APT28 compromised up to 40,000 end-of-life MikroTik and TP-Link routers across 120 countries to harvest credentials and spy on government agencies.
Black Lotus Labs (Lumen Technologies) revealed that APT28, Russia's GRU-linked threat group, hijacked between 18,000 and 40,000 consumer routers across 120 countries. The operation used compromised routers as proxy infrastructure to target foreign ministries, law enforcement, and government agencies. APT28 manipulated DNS lookups on infected routers, including lookups for Microsoft 365 domains, to redirect users to credential-harvesting sites. Notably, the group is now deploying an LLM tool called 'LAMEHUG' alongside traditional attack techniques, signaling AI-augmented offensive capabilities.
APT28 is manipulating DNS at the router level to silently redirect traffic — including Microsoft 365 auth flows — to credential-harvesting infrastructure. If your app or service relies on OAuth or token-based auth without enforcing certificate pinning or DNSSEC validation, this attack vector bypasses your app-layer security entirely. The introduction of an LLM (LAMEHUG) into the offensive toolkit means attack personalization and evasion are scaling.
Audit your app's DNS resolution chain this week: verify that your auth endpoints enforce HSTS and check whether your DNS provider supports DNSSEC — if not, switching to Cloudflare's 1.1.1.1 with DNSSEC validation takes under an hour.
Open your terminal and run: curl -s 'https://cloudflare-dns.com/dns-query?name=login.microsoftonline.com&type=A' -H 'accept: application/dns-json' | python3 -m json.tool (the URL must be quoted, otherwise the shell treats the & as a command separator and the type=A parameter never reaches curl).
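As an added example, not code from the original brief, the check behind the steps above as a script: it builds the DoH query URL safely, parses a Cloudflare dns-json answer, reads the AD flag (set only when the resolver DNSSEC-validated a signed zone), and flags any address your local (router-supplied) resolver returns that the trusted validating resolver does not. The JSON response and all addresses are constructed samples, not the real records.

```python
import json
from urllib.parse import urlencode

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

# Constructed sample in Cloudflare's application/dns-json format.
# Type 1 is an A record; the AD flag is the resolver's DNSSEC-validated bit.
# Addresses are documentation-range placeholders, not Microsoft's real ones.
TRUSTED_DOH_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "login.microsoftonline.com", "type": 1}],
    "Answer": [
        {"name": "login.microsoftonline.com", "type": 1, "TTL": 300, "data": "203.0.113.10"},
        {"name": "login.microsoftonline.com", "type": 1, "TTL": 300, "data": "203.0.113.11"},
    ],
})

# Constructed answer as a tampered router resolver might hand back for the
# same name: an address the trusted resolver never returned.
LOCAL_RESOLVER_ANSWERS = ["198.51.100.7"]


def doh_query_url(name, rtype="A"):
    """Build the DoH URL with the query string encoded (no bare & for the shell)."""
    return f"{DOH_ENDPOINT}?{urlencode({'name': name, 'type': rtype})}"


def parse_doh_json(raw):
    """Return (rcode, dnssec_validated, set of A-record addresses) from dns-json."""
    doc = json.loads(raw)
    a_records = {rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1}
    return doc["Status"], bool(doc.get("AD")), a_records


def assess(trusted_raw, local_answers):
    """Compare the local resolver's answers with a trusted DNSSEC-validating one."""
    rcode, validated, trusted = parse_doh_json(trusted_raw)
    findings = []
    if rcode != 0:
        findings.append(f"trusted resolver returned RCODE {rcode}")
    if not validated:
        # An unsigned zone also clears AD, so this alone is not proof of tampering.
        findings.append("AD flag clear: answer was not DNSSEC-validated")
    unexpected = set(local_answers) - trusted
    if unexpected:
        findings.append(
            f"local resolver returned addresses absent from trusted answer: {sorted(unexpected)}"
        )
    return findings
```

In practice, feed assess() the live body from the curl command above and the A records your local resolver returns (for example from the host or dig output); any address in the second list but not the first is the signal to investigate the router.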