APT28 Turns Your Router into a Spy Platform
Russia's GRU military intelligence has been operating a sophisticated DNS hijacking campaign through compromised small-office/home-office (SOHO) routers — primarily MikroTik and TP-Link devices — to conduct credential theft and cyber espionage against military, government, and critical infrastructure targets globally.
The campaign, codenamed Operation FrostArmada by Lumen Black Lotus Labs, was publicly disclosed on April 7, 2026 through a joint advisory co-authored by the UK NCSC, CISA, NSA, FBI, and 15+ partner nations including Canada, Germany, and Ukraine. The same day, the U.S. Department of Justice and FBI announced a court-authorized technical operation to disrupt the infrastructure.
Attribution: APT28 / Forest Blizzard / Fancy Bear
The operation is attributed to APT28 (also known as Forest Blizzard, Fancy Bear, Strontium, and Sofacy) — GRU Military Unit 26165 (85th GTsSS). APT28 is among the most prolific state-sponsored threat actors globally, with a track record spanning the 2016 U.S. election interference, the NotPetya deployment, and numerous campaigns against NATO member states.
The campaign has been active since at least May 2025, with advisory data suggesting continuous refinement of the DNS hijacking methodology throughout the operation.
Attack Methodology: Poisoning at the Infrastructure Layer
APT28's technique is notable for its position in the network stack — rather than compromising individual endpoints, the group targets the DNS resolution infrastructure itself.
Stage 1: Router Compromise
Attackers exploit known vulnerabilities in SOHO devices to gain administrative control:
- TP-Link routers: CVE-2023-50224 (and related firmware vulnerabilities) used to gain unauthenticated root access
- MikroTik RouterOS: Exploits targeting exposed Winbox management interfaces and default credential abuse
Many of the targeted devices are end-of-life or unpatched, running firmware that has not received security updates in years.
Stage 2: DNS Server Replacement
Once inside the router, APT28 modifies the DHCP and DNS server configuration to point to actor-controlled malicious DNS servers hosted on overseas VPS infrastructure. The change propagates automatically to all devices on the network that obtain their DNS settings via DHCP — laptops, phones, tablets, and IoT devices alike inherit the poisoned configuration without any indication to end users.
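The resolver audit that Stage 2 calls for (and that the "audit router configurations" advice under Indicators and Detection repeats), as an added example that is not from the advisory or any vendor tool: it parses a constructed MikroTik RouterOS export snippet and flags any resolver that is not on an assumed allowlist. The allowlist entries and the 203.0.113.10 address are constructed placeholders, not indicators from the campaign.

```python
import ipaddress
import re

# Resolvers this network is allowed to use (constructed placeholder values).
TRUSTED_RESOLVERS = {"10.0.0.53", "1.1.1.1", "9.9.9.9"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed RouterOS export snippet; 203.0.113.10 is a documentation-range placeholder,
# not an address seen in the campaign.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.10,10.0.0.53
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=203.0.113.10,192.168.88.1 \\
    gateway=192.168.88.1
"""

# Resolvers appear as servers=a,b under /ip dns and dns-server=a,b under /ip dhcp-server network.
_RESOLVER_RE = re.compile(r"\b(?:servers|dns-server)=(\S+)")
_SECTIONS = ("/ip dns", "/ip dhcp-server network")

def extract_resolvers(export_text):
    """Map each relevant export section to the set of resolver addresses it configures."""
    found = {}
    section = None
    # RouterOS wraps long lines with a trailing backslash; rejoin them first.
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section in _SECTIONS:
            for match in _RESOLVER_RE.finditer(line):
                addrs = {a for a in match.group(1).split(",") if a}
                found.setdefault(section, set()).update(addrs)
    return found

def audit_resolvers(export_text, trusted=TRUSTED_RESOLVERS):
    """Return (section, address, severity) for every resolver outside the allowlist.

    A public, unapproved resolver is the Stage 2 pattern and is rated high; an
    unapproved RFC1918 address (often the router itself) is rated medium.
    """
    findings = []
    for section, addrs in extract_resolvers(export_text).items():
        for addr in sorted(addrs):
            if addr in trusted:
                continue
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append((section, addr, "invalid"))
                continue
            severity = "medium" if any(ip in net for net in RFC1918) else "high"
            findings.append((section, addr, severity))
    return findings
```

Run it against the output of `/export` pulled from each SOHO device in inventory; a "high" finding on a router's DHCP network is exactly the change the campaign relies on.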
Stage 3: Attacker-in-the-Middle Credential Harvest
When a device on the compromised network sends a DNS query for a targeted domain (Microsoft 365 login, government email portals, VPN gateways), the malicious DNS server returns the IP of an APT28-controlled attacker-in-the-middle (AitM) node instead of the legitimate server.
The AitM node:
- Presents a legitimate-looking TLS certificate for the targeted domain (obtained via Let's Encrypt or similar)
- Relays traffic to the real server, functioning as a transparent proxy
- Harvests credentials, session tokens, email content, and browsing data from the intercepted sessions
- Operates silently — users see no warning unless they inspect certificates carefully
User Device → [Poisoned DNS] → APT28 AitM Node → Legitimate Server
                                      ↓
                            Harvests credentials,
                            tokens, email content
Scale and Targets
Microsoft confirmed the impact extends to:
- 200+ organizations — including military units, government agencies, and critical infrastructure operators
- 5,000+ consumer devices — broader indiscriminate compromise used for infrastructure and cover
Geographic targeting focused heavily on Ukraine (where MikroTik routers were interactively targeted following the invasion), with additional victims across the United States, NATO member states, and allied nations.
The campaign appears to prioritize:
- Defense contractors and military supply chains
- Government email and communications infrastructure
- Critical infrastructure operators (energy, utilities, transport)
- Media organizations covering the Russia-Ukraine conflict
Law Enforcement Response: Operation Masquerade
In a court-authorized technical operation called Operation Masquerade, the FBI and DOJ:
- Identified compromised routers on U.S. soil through collaboration with ISPs
- Obtained judicial authorization to remotely access those devices
- Reset the DNS configurations to legitimate servers, severing the AitM connection
- Notified affected device owners through ISP partners
The advisory was simultaneously released by 17 national cybersecurity agencies, one of the broadest coordinated disclosure efforts in recent years.
Indicators and Detection
Signs of DNS Hijacking on Your Router
- DNS server addresses in router admin panel changed to unfamiliar IPs
- Unexpected SSL/TLS certificate warnings on sites that previously loaded without errors
- Unexplained authentication failures with MFA challenges for known-good accounts
- Email clients reporting certificate changes for mail servers
For Network Defenders
- Audit router configurations for unauthorized DNS server changes — especially on SOHO equipment
- Monitor DNS query logs for requests to unfamiliar name servers from internal devices
- Alert on certificate changes for high-value domains (M365, email gateways, VPN portals)
- Implement DNS over HTTPS (DoH) or DNS over TLS (DoT) on managed endpoints to bypass local DNS poisoning
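The two monitoring items above (unfamiliar resolutions for high-value names, and certificate changes on them) combined into one detection, as an added example that is not from the advisory: it runs over constructed log lines and raises a stronger "suspect" finding only when the same client sees both a changed answer and a changed issuer for the same name, which is the Stage 3 AitM pattern. The domain, netblock, issuer strings and log format are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Baselines for high-value names (constructed placeholders; a real baseline comes from your
# own resolver history and the service's published address ranges / issuing CA).
EXPECTED_ANSWERS = {"login.example-tenant.com": ["198.51.100.0/24"]}
EXPECTED_ISSUERS = {"login.example-tenant.com": {"CN=Example Corporate CA"}}

# Constructed log lines: "<epoch> <dns|tls> <client> <name> <answer or certificate issuer>".
SAMPLE_LOG = """\
1712476800 dns 192.168.88.20 login.example-tenant.com 198.51.100.7
1712476801 tls 192.168.88.20 login.example-tenant.com CN=Example Corporate CA
1712476900 dns 192.168.88.31 login.example-tenant.com 203.0.113.45
1712476901 tls 192.168.88.31 login.example-tenant.com CN=R3,O=Let's Encrypt,C=US
1712476950 dns 192.168.88.31 intranet.example-tenant.com 10.0.0.5
"""

def parse_line(line):
    ts, kind, client, name, value = line.split(None, 4)
    return int(ts), kind, client, name.lower().rstrip("."), value

def unexpected_answer(name, answer):
    """True when a monitored name resolves outside its baseline netblocks."""
    nets = EXPECTED_ANSWERS.get(name)
    if nets is None:
        return False  # not a monitored name
    ip = ipaddress.ip_address(answer)
    return not any(ip in ipaddress.ip_network(n) for n in nets)

def unexpected_issuer(name, issuer):
    """True when a monitored name presents a certificate from an issuer outside its baseline."""
    issuers = EXPECTED_ISSUERS.get(name)
    return issuers is not None and issuer not in issuers

def scan(log_text):
    """Return (alerts, suspects): individual signals, and client/name pairs showing both."""
    alerts, signals = [], defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, client, name, value = parse_line(raw)
        if kind == "dns" and unexpected_answer(name, value):
            alerts.append((ts, client, name, "unexpected-resolution", value))
            signals[(client, name)].add("dns")
        elif kind == "tls" and unexpected_issuer(name, value):
            alerts.append((ts, client, name, "issuer-change", value))
            signals[(client, name)].add("tls")
    # A changed answer plus a changed issuer for the same client and name is the AitM
    # pattern from Stage 3; either signal alone can be benign (CDN move, CA rotation).
    suspects = sorted(k for k, v in signals.items() if v == {"dns", "tls"})
    return alerts, suspects
```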
Recommended Actions
For Home and Small Office Users
- Update router firmware immediately — check the manufacturer's support page for your model
- Change default admin credentials — use a strong, unique password for the router admin interface
- Disable remote management (WAN-facing admin access) unless actively required
- Replace end-of-life routers — if your device no longer receives firmware updates, replace it
For Organizations
- Inventory all SOHO/consumer-grade routers in corporate environments — these are often unmanaged
- Deploy DNS monitoring to detect unauthorized resolver changes
- Enforce certificate pinning or HSTS preloading for critical internal services
- Use hardware-token authentication for privileged access, and treat session tokens on affected networks as compromised: a token harvested by the AitM proxy remains valid until it is revoked
- Segment the network so SOHO devices cannot reach corporate infrastructure directly
References
- The Hacker News — Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
- UK NCSC — APT28 Exploit Routers to Enable DNS Hijacking Operations
- DOJ — Court-Authorized Disruption of DNS Hijacking Network Controlled by Russian Military Intelligence
- BleepingComputer — Authorities Disrupt Router DNS Hijacks Used to Steal Microsoft 365 Logins
- SecurityWeek — US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking