APT28 Adapts Tactics with Router Hijacking and Cloud Abuse for Cyberattacks
APT28, linked to Russia's GRU, has shifted its cyberattack methods to use compromised consumer routers and cloud services. The stealthy nature of these operations poses significant risks to organizations, with thousands of devices affected across multiple countries.

APT28, also known as Fancy Bear, has transitioned to using hijacked consumer-grade routers, specifically Ubiquiti EdgeRouters, for its cyber operations. This shift began in April 2022 and was part of a broader strategy, known as FrostArmada, that targeted MikroTik and TP-Link routers in 2026.
Researchers noted over 18,000 unique IP addresses linked to the group, with around 200 organizations and 5,000 devices compromised. The group employs innovative tactics, including short-lived malware tools and a custom backdoor named BeardShell, and uses cloud services to mask its communications. This adaptation of attack methods raises concerns for cybersecurity professionals, as traditional defenses may be inadequate against such stealthy tactics.