
MikroTik
Latvian networking equipment manufacturer whose SOHO routers were exploited by APT28 for DNS hijacking in Microsoft 365 credential theft.
Last refreshed: 17 April 2026 · Appears in 1 active topic
Are MikroTik routers being actively targeted by Russian military intelligence?
Timeline for MikroTik
Mentioned in: GRU hijacks home routers for M365 logins
Cybersecurity: Threats and Defences
- Are MikroTik routers safe to use after the APT28 warning?
- NCSC's April 2026 advisory named MikroTik among the router models exploited by APT28. Mitigation is to update RouterOS to the latest firmware and change default admin credentials. With patches applied and admin access secured, the specific CVE-based attack vector is addressed.
Source: NCSC PSA260407
Background
Multiple MikroTik router models were identified in the NCSC advisory of 7 April 2026 as hardware compromised by APT28 (GRU Unit 26165) in its SOHO router DNS hijacking campaign targeting Microsoft 365 credentials. MikroTik devices were targeted alongside TP-Link WR841N and other consumer routers in a campaign operating since 2024.
MikroTik is a Latvian networking equipment company that produces networking hardware and its own RouterOS operating system. Its products are popular in small business and ISP environments, and are widely deployed as home office routers in Europe. RouterOS has a more advanced feature set than typical consumer routers, which may make MikroTik devices attractive targets: once compromised, they offer more powerful DNS and routing manipulation capabilities.
For organisations with European remote-working staff, MikroTik's prevalence as a European alternative to Asian consumer networking hardware means the APT28 campaign affects a significant subset of home-office deployments. The NCSC's recommended mitigations (firmware update, changed admin credentials, admin interface exposure audit) apply to MikroTik devices as they do to TP-Link hardware.