[-] Dasus@lemmy.world 3 points 6 days ago

Oh that's the best food culture I could imagine.

I hate it when people overvalue food. I have chronic gastric issues and I'm just so fed up with people trying to feed me or tell me how I've not eaten enough.

20
submitted 1 week ago by Dasus@lemmy.world to c/news@lemmy.world

# Thousands of consumer routers hacked by Russia’s military

## End-of-life routers in homes and small offices hacked in 120 countries.

The Russian military is once again hacking home and small office routers in widespread operations that send unwitting users to sites that harvest passwords and credential tokens for use in espionage campaigns, researchers said Tuesday.

An estimated 18,000 to 40,000 consumer routers, mostly those made by MikroTik and TP-Link, located in 120 countries, were wrangled into infrastructure belonging to APT28, an advanced threat group that’s part of Russia’s military intelligence agency known as the GRU, researchers from Lumen Technologies’ Black Lotus Labs said. The threat group has operated for at least two decades and is behind dozens of high-profile hacks targeting governments worldwide. APT28 is also tracked under names including Pawn Storm, Sofacy Group, Sednit, Tsar Team, Forest Blizzard, and STRONTIUM.

### Technical sophistication, tried-and-true techniques

A small number of routers were used as proxies to connect to a much larger number of other routers belonging to foreign ministries, law enforcement, and government agencies that APT28 wanted to spy on. The group then used its control of routers to change DNS lookups for select websites, including, Microsoft said, domains for the company’s 365 service.

“Known for blending cutting-edge tools such as the large language model (LLM) ‘LAMEHUG’ with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders,” Black Lotus researchers wrote. “Their previous and current campaigns highlight both their technological sophistication and their willingness to revisit classic attack methods even after public exposure, underscoring the ongoing risk posed by this actor to organizations worldwide.”

To hijack the routers, the attackers exploited older models that hadn’t been patched against known security vulnerabilities. They then changed DNS settings for select domains and used the Dynamic Host Configuration Protocol to propagate them to router-connected workstations. When connected devices visited the selected domains, their connections were proxied through malicious servers before reaching their intended destination.

These adversary-in-the-middle servers used self-signed certificates. When the end user clicked through browser warnings, the servers captured all traffic passing through them. Among other things, they collected OAuth tokens and other credentials set after users, unaware their connections were being tapped, completed multifactor authentication.

The operation began in May 2025 on a limited number of devices. Then, in August, Britain’s National Cyber Security Center released an alert that documented a malware campaign a threat group was using to “intercept and exfiltrate Microsoft Office account credentials and tokens.” The following day, the threat group rapidly stepped up the router hijacking, an activity it continued to ramp up in the coming months.

Over a four-week period starting on December 12, Black Lotus observed more than 290,000 distinct IP addresses sending at least one DNS request to the malicious APT28 DNS resolver. “This suggested that as one capability was disclosed, the actor immediately shifted to another to continue acquiring authentication material,” company researchers wrote.

Black Lotus described the methodology this way:

  1. DNS changes were then propagated to the workstations on the adjacent LAN via Dynamic Host Configuration Protocol (DHCP).
  2. The actor operated a DNS server to behave like a typical recursive resolver, but when a targeted Fully Qualified Domain Name (FQDN) was queried, it was configured to provide a record back containing its own IP address instead of the correct address. The only interventions were triggered by domains associated with authentication-related services. If any other domain was requested, traffic passed directly through.
  3. The actor ran a proxy service as the AitM that the end user was directed to via DNS. The only sign of this attack would be a pop-up warning about connecting to an untrusted source because of the “break and inspect.”
  4. If warnings were present and ignored or clicked through, the actor proxied requests to the legitimate services, collecting the data at the midpoint and collecting data associated with the targeted account by passing the valid OAuth token. This allowed the actor to break and inspect traffic and access authentication material such as OAuth tokens after completing the multifactor challenge.

APT28 has a history of hacking routers. In 2018, researchers discovered 500,000 of the devices, mostly located in the US, were infected with malware tracked as VPNFilter. In 2024, the US Justice Department caught the group doing it again.

The easiest way for people to know if their router has been compromised in the operation is to review the current DNS settings to see if they list unrecognized servers. Users should also check event logs for any unrecognized changes to DNS server settings. People should also strongly consider replacing end-of-life routers with ones that receive regular security updates. People should never click through browser alerts warning of untrusted TLS certificates.

Dan Goodin Senior Security Editor
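
The two checks the article recommends (reviewing DNS settings for unrecognized servers, and reviewing event logs for DNS changes), sketched as an added example that is not part of the post or the article. The allowlist, the resolv.conf text and the log line format are constructed assumptions; real router logs differ by vendor.

```python
import ipaddress
import re

# Assumption: resolvers this network is supposed to use (constructed values).
EXPECTED_RESOLVERS = ["192.168.1.1/32", "198.51.100.53/32"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _outside(ip, expected):
    """True if ip is in none of the expected networks."""
    return not any(ip in ipaddress.ip_network(n) for n in expected)

def unrecognized_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Return nameservers (as handed out via DHCP) that are not on the allowlist."""
    flagged = []
    for line in resolv_conf_text.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # malformed entry, nothing to compare
            if _outside(ip, expected):
                flagged.append(str(ip))
    return flagged

def suspicious_dns_changes(log_lines, expected=EXPECTED_RESOLVERS):
    """Return (line, ip) pairs for DNS-related log lines naming an unexpected server."""
    hits = []
    for line in log_lines:
        if "dns" not in line.lower():
            continue
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1
            if _outside(ip, expected):
                hits.append((line, token))
    return hits

# Constructed sample inputs (documentation address ranges, invented log format).
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 203.0.113.66 ; not ours\nsearch lan\n"
SAMPLE_LOG = [
    "2025-12-01T10:00:00Z system,info dns servers changed to 192.168.1.1,198.51.100.53 by admin",
    "2025-12-14T03:12:09Z system,info dns servers changed to 203.0.113.66 by admin",
    "2025-12-14T03:12:10Z dhcp,info lease 192.168.1.23 assigned",
]

if __name__ == "__main__":
    print(unrecognized_resolvers(SAMPLE_RESOLV))
    print(suspicious_dns_changes(SAMPLE_LOG))
```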

87
submitted 2 months ago by Dasus@lemmy.world to c/news@lemmy.world

## Ukraine is telling its citizens not to register Starlink terminals for Russian forces.

## The country struck a deal with SpaceX last week that effectively blocks Russian access to Starlink.

## Officials say Russians are threatening or offering money to Ukrainians to register terminals for them.

Kyiv officials warned that Ukrainians might be coerced into registering Starlink terminals for the Kremlin's forces after a recent block on Russia's access to the service.

Ukraine's auxiliary body for handling prisoners of war posted a notice on Tuesday saying that it had learned of multiple instances where families of Ukrainian prisoners were threatened and told to enroll such terminals.

The warning comes after Ukraine's defense ministry reached a deal with SpaceX earlier this month to cut off Russia's access to Starlink by blocking general connectivity across Ukrainian territory.

"Looking for a way out of the difficult situation in which they found themselves, the occupiers turned their attention to the families of the prisoners," the Coordination Headquarters for the Treatment of Prisoners of War wrote in a statement.

"Cases of threats and demands to officially register Starlink terminals have been recorded," it added.

To maintain Starlink access, Ukrainian troops, civilians, and businesses must register individual terminals to a "whitelist," either online or at municipal centers.

The sweeping move aimed to curb a black-market loophole that Russian forces were exploiting. In compliance with US sanctions, SpaceX doesn't do business with Russia, but Ukraine has repeatedly said that Russian troops were obtaining terminals and using them to guide attack and reconnaissance drones.

In its latest statement, the Coordination Headquarters for the Treatment of Prisoners of War said that officials could trace the registration of terminals that were later used by Russian forces because enrollment requires an ID.

"If the terminal is used to control drones that destroy infrastructure and take lives, the fact of registering the terminal by a citizen of Ukraine is grounds for criminal prosecution," the agency added.

Russia is not known to have a satellite internet service that compares to Starlink's in terms of speed, availability, and stability.

"For the enemy, Starlink is so important that they have deployed a whole network to search for traitors who are ready to register Starlink for themselves in the Central Administrative Service," wrote Serhii "Flash" Beskrestnov, a drone analyst and an advisor to Ukraine's defense ministry, in a Telegram statement on Sunday.

In some cases, Russian troops were offering up to $230 to register a single terminal, Beskrestnov added. That's roughly a third of the median monthly salary in Ukraine.

For the Kremlin's forces, the service disruption has been significant enough that pro-Russian military bloggers have reported that most Russian units now lack internet access. Some have blamed Moscow for what they called a reliance on Western technology, even as the US and Europe explicitly back Ukraine.

"It's about to suddenly become clear that units cannot operate effectively without communications. That'll be news to some in high places," one blogger, under the handle Belarusian Silovik, wrote.

Denying Russian access to Starlink had long been a priority for Ukraine's new defense minister, Mykhailo Fedorov, who had previously advocated such measures while serving as minister for digital transformation.

1
submitted 7 months ago by Dasus@lemmy.world to c/world@lemmy.world

The agency said the source of the interference had been traced to Russian territory, and also affected shipping. Other European nations have accused Russia of being behind the jamming, which Moscow denies.

3
submitted 7 months ago by Dasus@lemmy.world to c/world@lemmy.world

North Karelia force says fence dividing Finland and Russia is no Berlin Wall – but it is now a key geopolitical faultline

... In an attempt to strike a note of optimism, he added: “We found a solution in 1944 and I’m sure that we will be able to find a solution in 2025.”

Matti Pitkäniitty, the commander of the North Karelia border guard district, believes illegal border crossings involving Russian defectors are likely to become a growing problem. Pointing to a gap in the vegetation where an old Finnish country lane passed through before the border was redrawn in 1940 after the Russo-Finnish war, resulting in Helsinki ceding part of Karelia, Pitkäniitty said most civilians trying to cross illegally preferred to stick to roads, limiting the number of potential routes.

“People are afraid of those thick forests here,” he said. But this would not be an issue for a Russian military professional trying to flee the war in Ukraine. “Now, one of the risks we are facing are the military-trained personnel fleeing the war. They of course know how to navigate through the woods and how to survive there if they need to stay out of sight for a couple of days.”

-25

Calling out davriellelouna@lemmy.world obvious spam makes them delete my comment and ban me as a spammer.

A SINGLE COMMENT on their community is spam, but someone posting 10-minute reads every 5 minutes 24/7/365 isn't spam?

Honestly whoever mod this was, however fking stupid are you to let your emotions take over and admit I'm right by banning me for one comment calling out literal spam?

Ah, Lemmy is occasionally really entertaining (because unlike them, my life isn't on the line so I don't get upset like they seem to :D)

-16

They're so insecure that they don't understand that banning me for calling out davriellelouna@lemmy.world as davel@lemmy.ml proxy spam account is "bad faith".

How is it in bad faith? These people don't even understand the words of the rules they're using, lol.

Literally every accusation from them is an admission, and because I called out bad-faith users spamming links, I got banned supposedly for arguing in bad faith.

Feels like lemmy is mostly just russians, honestly, which is understandable as the pathetic fuckers can't engage anyone on any properly moderated forums

18

I've nothing to add.

[-] Dasus@lemmy.world 118 points 10 months ago

"Son, if you're interested in biology, you'll have to learn to understand that the definitions of terms are rather... loose."

https://en.m.wikipedia.org/wiki/Species

8
submitted 1 year ago* (last edited 1 year ago) by Dasus@lemmy.world to c/startrek@lemmy.world

Shran uses a set from a Finnish designer, called "Ultima Thule". It's also featured as a world on the show, iirc. (I'm midway through rewatch, but Ultima Thule is definitely a world in the ST universe.)

The name comes from ancient times, meaning roughly "Ultimate North", and referring to various places that no-one can really agree on.

Anyways, the other glass is also Finnish, and also used in ST: Enterprise. Whenever Archer has dinner in his quarters or they're having cake at Malcolm's bday, there these glasses are: https://star-trek.design/glassware/tapio-goblets-by-tapio-wirkkala-for-iittala

(I wonder if this is related to my alcoholism flaring up anytime the episodes with the glasses come up.)

2
3
[-] Dasus@lemmy.world 105 points 1 year ago

I think it's like the FDA having just reasonable guidelines on how much UV you can safely be exposed to. RFKJR prolly thinks sun lotion prevents all the healthiness from the sun and crystallises your amygdala or something along those lines.

[-] Dasus@lemmy.world 166 points 1 year ago

How in the fuck.

Like what drives a majority of Americans to vote for a demented toddler. It's insane.

As a kid I always wondered how on Earth did Hitler ever make anyone follow himself, how did those people not realise. Turns out a majority of people are just fucking morons.

[-] Dasus@lemmy.world 105 points 1 year ago

I'll just leave this here because I didn't know, but guessed from context and then googled to verify:

The Handmaid's Tale, acclaimed dystopian novel by Canadian author Margaret Atwood, published in 1985. The book, set in New England in the near future, posits a Christian fundamentalist theocratic regime in the former United States that arose as a response to a fertility crisis.

119

I had more screen space for reading with my Nokia 3310.

[-] Dasus@lemmy.world 115 points 2 years ago

https://www.npr.org/2024/08/29/nx-s1-5092087/trump-arlington-cemetery-altercation-video

Here's the link they marked as "unsafe". Just you know, so you can give it a click or two or three, for Lemmy to participate in a bit of Streisand effect.

269
submitted 2 years ago* (last edited 2 years ago) by Dasus@lemmy.world to c/asklemmy@lemmy.world

Just something MAGA-people seem to have a hard time with sometimes. Probably not as much when Americans are speaking to themselves, but as a non-American, sometimes it's challenging to get "those people" to admit that there is indeed anything wrong with the US. As in they won't accept a single criticism, and will loudly proclaim "America is the greatest country in the world", while wearing a "Make America Great Again" hat, which for me pretty explicitly means America isn't great, if it has to be made to be such again.

[-] Dasus@lemmy.world 126 points 2 years ago

Literally all you post about is "don't vote Biden".

You always capitalise Russia, but then generalise "the west".

You never go against Trump or the Republicans. Always just "don't vote Democrats".

And weirdly you seem to try this "both sides" bullshit even when you do the rare comment about something other than "don't vote genocide Joe", like in this thread where you're talking about the Russo-Ukrainian war carefully without taking a side on the issue.

So, how would one recognise an actual Russian troll, btw? Like... they probably wouldn't admit to being one, would they?

[-] Dasus@lemmy.world 142 points 2 years ago

Fungi in general are about twice as old as sharks. Roughly a billion years vs ~450 million years.

The point is there just weren't any which had bacteria to decompose trees, as no bacteria had evolved the ability yet. Until there were. Took millions of years though.

Fun fact, now we have mushrooms which can deal with plastic.

Pestalotiopsis microspora is a type of endophytic fungus discovered in the Amazon rainforest in 2011 which contains bacteria that can biodegrade and break down synthetic plastic polymers.

[-] Dasus@lemmy.world 130 points 2 years ago

Say his name.

https://en.m.wikipedia.org/wiki/Eratosthenes

Just for those who wish to learn more.

[-] Dasus@lemmy.world 111 points 2 years ago* (last edited 2 years ago)

And she didn't even ask for the massive compensations she eventually got, she only asked McD to cover the medical expenses, as she had to spend a fair amount of time in a hospital because of the burned crotch she had.

Not unreasonable by a mile, but after that case, corporations have tried making pretty much all lawsuits against them seem completely ridiculous. I wonder why...

That said the dude in the photo does look guilty af.

[-] Dasus@lemmy.world 104 points 2 years ago

I believe those are called "republicans".


Dasus

joined 2 years ago