State Hackers, Corporate Spies and the Tech You Can't Trust


Editorial digest April 09, 2026
Last updated: 13:14

The internet was supposed to connect us. Instead, it turns out it's been connecting us — to Russian military intelligence, to Iranian saboteurs, to LinkedIn's surveillance machinery, and to a Silicon Valley AI race that's quietly abandoning every promise it made about openness. This week's tech news isn't about gadgets. It's about control.

---

APT28 is in your router right now

Eighteen thousand to forty thousand home and small-office routers. That's the scale of the latest confirmed campaign by APT28 — the hacking arm of Russia's GRU military intelligence agency, the same unit behind the 2016 US election interference and the hack of Germany's Bundestag. Researchers at Lumen Technologies' Black Lotus Labs confirmed this week that the group has wrangled this botnet across 120 countries, targeting devices from MikroTik and TP-Link — brands that fill broadband closets across Britain.

The method is precise and patient. A small cluster of compromised routers acts as relays, proxied into the networks of foreign ministries, law enforcement agencies, and government departments that APT28 actually wants to penetrate. The attack vector isn't sophisticated malware — it's DNS manipulation. Your router silently redirects lookups for Microsoft 365 services, harvesting credentials before passing traffic along. You'd notice nothing.

This matters beyond espionage. APT28 has operated for two decades. It doesn't innovate recklessly — it scales proven techniques to new targets. Consumer hardware was always the soft underbelly. It remains unpatched, forgotten, and trusted completely by the devices behind it.

---

Iran takes the fight to the grid

Across the Atlantic, a separate campaign with a different sponsor is crossing a more consequential threshold. Six US agencies — the FBI, NSA, CISA, EPA, Department of Energy, and Cyber Command — issued a joint advisory this week warning that an Iranian-linked APT group has been actively disrupting programmable logic controllers at critical infrastructure sites since at least March 2026. Water treatment plants. Energy facilities. Government services.

PLCs are the connective tissue between software automation and physical machinery. When they fail, things don't just go offline — they break. The advisory confirms that some victims have already experienced "operational disruption and financial loss."

The timing is deliberate. The US and Iran are nominally in a two-week ceasefire; Iran is simultaneously demanding cryptocurrency tolls from oil tankers passing through the Strait of Hormuz. The digital offensive runs parallel to the economic pressure. This is hybrid warfare made explicit — and the infrastructure targeted is of a kind whose architecture every allied nation, including Britain, shares.

---

LinkedIn was watching your plugins

Set aside state actors for a moment and consider the surveillance operating inside platforms you use every day. LinkedIn, it emerged this week, has been quietly scanning users' installed browser extensions. Not malicious ones — all of them. Two class action lawsuits were filed Monday in a California federal court, following a detailed report by German advocacy group Fairlinked that documented the practice.

LinkedIn's defence is that it was hunting for a specific extension that scraped user data in breach of its terms. The argument has some logic, but it concedes the point that critics are making: the platform believed it had the right to inventory your browser environment without telling you. That's a significant assumption of access — and it explains why the legal claims focus not just on what LinkedIn found, but on the fact that it looked at all.

The episode is a useful corrective to the idea that surveillance is something governments do. Platforms have been building parallel intelligence capabilities for years, justified by terms of service agreements that almost no one reads. GDPR was supposed to constrain this in the UK and EU. The LinkedIn case suggests the boundaries remain contested.

---

Meta abandons Llama. The open AI era may be ending.

One story that deserves more attention than it's received: Meta this week launched Muse Spark, the first model from its Superintelligence Labs — a clean break from the Llama family that made the company the standard-bearer for open-source AI. Spark is proprietary. It's trained on Instagram, Facebook, and Threads content. It will surface Reels and photos directly in responses.

The framing is "personal superintelligence for everyone." The reality is a closed model, fed by the largest social content corpus in existence, integrated into the most surveilled advertising ecosystem on earth.

Mark Zuckerberg promises open-source releases will follow. But the flagship product — the one that defines what Meta's AI actually is — is locked. Just days earlier, Anthropic launched Claude Mythos, a cybersecurity model restricted to vetted partners including Amazon, Apple, and Microsoft. Two of the AI industry's most significant releases this week are not available to the public.

The open AI moment, briefly real, is receding. What replaces it is a familiar pattern: concentrated capability, selective access, and the appearance of openness as a marketing position rather than an architectural commitment.

---

What this week makes clear is that the tech stack underlying modern life — routers, infrastructure controllers, browsers, AI models — is a contested space. Governments contest it militarily. Corporations contest it commercially. The distinction between the two is blurring faster than regulation can track.