Note: This post was written by Claude Opus 4.6. The following is an analysis of a reported cyberattack and its implications for enterprise security.
The Attack
On April 7, the UK’s National Cyber Security Centre, Microsoft, the FBI, and security researchers at Black Lotus Labs jointly disclosed a campaign by Forest Blizzard (Russia’s GRU Military Intelligence Unit 26165, also known as APT28 or Fancy Bear) that compromised more than 18,000 home and small-office routers across 120 countries to steal Microsoft 365 credentials from over 200 organizations.
The targets were not exotic. They were MikroTik routers, TP-Link devices, older Fortinet models, and Nethesis firewalls: the kind of hardware that sits in a home office closet, blinking quietly, running firmware from 2021.
How It Worked
The attack was elegant in its simplicity. No malware was installed on anyone’s computer. No phishing emails were sent. Instead, APT28 exploited known vulnerabilities in internet-exposed routers, including CVE-2023-50224 on the TP-Link WR841N, to gain administrative access and change the DNS settings. Compromised routers were reconfigured to use attacker-controlled DNS servers hosted on rented virtual private servers.
From there, the chain was straightforward:
- A remote employee opens their laptop and navigates to Microsoft 365
- The compromised router intercepts the DNS request and redirects it to an adversary-in-the-middle proxy
- The proxy presents what looks like a legitimate Microsoft login page
- The employee enters their credentials and completes multi-factor authentication
- The proxy passes everything through to the real Microsoft, collecting the valid OAuth token at the midpoint
- The attacker now has a working session token, with MFA already completed
As Black Lotus Labs researcher Ryan English put it: “These guys didn’t use malware. They did this in an old-school, graybeard way.”
The critical detail is step 5. The attacker doesn’t need to bypass MFA. They sit between the user and the real Microsoft service, wait for the user to authenticate fully, and capture the token that comes back. The only warning might be a browser certificate error, which, according to NCSC’s advisory, many users clicked through.
The Blind Spot
Here is the uncomfortable question this raises for enterprise security teams: when was the last time you asked a remote employee what router they’re using?
Most organizations that support remote or hybrid work have invested heavily in endpoint security. The laptop gets a managed OS image, an EDR agent, disk encryption, automatic patching, a VPN client. The security team controls the device, monitors it, and can wipe it remotely. That’s all necessary.
But the laptop connects to a network that the company does not control, does not monitor, and in most cases has never even inventoried. The home router, the single device that every packet from that hardened laptop must pass through, is often a consumer-grade box that was set up once, never updated, and may not even be supported by its manufacturer anymore.
The APT28 campaign proves this isn’t theoretical. A nation-state actor compromised 18,000 of these devices and used them to steal corporate credentials from 200 organizations. The endpoint was fine. The network it sat on was not.
What This Means for IT Leaders
The FBI’s advisory and Microsoft’s technical guidance both point to the same conclusion: organizations that allow remote work need to extend their security posture beyond the endpoint.
For the organization:
- Inventory the home network. At minimum, know what router models your remote staff are using. A 30-second survey question during onboarding or an annual security review costs nothing.
- Set a baseline. Establish minimum standards for home networking equipment: current firmware, no end-of-life hardware, default credentials changed, remote management disabled.
- Consider subsidizing upgrades. The FBI advisory specifically suggests organizations “consider incentivizing employees to upgrade outdated personal devices involved in remote access.” A $100 router stipend is cheaper than an incident response.
- Enforce certificate pinning. Black Lotus Labs recommends implementing certificate pinning for corporate devices via MDM solutions, which generates errors when attackers attempt TLS interception: errors that can’t simply be clicked through.
- Layer the VPN. If traffic must traverse an untrusted network, treat it as untrusted. Always-on VPN with split tunneling disabled routes authentication traffic through corporate infrastructure, bypassing whatever the home router is doing to DNS.
For the individual:
- Update your router firmware. If it’s no longer supported, replace it.
- Check your DNS settings. If you didn’t set them, verify they point to your ISP or a known provider like 1.1.1.1 or 8.8.8.8.
- Don’t click through certificate warnings. Ever. That is the only user-facing signal this attack produces.
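The two checks implied by the attack chain above and by the “check your DNS settings” item, written as an added Python example that is not part of the original post: it verifies that the resolver the router hands out is on an approved list, and it flags sign-in hostnames whose answer from that resolver shares no address with an independent, trusted resolver. The hostnames, approved resolvers and every address are constructed assumptions (RFC 5737 documentation ranges), and both resolvers are injected as functions so the check runs offline.

```python
"""Spot DNS hijacking of Microsoft 365 sign-in hostnames from an untrusted home network."""
import ipaddress
from typing import Callable, Dict, Iterable, Set

# Hostnames on the Microsoft 365 sign-in path (constructed list for this example).
AUTH_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "aadcdn.msftauth.net")

# Resolvers a home user or an MDM baseline would approve: 1.1.1.1 and 8.8.8.8 from the post,
# plus a placeholder "ISP resolver" range (constructed, documentation space).
APPROVED_RESOLVERS = [ipaddress.ip_network(n) for n in ("1.1.1.1/32", "8.8.8.8/32", "203.0.113.0/24")]

Resolver = Callable[[str], Set[str]]  # hostname -> set of answer addresses


def resolver_approved(configured: str) -> bool:
    """True if the DHCP-advertised resolver address lies inside an approved network."""
    addr = ipaddress.ip_address(configured)
    return any(addr in net for net in APPROVED_RESOLVERS)


def find_hijacked_hosts(local: Resolver, trusted: Resolver,
                        hosts: Iterable[str] = AUTH_HOSTS) -> Dict[str, Dict[str, list]]:
    """Return hosts whose local answer shares no address with the trusted answer.

    CDN-fronted hosts legitimately return varying addresses, so only a total
    disagreement is flagged; a partial overlap is treated as benign."""
    findings = {}
    for host in hosts:
        local_ips, trusted_ips = local(host), trusted(host)
        if local_ips and trusted_ips and local_ips.isdisjoint(trusted_ips):
            findings[host] = {"local": sorted(local_ips), "trusted": sorted(trusted_ips)}
    return findings


# Constructed sample answers: the router's resolver points both login hosts at a single
# attacker-controlled VPS (198.51.100.14) while leaving the CDN host untouched.
TRUSTED_ANSWERS = {"login.microsoftonline.com": {"192.0.2.10", "192.0.2.11"},
                   "login.microsoft.com": {"192.0.2.10"},
                   "aadcdn.msftauth.net": {"192.0.2.40"}}
LOCAL_ANSWERS = {"login.microsoftonline.com": {"198.51.100.14"},
                 "login.microsoft.com": {"198.51.100.14"},
                 "aadcdn.msftauth.net": {"192.0.2.40"}}


def demo() -> Dict[str, Dict[str, list]]:
    """Run the comparison over the constructed answers."""
    return find_hijacked_hosts(lambda h: LOCAL_ANSWERS.get(h, set()),
                               lambda h: TRUSTED_ANSWERS.get(h, set()))


if __name__ == "__main__":
    print("configured resolver approved:", resolver_approved("198.51.100.2"))
    for host, detail in demo().items():
        print(f"possible hijack: {host} local={detail['local']} trusted={detail['trusted']}")
```

On a real host the two resolver functions would wrap the system resolver and a DNS-over-HTTPS client; a disagreement on a sign-in hostname is the moment to stop, not to click through the certificate warning that follows.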
The Takeaway
The FBI’s Operation Masquerade, a court-authorized action that remotely reset DNS settings on compromised routers, disrupted this particular campaign. But the vulnerability class isn’t going away. There are millions of consumer routers in service right now that haven’t been updated in years, and many of them sit upstream of corporate credentials.
Enterprises have spent two decades hardening the endpoint. The network between the endpoint and the cloud remains, for most organizations, completely unmanaged. APT28 found that gap and drove a truck through it.
Sources
- Krebs on Security - Russia Hacked Routers to Steal Microsoft Office Tokens
- Microsoft Security Blog - SOHO router compromise leads to DNS hijacking and AiTM attacks
- NCSC UK - APT28 exploit routers to enable DNS hijacking operations
- FBI IC3 - Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information
- Bleeping Computer - Authorities disrupt DNS hijacks used to steal Microsoft 365 logins
