Innovative Tools and Age-Old Techniques
The Black Lotus researchers noted, "Known for blending cutting-edge tools such as the large language model (LLM) 'LAMEHUG' with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders." (Forest Blizzard is Microsoft's name for APT28.) This adaptability is what makes the group a persistent threat: by pairing new tooling with classic attack methods, it continues to challenge organizations around the world.
The group exploits known, unpatched vulnerabilities in older router models. Once a router is compromised, its DNS settings are changed, and because the router is also the network's DHCP server, it hands the attacker's DNS server address (DHCP option 6, domain-name-servers) to every workstation that renews a lease. No client-side malware is needed: each workstation simply starts asking the attacker's resolver where to find the targeted domains. When a user then visits one of those domains, the answer points at an attacker-run server, which proxies the connection on to the legitimate website. The site looks and works normally, while the credentials pass through the attacker's server in the middle.
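The two questions a defender on such a network wants answered are: which resolvers did DHCP hand my clients, and do those resolvers give the same answers as a resolver I trust for the domains the attackers target? The script below is an added example, not code from the Black Lotus Labs report or the Ars article. It parses a dhclient lease file for the DHCP-supplied DNS servers, builds and parses raw DNS A queries with only the standard library so a specific resolver can be asked directly, and flags both unexpected resolvers and names whose answers diverge from a trusted resolver. The lease text, the resolver allowlist, the IP addresses and the DNS responses are all constructed for the demo; `query_a` performs a live UDP lookup if you point it at real resolvers.

```python
"""Check for DHCP-pushed DNS hijacking: audit the resolvers a lease handed out and
compare their answers for sensitive names against a trusted resolver.
Added example; all sample data below is constructed."""
import os
import re
import socket
import struct
from typing import Dict, List, Set

# Constructed dhclient.leases content: the newest lease (last block) now pushes an
# extra, unknown resolver ahead of the router itself.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.88.10;
  option routers 192.168.88.1;
  option domain-name-servers 192.168.88.1;
  renew 1 2024/01/01 10:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.168.88.10;
  option routers 192.168.88.1;
  option domain-name-servers 198.51.100.53, 192.168.88.1;
  renew 1 2024/01/02 10:00:00;
}
"""

# Assumption: the only resolvers clients should ever receive (router or corporate DNS).
EXPECTED_RESOLVERS: Set[str] = {"192.168.88.1"}


def parse_dhcp_dns(lease_text: str) -> List[str]:
    """Return the domain-name-servers from the most recent lease block (dhclient appends newest last)."""
    blocks = re.findall(r"lease\s*\{(.*?)\}", lease_text, re.S)
    if not blocks:
        return []
    m = re.search(r"option domain-name-servers\s+([^;]+);", blocks[-1])
    return [s.strip() for s in m.group(1).split(",")] if m else []


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes) -> List[str]:
    """Return the IPv4 strings from the answer section of a DNS response; [] on error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers


def query_a(server: str, name: str, timeout: float = 2.0) -> List[str]:
    """Live UDP A lookup against one specific resolver (network access; not used by the offline demo)."""
    q = build_a_query(name, int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_answers(resp) if resp[:2] == q[:2] else []


def build_a_response(query: bytes, ips: List[str], ttl: int = 60) -> bytes:
    """Constructed test helper: answer a query with the given A records, naming the owner via a pointer to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + rrs


def audit(assigned: List[str], expected: Set[str],
          assigned_answers: Dict[str, List[str]], trusted_answers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag resolvers outside the allowlist, and names whose answers share no IP with the trusted resolver."""
    findings = {"unexpected_resolvers": [s for s in assigned if s not in expected], "divergent_names": []}
    for name, trusted in trusted_answers.items():
        got = set(assigned_answers.get(name, []))
        if got and not got & set(trusted):
            findings["divergent_names"].append(name)
    return findings


def demo() -> Dict[str, List[str]]:
    """Offline run over constructed data: the DHCP-pushed resolver answers with an attacker proxy address."""
    name = "login.microsoftonline.com"
    q = build_a_query(name)
    hijacked = parse_a_answers(build_a_response(q, ["198.51.100.7"]))   # constructed attacker proxy
    trusted = parse_a_answers(build_a_response(q, ["203.0.113.20"]))    # constructed legitimate answer
    return audit(parse_dhcp_dns(SAMPLE_LEASES), EXPECTED_RESOLVERS, {name: hijacked}, {name: trusted})


if __name__ == "__main__":
    print(demo())
```

Two caveats for real use. Large services answer from CDNs, so two honest resolvers can legitimately return different addresses; treat a divergent answer as a lead to check against the owner's published ranges or ASN, not as proof of hijack. And the DHCP check only sees what the client accepted: on a compromised router, the cleanest evidence is the router's own DHCP and DNS configuration, so pull that (or a packet capture of the DHCP offer) rather than trusting the client alone.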
This ongoing situation is a stark reminder that the router is part of the attack surface. Users should patch or replace end-of-life routers, verify that the DNS and DHCP settings on the device have not been changed, and keep up the basic security practices that blunt even sophisticated, evolving threats of this kind.
For more detailed insights, you can read the original article here.
Image Credit: arstechnica.com