A new campaign by the Russia-linked cyber espionage group APT28 has surfaced, aimed at taking control of vulnerable MikroTik and TP-Link routers. Since at least May 2025, the group has been turning compromised devices into components of a broader malicious infrastructure, according to recent threat intelligence reporting. Researchers tracking the group have since assigned the large-scale campaign its own codename, drawing renewed attention to the persistent threat posed by this well-resourced nation-state actor.
Routers Are Being Weaponized as Cyber Espionage Tools
APT28, also tracked under the name Forest Blizzard, has targeted poorly secured routers, with significant consequences for organizations and individuals alike. These devices are frequently overlooked in broader security programs because they are seen as simple appliances, yet they sit at the boundary of every network they serve and handle all traffic crossing it. By compromising them, APT28 can establish persistent footholds that are difficult to detect and harder still to attribute, since activity routed through a hijacked router appears to come from an ordinary residential or small-business connection.
- Vulnerable Models : APT28 has exploited insecure configurations in MikroTik and TP-Link routers, both of which are widely deployed in home and enterprise environments worldwide.
- Modification of Settings : Compromise involves deliberately altering the device's configuration, converting the router into an unwitting node in a larger, coordinated attack infrastructure.
- Scale of Campaign : The scale of the effort shows how devices considered routine or low-risk can be weaponized by sophisticated threat actors to support long-running espionage operations.
Implications for Network Security and Infrastructure
The ongoing exploitation underscores the shifting tactics of nation-state actors like APT28. The deliberate targeting of consumer and small-business routers reflects a calculated move toward less scrutinized attack surfaces within the broader Internet of Things (IoT) landscape, where security controls are often minimal or entirely absent.
- Evolving Strategies : APT28 continues to demonstrate a willingness to pursue unconventional targets. Routers, while frequently outside the scope of enterprise security monitoring, can provide deep network access and long-term operational control.
- Infrastructure Hijacking : Compromised routers are folded into the group's operational infrastructure, so that traffic reaching victims appears to originate from ordinary home and business connections. This makes it considerably harder for defenders to trace attack origins and to dismantle command-and-control infrastructure.
- Potential Target Expansion : Repurposing home and business routers as entry points signals a possible widening of APT28's operational focus to the full range of connected devices present in residential and commercial settings.
Recommendations for Organizations Responding to This Threat
Organizations must take deliberate steps to strengthen router security to reduce their exposure to campaigns like this one. Given the scale and sophistication of the activity, the familiar hygiene measures below remain necessary, but they only help if they are actually applied to edge devices and backed by monitoring that would notice a router being reconfigured.
- Regular Firmware Updates : Keeping routers on the latest available firmware is the most direct way to close known vulnerabilities before they can be exploited. Devices that no longer receive vendor updates cannot be patched and should be replaced rather than left in place.
- Strong Password Policies : Replacing default credentials with strong, unique passwords removes the easiest path to administrative access. Pair this with limiting where the management interface can be reached from: it should not be exposed to the internet, and access should be restricted to trusted management addresses.
- Network Monitoring : Ongoing monitoring of traffic patterns can reveal unauthorized login attempts, unusual outbound connections made by the router itself, and unauthorized changes to device configuration. The most reliable way to catch the last of these is to export the running configuration on a schedule and compare it against a known-good baseline, alerting on any difference.
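One way to implement the configuration check described in the last bullet, as an added example that is not part of the original reporting: the script below diffs a fresh MikroTik RouterOS `/export` dump against a known-good baseline and flags additions that hit a watchlist. It assumes the RouterOS export layout (section lines beginning with `/`, command lines beneath them, `#` comments, and `\` line continuations); both exports and the watchlist entries are constructed for illustration, and the watchlist is a generic set of settings a defender would want to know about, not a list of changes attributed to this campaign.

```python
"""Detect configuration drift on a MikroTik router by diffing a fresh
RouterOS '/export' dump against a known-good baseline and flagging
additions that match a short watchlist.

Assumptions (not from the reporting): the RouterOS export format is
section lines beginning with '/', command lines beneath them, '#'
comments and '\\' line continuations; the watchlist is illustrative.
"""
import re

# Constructed sample: the export captured when the router was last audited.
BASELINE_EXPORT = r"""
# 2025-05-01 10:00:00 by RouterOS 7.14
/interface ethernet
set [ find default-name=ether1 ] name=wan
/ip service
set telnet disabled=yes
set www address=192.168.88.0/24
/ip socks
set enabled=no
/user
add name=netops group=full
"""

# Constructed sample: a fresh export of the same router with several changes
# (web management opened to any address, SOCKS proxy enabled, an extra admin
# user, and a scheduled task whose command spans a continuation line).
CURRENT_EXPORT = r"""
# 2025-06-15 03:12:44 by RouterOS 7.14
/interface ethernet
set [ find default-name=ether1 ] name=wan
/ip service
set telnet disabled=yes
set www address=0.0.0.0/0
/ip socks
set enabled=yes port=5678
/user
add name=netops group=full
add name=support group=full
/system scheduler
add name=upd interval=1h \
    on-event=sync
"""

# (section, regex over the command, reason) -- hypothetical watchlist chosen
# for illustration; extend it with whatever your own baseline review requires.
WATCHLIST = [
    ("/ip service", r"address=0\.0\.0\.0/0", "management service reachable from any address"),
    ("/ip socks", r"\benabled=yes\b", "SOCKS proxy enabled"),
    ("/user", r"^add\b", "new local user account"),
    ("/system scheduler", r"^add\b", "new scheduled task"),
]


def parse_export(text):
    """Return (section, command) pairs from an export: join '\\' continuations,
    drop comments and blank lines, and collapse whitespace so purely cosmetic
    differences between two dumps are not reported as drift."""
    entries = []
    section = ""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # finish a command continued from the previous line
            line = pending + line
            pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # command continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("/"):
            section = line               # e.g. "/ip service"
        else:
            entries.append((section, " ".join(line.split())))
    return entries


def diff_exports(baseline_text, current_text):
    """Return (added, removed) entries, each sorted, between the two exports."""
    base = set(parse_export(baseline_text))
    cur = set(parse_export(current_text))
    return sorted(cur - base), sorted(base - cur)


def review_drift(baseline_text, current_text):
    """Diff the exports and return (added, removed, findings); findings are
    (reason, 'section: command') for added lines that hit the watchlist."""
    added, removed = diff_exports(baseline_text, current_text)
    findings = []
    for section, cmd in added:
        for watched_section, pattern, reason in WATCHLIST:
            if section == watched_section and re.search(pattern, cmd):
                findings.append((reason, f"{section}: {cmd}"))
    return added, removed, findings


if __name__ == "__main__":
    added, removed, findings = review_drift(BASELINE_EXPORT, CURRENT_EXPORT)
    for section, cmd in removed:
        print(f"- {section}: {cmd}")
    for section, cmd in added:
        print(f"+ {section}: {cmd}")
    for reason, where in findings:
        print(f"ALERT {reason}: {where}")
```

Every line that differs from the baseline is reported, not only the watchlisted ones, because a removed firewall rule or a changed DNS server matters as much as an added user; the watchlist just decides which additions are escalated immediately. Run the export over SSH on a schedule from a host the router cannot log in to, and keep the baseline somewhere the router's administrator credentials do not reach.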
With APT28's campaign confirmed active since at least May 2025, treating router security as a core pillar of an organization's cybersecurity posture is no longer optional. Defenders who continue to overlook edge devices risk handing nation-state actors exactly the access they need to conduct sustained and damaging espionage operations.
