UK warns Russia-linked APT28 is hijacking MikroTik, TP‑Link and other consumer routers

What the government says
The UK government has issued an alert saying that a Russia-linked hacking group known as APT28 is targeting popular home and small-office routers from vendors including MikroTik and TP-Link. According to the alert, the intruders quietly take control of devices, steal login credentials and redirect users' web traffic to malicious servers. The advisory names the usual suspects, exposed remote management interfaces and weak or default passwords, as the likely entry points.
How the attacks allegedly work
According to the warning, compromised routers are reconfigured so that victims' traffic flows through attacker-controlled proxies, which enables credential theft and broader surveillance. A router sits in the path of every connection on the network, so whoever controls its proxy or DNS settings can steer users to look-alike login pages or read anything sent without TLS. Officials describe the campaign as part of a longer pattern of targeting by APT28, although attribution of cyber incidents is rarely certain, which is why public notices hedge with "Russia-linked" or "allegedly". Quiet, low-profile intrusions into everyday gear, not blockbuster breaches, are often the most effective.
What users should do
The UK urged users and small businesses to update router firmware, change default and weak passwords, disable remote management where it is not needed, and factory-reset any device that behaves oddly. Sound advice, with one caveat: a reset only helps if it is followed by the firmware update and new passwords, otherwise the same door is left open. After two years of remote work, how many of us have actually checked the back of the router lately? That moment of vulnerability, the household object you never think about becoming a spy, is the emotional sting here.
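As an added illustration of those four steps on one of the named vendors, here is a RouterOS console session (MikroTik's own command line) that a small-office administrator could run right after a factory reset. It is not taken from the UK advisory or from MikroTik; it assumes RouterOS v6.41 or later, the default LAN range 192.168.88.0/24 and the default account name admin, all of which you should adjust to your own device. The audit commands at the end are where you would look for the proxy and DNS changes the advisory describes.

```routeros
# Added example (not from the UK advisory or MikroTik): post-reset hardening
# and audit for a MikroTik RouterOS device (v6.41+). Assumes the default LAN
# 192.168.88.0/24 and the default account "admin"; adjust to your network.

# 1. Firmware: fetch the current release and install it (the device reboots).
/system package update check-for-updates
/system package update install

# 2. Credentials: replace the default admin password, then list accounts and
#    remove any you did not create (an extra user is a common foothold).
/user set [find name=admin] password="use-a-long-unique-passphrase"
/user print

# 3. Remote management: keep only SSH, WinBox and HTTPS, and only from the LAN.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24
/ip ssh set strong-crypto=yes
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/ip upnp set enabled=no

# 4. The redirection features the advisory describes: make sure the built-in
#    web proxy and SOCKS proxy are off and the resolver is not open to the WAN.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip dns set allow-remote-requests=no

# Audit: anything unexpected below means the reset did not take or the device
# was reconfigured again. Check upstream resolvers, static DNS overrides,
# NAT rules that redirect ports, scheduled scripts, and which services listen.
/ip dns print
/ip dns static print
/ip firewall nat print
/system script print
/system scheduler print
/ip service print
```

Run the audit block first on a device you suspect, before the reset, and save the output; a resolver address, SOCKS proxy or scheduled script you did not configure is exactly the kind of change the alert is about, and the saved output is the evidence you would hand to whoever investigates.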
Why this matters
This is part of a broader trend in which nation-state groups move beyond servers and enterprise networks to exploit the thin edge of the internet: consumer routers, IoT devices and home offices. The stakes are practical and personal: stolen credentials feed account takeover and the fraud that follows it. Patch, reset, repeat. Small steps, big difference.
Sources: bloomberg.com