APT28 Hijacked SOHO Routers to Redirect Traffic and Support Espionage
British and U.S. officials said hackers linked to Russia’s GRU, including APT28/Fancy Bear and assessed as tied to Unit 26165, have run a broad campaign compromising home, small-office, ISP, and business edge devices to spy on targets and steal data. Authorities said the operators abused weak or default SNMP community strings, outdated SNMPv2 deployments, and known vulnerabilities in routers and firewalls, including some TP-Link devices, to gain access and persist on internet-facing infrastructure worldwide.
Once inside, the attackers altered router configurations to reroute traffic through infrastructure they controlled, enabling surveillance, credential interception, network mapping, and adversary-in-the-middle activity such as DNS manipulation and redirection to fraudulent sites. Recent reporting said investigators disrupted a Russia-backed espionage network spanning roughly 18,000 devices, while UK guidance urged organizations to lock down management interfaces, disable or restrict SNMP, upgrade protocols, and apply security updates to exposed edge equipment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
US disrupts Russia-backed espionage network spanning 18,000 devices
Federal authorities disrupted a widespread espionage infrastructure linked to the Russian campaign that reportedly spanned about 18,000 compromised devices. The action was presented as an effort to quash attacker-controlled infrastructure used to hijack internet traffic and support surveillance operations.
Authorities attribute router campaign to GRU-linked APT28
British officials later assessed with high confidence that the activity was tied to APT28, also known as Fancy Bear or BlueDelta, specifically GRU Unit 26165. Officials said the operators abused weak or default SNMP community strings, outdated SNMPv2, and known edge-device vulnerabilities to alter router settings and redirect traffic.
US and UK warn of Russian router-hacking campaign
The U.S. and U.K. governments publicly warned that Russian state-backed hackers were compromising home, business, ISP, and infrastructure routers worldwide for espionage and data theft. The campaign was described as targeting network devices to enable surveillance and credential interception.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Feds quash widespread Russia-backed espionage network spanning 18,000 devices | CyberScoop
cyberscoop.com
Open sourceUK exposes Russian cyber unit hacking home routers to hijack internet traffic | The Record from Recorded Future News
therecord.media
Open sourceUS and UK blame Russia for 'malicious' cyber-offensive | Cyberwar | The Guardian
theguardian.com
Open sourceRussian hackers mass-exploit routers in homes, govs, and infrastructure - Ars Technica
arstechnica.com
Open sourceRussian hackers are attacking home routers, ISPs and business firewalls to spy and steal data, warns US, UK | ZDNET
zdnet.com
Open sourceU.S., British governments warn businesses worldwide of Russian campaign to hack routers - The Washington Post
washingtonpost.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28 Router DNS Hijacking Campaign Disrupted by FBI
The FBI disrupted an **APT28** operation that compromised internet-connected routers to enable **DNS hijacking**, according to reporting citing U.S. and UK government findings. The campaign abused vulnerable edge devices to alter DNS settings and redirect traffic, giving the Russian state-linked group a way to intercept victim communications, harvest credentials, and support follow-on espionage activity. The activity was significant enough to prompt public warnings from the FBI and the UK **NCSC**, which described router exploitation as a key enabler for the hijacking operations. Government guidance tied the operation to exploitation of routers exposed to the internet and urged organizations to harden perimeter infrastructure by patching devices, restricting remote administration, rotating credentials, and reviewing DNS configurations for unauthorized changes. The disclosures underscore how Russian espionage actors continue to rely on stealthy network-level tradecraft—using compromised infrastructure rather than malware alone—to persist in victim environments and covertly redirect or monitor traffic.
May 25, 2026
FBI disrupts GRU router botnets used for espionage and DNS hijacking
The FBI and Justice Department said they disrupted multiple Russian GRU operations that hijacked small office/home office routers to conceal espionage activity, proxy malicious traffic, and steal credentials. In one court-authorized action, **Operation Dying Ember**, agents remotely accessed hundreds of compromised **Ubiquiti EdgeOS** routers infected with **Moobot**, deleted malware and related files, and temporarily changed firewall rules to cut off **APT28**—also tracked as **Fancy Bear**, **Sednit**, and **Forest Blizzard**—without disrupting normal device use. Officials said the botnet had originally been built by cybercriminals abusing internet-exposed routers with default administrator passwords before being repurposed by Russia’s **GRU Unit 26165**. U.S. authorities later said a related GRU campaign also compromised SOHO routers, including **TP-Link** devices, to alter **DNS** settings and conduct adversary-in-the-middle attacks against **TLS** sessions, including Outlook traffic, in operations affecting government, IT, telecommunications, and energy targets. In **Operation Masquerade**, the FBI sent commands to infected routers to collect forensic data and reset malicious DNS configurations, removing Russian access from the devices. Microsoft and U.S. agencies linked the activity to APT28 and warned that router compromises can enable traffic redirection, credential theft, malware delivery, and denial-of-service attacks, urging organizations to patch firmware, verify DNS settings, disable unnecessary remote management, and replace end-of-life hardware.
Jun 15, 2026
Authorities Disrupt APT28 Router DNS Hijacking Used to Steal Microsoft 365 Credentials
Authorities and private-sector partners disrupted an **APT28** campaign known as **FrostArmada** that hijacked DNS traffic on compromised SOHO routers to steal Microsoft 365 credentials and OAuth tokens. Investigators said the operation abused **MikroTik**, **TP-Link**, some **Nethesis**, and older **Fortinet** devices, redirecting authentication traffic through attacker-controlled VPS infrastructure to perform adversary-in-the-middle interception. Microsoft and Lumen Black Lotus Labs traced the activity, identified victims, and supported action by the **FBI**, the **U.S. Department of Justice**, and Polish authorities to take malicious infrastructure offline. At its peak in December 2025, the campaign had infected about **18,000 devices in 120 countries** and affected government agencies, law enforcement, IT and hosting providers, and organizations running their own servers. The disruption comes amid broader warnings that Russia-linked **Fancy Bear**—also tracked as **APT28**, **Forest Blizzard**, and **Pawn Storm**—continues global cyber-espionage and disruptive operations. Recent reporting tied the group not only to router-based DNS hijacking, including abuse of TP-Link devices and exploitation of **`CVE-2023-50224`**, but also to **NTLMv2** hash relay attacks leveraging Outlook flaw **`CVE-2023-23397`** and malware activity targeting Ukraine’s defense supply chain and allied countries. Security guidance from Microsoft, the UK NCSC, researchers, and government agencies urged organizations to harden routers, patch internet-facing systems, enable MFA, reduce external exposure, remove end-of-life equipment, and adopt certificate pinning and zero-trust controls to limit credential theft and follow-on compromise.
Apr 10, 2026