200 organizations. 5,000 consumer routers. 18,000 networks ensnared at peak. Zero malware deployed.
Russia’s military intelligence service has spent two years quietly repurposing ordinary home and office routers into surveillance infrastructure, using nothing more exotic than altered DNS settings. On April 7, an international coalition of cybersecurity agencies and private firms moved to shut the operation down.
The UK’s National Cyber Security Centre (NCSC) attributed the campaign to APT28 — also known as Fancy Bear, Forest Blizzard, or Strontium — a hacking group assessed with high confidence to be Unit 26165 of Russia’s GRU military intelligence directorate. The same unit previously compromised the Hillary Clinton campaign and the Democratic National Committee in 2016 and attempted to breach the Organisation for the Prohibition of Chemical Weapons in 2018. Microsoft identified more than 200 organizations and 5,000 consumer devices caught in the current dragnet. Lumen’s Black Lotus Labs, which contributed to the investigation, put the peak scope far higher: roughly 18,000 routers across 120 countries in December 2025.
How It Worked
The attack was technically simple. APT28 exploited known vulnerabilities in older, often unsupported routers — primarily the TP-Link TL-WR841N and MikroTik SOHO models — to rewrite their DNS settings. DNS is the internet’s address book, translating human-readable names like “outlook.com” into the numerical IP addresses computers actually use. By replacing the legitimate DNS servers with their own, the hackers could answer lookups for chosen domains with the address of a server they controlled and silently route users through counterfeit versions of familiar websites.
Those modified DNS settings propagated automatically to every device on the local network — laptops, phones, tablets — via DHCP, the protocol through which the router hands each joining device its IP address along with the DNS servers it should use. Nothing on the endpoints themselves had to be changed. A user typing their Outlook credentials into what looked like the real login page, at the real address, was actually handing them to GRU operatives.
No malware required. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done,” Black Lotus Security Engineer Ryan English told Krebs on Security. According to the NCSC advisory, APT28 exploited CVE-2023-50224, a known TP-Link vulnerability that allows unauthenticated attackers to extract router credentials via crafted HTTP requests.
The only visible clue: a browser warning about an invalid TLS certificate. An interception server cannot obtain a trusted certificate for a domain it does not own, so the browser flags the connection, but that is the kind of warning most people click past without reading.
The Harvest
Microsoft said the campaign primarily intercepted OAuth tokens for Outlook on the web — the session credentials issued after a user completes multi-factor authentication. By capturing tokens rather than passwords, the attackers bypassed MFA entirely, gaining direct access to cloud-hosted email and documents without needing to phish one-time codes.
Government agencies, law enforcement, IT providers, telecom companies, and energy firms were among the targeted sectors. Microsoft also observed adversary-in-the-middle attacks against servers belonging to at least three government organizations in Africa, and Black Lotus Labs noted connections to a national identity platform in one European country. A cluster of compromised MikroTik routers, many located in Ukraine, was likely targeted for direct military intelligence value.
The NCSC assesses the operation as broadly opportunistic. Rather than singling out specific high-value individuals, APT28 compromised a vast pool of devices and filtered down to users of potential intelligence value at each stage of the chain.
Disruption — and Adaptation
Microsoft worked with Black Lotus Labs, the FBI, the US Department of Justice, and the Polish government to take the offending infrastructure offline.
But APT28 adapts fast. When the NCSC published a similar advisory in August 2025, the group responded within a day — abandoning its previous malware-based approach and switching to mass DNS hijacking on a far larger scale. “Before the last NCSC report came out they used this capability in very limited instances,” Black Lotus Labs engineer Danny Adamitis told Krebs on Security. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”
What to Actually Do
The remedies are straightforward if unglamorous. Update router firmware; many of the compromised devices were running outdated software with patches already available. Replace end-of-life routers that no longer receive security updates. Treat TLS certificate warnings in browsers as a sign of interception rather than a glitch, since they are the primary visible indicator of this attack. And consider configuring DNS servers manually on endpoints, or using encrypted DNS to a resolver you choose, rather than accepting whatever the router’s DHCP hands out.
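As an added example, not code from the NCSC, Microsoft or Black Lotus Labs write-ups, the Python script below turns the DHCP-to-DNS mechanism described under "How It Worked" and the remedies above into a client-side spot-check. It reads the resolvers DHCP handed the host and compares them with an allow-list, queries a trusted resolver directly with a hand-built DNS packet and compares that answer with the local resolver's, and lets standard TLS certificate validation judge the endpoint the name resolved to. The allow-list of expected resolvers (RFC 5737 documentation addresses), the choice of 9.9.9.9 as the trusted resolver, and the embedded DNS response used to exercise the parser are assumptions constructed for this example.

```python
"""Client-side spot-check for router-level DNS hijacking: compares the resolvers DHCP
handed this host with an allow-list, compares the local resolver's answer for a name
with a trusted resolver's answer, and lets TLS validation judge the resolved endpoint."""
import random
import socket
import ssl
import struct

# Hypothetical allow-list of resolvers an organisation expects in its DHCP leases
# (RFC 5737 documentation addresses, constructed for this example).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Constructed DNS response (transaction id 0x1234) answering outlook.com -> 203.0.113.10,
# with the answer's owner name given as a compression pointer back to the question.
CONSTRUCTED_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: 1 question, 1 answer
    b"\x07outlook\x03com\x00\x00\x01\x00\x01"  # question: outlook.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xcb\x00\x71\x0a"  # answer, TTL 60
)


def parse_resolv_conf(text):
    """Return the nameserver addresses from /etc/resolv.conf-style text."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def build_query(name, qid):
    """Minimal DNS query: one A/IN question, recursion desired."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) DNS name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, qid):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def hijack_indicators(dhcp_resolvers, expected_resolvers, local_answers, trusted_answers):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    rogue = sorted(set(dhcp_resolvers) - set(expected_resolvers))
    if rogue:
        findings.append("DHCP handed out unexpected resolver(s): " + ", ".join(rogue))
    # CDN-fronted names legitimately rotate addresses, so only a complete disagreement
    # between the two resolvers is treated as a signal.
    if local_answers and trusted_answers and not set(local_answers) & set(trusted_answers):
        findings.append("local resolver answer shares no address with trusted resolver")
    return findings


def live_check(hostname, dhcp_resolvers, trusted_resolver="9.9.9.9", timeout=3.0):
    qid = random.randrange(1 << 16)
    local = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(build_query(hostname, qid), (trusted_resolver, 53))
        trusted = parse_a_records(udp.recv(512), qid)
    # Caveat: a router that redirects every port-53 packet (not just the DHCP setting)
    # would answer this query too. Certificate validation does not depend on DNS: an
    # interception proxy cannot present a trusted certificate for the real name.
    findings = hijack_indicators(dhcp_resolvers, EXPECTED_RESOLVERS, local, trusted)
    try:
        with socket.create_connection((hostname, 443), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=hostname):
                pass
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate for {hostname} failed validation: {exc.verify_message}")
    return findings


if __name__ == "__main__":
    # Linux/macOS usage; on Windows take the resolvers from `ipconfig /all` instead.
    with open("/etc/resolv.conf") as fh:
        print(live_check("outlook.com", parse_resolv_conf(fh.read())) or ["no indicators"])
```

The resolver comparison alone is deliberately lenient: large sites return different addresses from different vantage points, so only a complete lack of overlap is reported. The certificate check is the one that cannot be argued with, and it is the same check the browser performs when it shows the warning the article describes.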
Paul Chichester, the NCSC’s director of operations, urged organizations to “familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.”
The scale was real and the targeting was broad. But this campaign exploited neglect, not sophistication — unpatched hardware, dismissed warnings, and the assumption that a cheap home router is too boring for a state intelligence service to bother with. That assumption, it turns out, is precisely what makes these devices worth attacking.
Sources
- Russia’s Fancy Bear still attacking routers to boost fake sites, NCSC warns — The Register
- APT28 exploit routers to enable DNS hijacking operations — UK National Cyber Security Centre
- SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks — Microsoft Security Blog
- Russia Hacked Routers to Steal Microsoft Office Tokens — Krebs on Security
- Authorities disrupt DNS hijacks used to steal Microsoft 365 logins — BleepingComputer