Buconos
2026-05-02
Cybersecurity

The GRU's Router Hijacking Playbook: A Step-by-Step Guide to Understanding the Attack

A detailed breakdown of how Russia's APT28 group compromised 18,000-40,000 home routers worldwide for espionage, using DNS hijacking and proxy routing to steal credentials from government targets.

Introduction

In a sweeping cyberespionage campaign, Russia's military intelligence agency (GRU) is once again exploiting consumer routers to spy on governments and organizations worldwide. This guide breaks down the attack chain used by the threat group APT28 (also known as Pawn Storm, Sofacy, and Forest Blizzard). Between 18,000 and 40,000 routers—primarily MikroTik and TP-Link—were compromised across 120 countries. The attackers transformed these devices into proxy nodes and changed DNS lookups to redirect unsuspecting users to credential-harvesting sites. Understanding this playbook helps you recognize vulnerabilities and protect your own network.

Source: feeds.arstechnica.com

What You Need (From the Attacker’s Perspective)

  • A list of vulnerable router models (e.g., MikroTik RouterOS versions with default credentials, TP-Link models with known flaws)
  • Network scanning tools (e.g., Shodan, ZMap) to discover exposed routers
  • Exploit scripts or password-cracking utilities for default/weak credentials
  • DNS manipulation software (e.g., custom DNS resolver or DNSpooq techniques)
  • Proxy relay infrastructure to hide the attacker's origin
  • Target domains to hijack (e.g., Microsoft 365 login pages)

Step-by-Step Attack Breakdown

Step 1: Scan for Vulnerable Routers

The first move is to identify routers with open management interfaces (like SSH, Telnet, or web portals) exposed to the internet. Tools like Shodan allow attackers to filter by manufacturer (MikroTik, TP-Link) and port (e.g., port 8291 for MikroTik Winbox). A typical scan reveals thousands of devices that still use factory-default credentials or haven't been patched for known vulnerabilities.

Step 2: Gain Initial Access

Once a target is found, the attacker attempts to log in using default usernames and passwords (e.g., admin:admin for many TP-Link models, or blank passwords on MikroTik). If that fails, brute-force or dictionary attacks are launched against weak passwords. For MikroTik, older RouterOS versions are susceptible to unauthenticated remote command execution (CVE-2019-3978). Successful login gives the attacker full administrative control over the router.

Step 3: Install Proxy and DNS Hijacking Tools

With admin access, the attacker uploads a custom firmware or script that turns the router into a proxy and a DNS hijacker. The proxy routes traffic from the victim’s network through the compromised device to a command-and-control (C2) server. The DNS hijacking module intercepts DNS queries for specific domains (e.g., login.microsoftonline.com) and returns a rogue IP address—one that hosts a phishing page or a credential-stealing site.

Step 4: Redirect Traffic to Phishing Pages

The rogue DNS responses cause users within the hacked network to visit fake login pages that look identical to legitimate services. For instance, instead of reaching Microsoft 365's real authentication portal, the user lands on a clone hosted by the GRU. Any credentials or session tokens entered are forwarded to the attacker. This technique bypasses many security measures because the URL is altered only at the DNS level—no SSL warnings appear.


Step 5: Expand the Botnet via Proxy Chains

A small subset of compromised routers is designated as proxies to connect to higher-value targets: routers belonging to foreign ministries, law enforcement, or other government agencies. The attacker uses these proxy routers as stepping stones to breach more secure networks. By routing traffic through multiple infected home routers, they obfuscate the origin of the attack and evade network defenses.

Step 6: Harvest Credentials and Move Laterally

Once credentials or authentication tokens are captured from the phishing pages, the attacker uses them to log into legitimate cloud services (e.g., email, file sharing) of government employees. From there, they can access sensitive documents, maps, and communications. The stolen data is exfiltrated through encrypted channels that blend in with normal traffic, often using the same compromised routers as exit nodes.

Tips for Defenders: How to Protect Your Router

  • Change default passwords immediately—use a unique, complex passphrase (12+ characters) for the admin account.
  • Disable remote management unless absolutely necessary, and restrict it to specific IP addresses via firewall rules.
  • Keep firmware updated—check your router manufacturer’s website for patches. MikroTik and TP-Link have released updates addressing many of the flaws exploited by APT28.
  • Monitor DNS settings—regularly audit the DNS servers configured in your router. If they change without your knowledge, it’s a red flag.
  • Use a VPN at the router level to encrypt all DNS queries, preventing hijacking. Many routers support OpenVPN or WireGuard.
  • Enable logging and alerts—set your router to log access attempts and forward logs to a security information and event management (SIEM) system, if possible.
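The logging tip is only useful with something watching the logs. The following is an added example, not code from the article or from MikroTik: a sliding-window detector for the repeated login failures that Step 2 produces, run over constructed sample lines that approximate syslog-forwarded RouterOS "login failure" messages (the exact message format is an assumption; check what your own router emits).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines approximating syslog-forwarded RouterOS "login failure"
# messages (the exact format is an assumption; compare with your router's output).
SAMPLE_LOG = """\
May 02 10:00:01 gw system,error,critical login failure for user admin from 203.0.113.5 via winbox
May 02 10:00:02 gw system,error,critical login failure for user admin from 203.0.113.5 via winbox
May 02 10:00:04 gw system,error,critical login failure for user root from 203.0.113.5 via ssh
May 02 10:00:05 gw system,error,critical login failure for user admin from 203.0.113.5 via ssh
May 02 10:00:09 gw system,error,critical login failure for user admin from 203.0.113.5 via ssh
May 02 10:03:00 gw system,info,account user admin logged in from 192.168.88.10 via winbox
May 02 10:07:00 gw system,error,critical login failure for user admin from 198.51.100.7 via telnet
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ system,\S+ "
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\w+)$"
)

def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Sliding-window count of failed router logins per source address; one finding
    per source the first time it reaches `threshold` failures within `window_s` seconds."""
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    findings = []
    for line in log.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue            # successful logins and unrelated lines are not counted
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing intervals within a single log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src = m["src"]
        q = recent[src]
        q.append((ts, m["user"], m["svc"]))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()         # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            findings.append({"src": src, "failures": len(q), "window_end": m["ts"],
                             "users": sorted({u for _, u, _ in q}),
                             "services": sorted({s for _, _, s in q})})
    return findings
```

Feed it the log your router forwards to the SIEM; a finding whose source is outside your own address space is exactly the exposed-management-interface scenario the attack starts from.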

Remember: consumer routers are frequent targets because they are often neglected after initial setup. A few minutes of hardening can save you from becoming part of a state-sponsored botnet.
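To put the "Monitor DNS settings" tip into practice against the hijack described in Steps 3 and 4, here is an added example (not from the article or from any vendor): it parses raw DNS A responses and flags answers from the router's resolver that a trusted resolver did not return, calling out ones that land in private address space where a phishing clone on the LAN would sit. The DNS messages and IP addresses are constructed for the test, not real records; `build_a_response` exists only to produce that input.

```python
import ipaddress
import struct

def build_a_response(name: str, addrs: list[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A response in wire format (constructed test input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b"".join(                                  # name as pointer to offset 12
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addrs)
    return header + question + answers

def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    pos = 12
    for _ in range(qdcount):                 # skip question section
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 1 + 4                         # root label + QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        if msg[pos] & 0xC0 == 0xC0:          # compressed name
            pos += 2
        else:
            while msg[pos]:
                pos += msg[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    return addrs

def check_hijack(domain: str, router_msg: bytes, trusted_msg: bytes) -> list[str]:
    """Flag addresses the router's resolver returned that a trusted resolver did not,
    noting when they fall in private/reserved space (a phishing clone on the LAN).
    Caveat: CDN-fronted domains legitimately differ by region; in production compare
    netblocks or certificate ownership rather than exact addresses."""
    router = set(parse_a_records(router_msg))
    trusted = set(parse_a_records(trusted_msg))
    findings = []
    for addr in sorted(router - trusted):
        ip = ipaddress.ip_address(addr)
        kind = "private/reserved" if ip.is_private or ip.is_reserved else "unexpected"
        findings.append(f"{domain}: router resolver returned {kind} address {addr}")
    return findings
```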