The Russian-linked threat group APT28 has continued to leverage vulnerable network devices to carry out large-scale DNS hijacking campaigns, enabling adversary-in-the-middle attacks. Recent developments show that these operations have drawn direct intervention from U.S. authorities.
The U.S. Department of Justice and the FBI announced a court-authorized operation to disrupt a network of compromised routers controlled by Russia’s military intelligence unit, widely known as APT28. According to findings aligned with prior reporting from the NCSC, the group has been exploiting routers to intercept communications, harvest credentials, and target individuals and organizations of intelligence interest.
DNS Hijacking and Adversary-in-the-Middle Tactics
APT28’s operations include DNS hijacking, a technique that manipulates how domain names are resolved into IP addresses. By altering DNS settings, often at the router level, attackers redirect legitimate traffic through malicious infrastructure.
This enables adversary-in-the-middle (AitM) attacks, where victims unknowingly connect to spoofed services. These malicious endpoints are designed to imitate legitimate platforms, allowing attackers to intercept login sessions and extract sensitive data, including passwords, OAuth tokens, and emails.
Both the FBI and the NCSC have noted that these attacks can impact browser sessions and desktop applications alike, increasing the scale and effectiveness of credential harvesting.
U.S. Operation Targets APT28 Infrastructure
The disruption effort, publicly disclosed by the Department of Justice, targeted a network of small office/home office (SOHO) routers compromised by APT28, also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, and Pawn Storm. The group is widely attributed to Russia’s GRU Unit 26165.
Since at least 2024, APT28 actors have exploited known vulnerabilities to gain access to thousands of TP-Link routers globally. After stealing credentials, they modified router configurations to redirect DNS traffic to malicious servers under their control.
These operations were initially indiscriminate. However, the attackers implemented automated filtering mechanisms to identify DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records for domains, particularly those mimicking Microsoft Outlook services, to facilitate adversary-in-the-middle attacks against encrypted traffic.
Through this approach, APT28 was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.
Official Statements on the Threat
U.S. officials described the campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg stated, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”
U.S. Attorney David Metcalf added, “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” emphasizing that the government would continue to respond aggressively to nation-state cyber threats.
FBI officials also stressed the scale of the campaign. Assistant Director Brett Leatherman noted that compromised routers were used globally for espionage, while Special Agent Ted E. Docks highlighted that devices across more than 23 U.S. states had been weaponized.
How the FBI Disrupted the DNS Hijacking Network
As part of the court-authorized operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. portion of APT28’s infrastructure.
According to court documents:
- The FBI sent commands to compromised routers to collect evidence of APT28 activity.
- Reset DNS settings, removing malicious resolvers and restoring legitimate ISP configurations.
- Blocked the actors’ ability to regain unauthorized access.
The operation was carefully tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. Importantly, the remediation steps can be reversed by users through factory resets or manual configuration changes.
Continued Router Exploitation and Infrastructure Tactics
These developments align closely with earlier findings from the NCSC, which documented how APT28 used Virtual Private Servers (VPSs) as malicious DNS infrastructure. Two main clusters were identified:
- Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and adversary-in-the-middle attacks.
- Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.
APT28’s activity has also included exploitation of vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.
Targeted Services and Indicators
APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including:
- autodiscover-s.outlook[.]com
- imap-mail.outlook[.]com
- outlook.live[.]com
- outlook.office[.]com
- outlook.office365[.]com
These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services.
Mitigation and Security Recommendations
Both the FBI and the NCSC recommend immediate steps to mitigate risks associated with DNS hijacking and adversary-in-the-middle attacks:
- Replace end-of-life or unsupported routers
- Update firmware to the latest available versions
- Verify DNS settings to ensure they point to legitimate resolvers
- Disable or secure remote management interfaces
- Implement firewall rules to limit exposure
- Enable multi-factor authentication (MFA) to reduce credential abuse
- Users are also encouraged to monitor their networks and report suspected compromises to appropriate authorities.
