
Russian State-Linked Group APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

MOSCOW — A Russian state-linked cyber group known as APT28 has launched a global campaign exploiting vulnerabilities in small office and home office (SOHO) routers to hijack Domain Name System (DNS) traffic. The operation, detected on April 7, 2026, marks a significant escalation in the group's use of consumer networking hardware to redirect internet traffic on an international scale.

Security researchers identified the attack as a coordinated effort to compromise router firmware, allowing the group to intercept and alter DNS requests. By manipulating these requests, the attackers can redirect users to fraudulent websites or block access to legitimate services without the users' knowledge. The campaign targets a wide range of router models from various manufacturers, exploiting unpatched security flaws that have remained in consumer devices for years.

The attack vector relies on the widespread deployment of SOHO routers in homes and small businesses globally. Unlike enterprise-grade equipment, many consumer routers lack robust security updates, making them attractive targets for state-sponsored actors. APT28, also known as Fancy Bear, has a history of conducting cyber operations against government, military, and media targets. This latest campaign represents a shift toward infrastructure that affects a broader civilian population.

Network administrators and cybersecurity firms reported unusual DNS activity across multiple continents on April 7. The hijacking potentially allowed the group to monitor communications, steal credentials, or distribute malware. The scope of the campaign remains unclear, with experts noting that the full extent of compromised devices may take weeks to determine.
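As an added illustration (not code from the article or from any vendor), one way a network operator can look for the symptom described above is to resolve a set of sentinel names through the router-advertised resolver and through a trusted out-of-band resolver, then flag names that are redirected or blocked. The hostnames, addresses and CDN allowlist below are constructed sample data; the allowlist exists because CDN and anycast names legitimately answer differently per resolver and would otherwise produce false positives.

```python
"""Compare DNS answers seen via the local (router-advertised) resolver with a trusted baseline."""
import ipaddress
from dataclasses import dataclass

# Constructed sample data: A-record answers for the same names from the resolver
# handed out by the router versus a trusted resolver queried out of band.
LOCAL_ANSWERS = {
    "bank.example": {"203.0.113.77"},      # differs from the trusted answer: redirect
    "mail.example": {"198.51.100.10"},     # matches
    "cdn.example": {"192.0.2.40"},         # differs, but both answers sit in a CDN range
    "update.example": set(),               # local resolver returned nothing: blocked
}
TRUSTED_ANSWERS = {
    "bank.example": {"198.51.100.5"},
    "mail.example": {"198.51.100.10"},
    "cdn.example": {"192.0.2.41"},
    "update.example": {"198.51.100.20"},
}
# Ranges where per-resolver differences are expected (CDN/anycast), not suspicious.
CDN_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str            # "redirect" or "blocked"
    local: frozenset
    trusted: frozenset


def _all_in_allowlist(addrs, allowlist):
    return bool(addrs) and all(any(ipaddress.ip_address(a) in net for net in allowlist) for a in addrs)


def compare_answers(local, trusted, allowlist=CDN_ALLOWLIST):
    """Return findings for names whose local answers diverge from the trusted baseline."""
    findings = []
    for name, expected in trusted.items():
        seen = local.get(name, set())
        if not seen and expected:
            findings.append(Finding(name, "blocked", frozenset(), frozenset(expected)))
        elif not seen <= expected and not (_all_in_allowlist(seen, allowlist) and _all_in_allowlist(expected, allowlist)):
            findings.append(Finding(name, "redirect", frozenset(seen), frozenset(expected)))
    return findings


def resolver_is_expected(resolver_ip, expected_resolvers):
    """True when the resolver the router advertises is one the operator actually configured."""
    return ipaddress.ip_address(resolver_ip) in {ipaddress.ip_address(r) for r in expected_resolvers}


if __name__ == "__main__":
    for f in compare_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print(f"{f.kind:8} {f.name}: local={sorted(f.local)} trusted={sorted(f.trusted)}")
    print("resolver expected:", resolver_is_expected("203.0.113.9", ["192.168.1.1", "9.9.9.9"]))
```

A subset answer (round-robin returning fewer addresses) is not flagged; only answers outside the trusted set, or an empty answer where one is expected, produce a finding.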

No specific motivation has been identified for the operation. While APT28 has previously targeted political entities and election infrastructure, this attack on consumer routers suggests a broader objective. Analysts speculate the campaign could be part of a larger intelligence-gathering effort or a preparatory step for future operations. However, without confirmed attribution or stated goals, the purpose remains uncertain.

Vendors of affected router models have begun issuing emergency firmware updates to patch the exploited vulnerabilities. Users are advised to update their devices immediately and change default administrative passwords. Internet service providers are working to identify and isolate compromised networks to prevent further spread.

The incident highlights the growing risk posed by insecure consumer technology in the context of state-sponsored cyber warfare. As more devices connect to the internet, the attack surface expands, providing opportunities for adversaries to infiltrate networks through seemingly harmless hardware.

Questions remain about the duration of the campaign and whether the group has maintained access to compromised routers. Researchers continue to monitor for new indicators of compromise and assess the potential for long-term surveillance. The international community is expected to respond with increased scrutiny of router security standards and potential sanctions against the actors involved.