APT28 Router DNS Hijacking Campaign Disrupted by FBI
The FBI disrupted an APT28 operation that compromised internet-connected routers to enable DNS hijacking, according to reporting citing U.S. and UK government findings. The campaign abused vulnerable edge devices to alter DNS settings and redirect traffic, giving the Russian state-linked group a way to intercept victim communications, harvest credentials, and support follow-on espionage activity. The activity was significant enough to prompt public warnings from the FBI and the UK NCSC, which described router exploitation as a key enabler for the hijacking operations.
Government guidance tied the operation to exploitation of routers exposed to the internet and urged organizations to harden perimeter infrastructure by patching devices, restricting remote administration, rotating credentials, and reviewing DNS configurations for unauthorized changes. The disclosures underscore how Russian espionage actors continue to rely on stealthy network-level tradecraft—using compromised infrastructure rather than malware alone—to persist in victim environments and covertly redirect or monitor traffic.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
FBI disrupts APT28 router-based DNS hijacking network
By 2026-04-08, reporting indicated that the FBI had disrupted an APT28 operation that exploited routers to enable DNS hijacking. An accompanying NCSC reference indicates official attention to APT28's router exploitation tradecraft in support of these operations.
FireEye publicly documents APT29's TOR domain-fronting tradecraft
On 2017-03-27, FireEye published technical details on APT29's use of TOR, meek domain fronting, fake Google-themed directories, port forwarding of RDP/SMB-related services, Sticky Keys abuse, and a 'Google Update' persistence service. The report highlighted how the technique hindered network detection and emphasized the need for endpoint visibility.
APT29 uses TOR domain fronting to maintain covert access
FireEye reported that APT29 had used TOR with the meek domain-fronting plugin for at least two years to preserve stealthy backdoor access in victim environments. The traffic was made to resemble legitimate HTTPS connections to Google services while tunneling attacker communications through TOR.
Sources
4 references tracked. Mallory keeps watching after this page renders.
APT28 DNS Hijacking: FBI Disrupts Router Attack Network
thecyberexpress.com
Open sourceAPT29 Domain Fronting With TOR " APT29 Domain Fronting With TOR | FireEye Inc
web.archive.org
Open sourceAPT29 Domain Fronting With TOR | FireEye Inc
fireeye.com
Open sourceNcsc Blog
ncsc.gov.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28 Hijacked SOHO Routers to Redirect Traffic and Support Espionage
British and U.S. officials said hackers linked to Russia’s GRU, including **APT28**/**Fancy Bear** and assessed as tied to **Unit 26165**, have run a broad campaign compromising home, small-office, ISP, and business edge devices to spy on targets and steal data. Authorities said the operators abused weak or default **SNMP** community strings, outdated `SNMPv2` deployments, and known vulnerabilities in routers and firewalls, including some **TP-Link** devices, to gain access and persist on internet-facing infrastructure worldwide. Once inside, the attackers altered router configurations to reroute traffic through infrastructure they controlled, enabling surveillance, credential interception, network mapping, and adversary-in-the-middle activity such as **DNS** manipulation and redirection to fraudulent sites. Recent reporting said investigators disrupted a Russia-backed espionage network spanning roughly **18,000 devices**, while UK guidance urged organizations to lock down management interfaces, disable or restrict SNMP, upgrade protocols, and apply security updates to exposed edge equipment.
May 25, 2026
FBI disrupts GRU router botnets used for espionage and DNS hijacking
The FBI and Justice Department said they disrupted multiple Russian GRU operations that hijacked small office/home office routers to conceal espionage activity, proxy malicious traffic, and steal credentials. In one court-authorized action, **Operation Dying Ember**, agents remotely accessed hundreds of compromised **Ubiquiti EdgeOS** routers infected with **Moobot**, deleted malware and related files, and temporarily changed firewall rules to cut off **APT28**—also tracked as **Fancy Bear**, **Sednit**, and **Forest Blizzard**—without disrupting normal device use. Officials said the botnet had originally been built by cybercriminals abusing internet-exposed routers with default administrator passwords before being repurposed by Russia’s **GRU Unit 26165**. U.S. authorities later said a related GRU campaign also compromised SOHO routers, including **TP-Link** devices, to alter **DNS** settings and conduct adversary-in-the-middle attacks against **TLS** sessions, including Outlook traffic, in operations affecting government, IT, telecommunications, and energy targets. In **Operation Masquerade**, the FBI sent commands to infected routers to collect forensic data and reset malicious DNS configurations, removing Russian access from the devices. Microsoft and U.S. agencies linked the activity to APT28 and warned that router compromises can enable traffic redirection, credential theft, malware delivery, and denial-of-service attacks, urging organizations to patch firmware, verify DNS settings, disable unnecessary remote management, and replace end-of-life hardware.
Jun 15, 2026
Authorities Disrupt APT28 Router DNS Hijacking Used to Steal Microsoft 365 Credentials
Authorities and private-sector partners disrupted an **APT28** campaign known as **FrostArmada** that hijacked DNS traffic on compromised SOHO routers to steal Microsoft 365 credentials and OAuth tokens. Investigators said the operation abused **MikroTik**, **TP-Link**, some **Nethesis**, and older **Fortinet** devices, redirecting authentication traffic through attacker-controlled VPS infrastructure to perform adversary-in-the-middle interception. Microsoft and Lumen Black Lotus Labs traced the activity, identified victims, and supported action by the **FBI**, the **U.S. Department of Justice**, and Polish authorities to take malicious infrastructure offline. At its peak in December 2025, the campaign had infected about **18,000 devices in 120 countries** and affected government agencies, law enforcement, IT and hosting providers, and organizations running their own servers. The disruption comes amid broader warnings that Russia-linked **Fancy Bear**—also tracked as **APT28**, **Forest Blizzard**, and **Pawn Storm**—continues global cyber-espionage and disruptive operations. Recent reporting tied the group not only to router-based DNS hijacking, including abuse of TP-Link devices and exploitation of **`CVE-2023-50224`**, but also to **NTLMv2** hash relay attacks leveraging Outlook flaw **`CVE-2023-23397`** and malware activity targeting Ukraine’s defense supply chain and allied countries. Security guidance from Microsoft, the UK NCSC, researchers, and government agencies urged organizations to harden routers, patch internet-facing systems, enable MFA, reduce external exposure, remove end-of-life equipment, and adopt certificate pinning and zero-trust controls to limit credential theft and follow-on compromise.
Apr 10, 2026