Russian state hackers from APT28 compromised thousands of home & office routers worldwide

Russian state hackers from APT28 compromised thousands of home & office routers worldwide in a brazen DNS hijacking campaign to steal Outlook passwords and credentials — but the FBI’s Operation Masquerade has already struck back!

Joel

4/15/2026 · 3 min read

Russian APT28 (Fancy Bear / Forest Blizzard) Router Hijacking Campaign:

In a major cyber espionage operation exposed on April 7, 2026, Russian state-sponsored hackers from the advanced persistent threat group APT28 (also known as Fancy Bear, Forest Blizzard, Strontium, Sofacy, Pawn Storm, and Sednit) compromised thousands of small office/home office (SOHO) routers worldwide to hijack DNS traffic and conduct adversary-in-the-middle (AiTM) attacks.

The campaign, codenamed FrostArmada by Lumen’s Black Lotus Labs, enabled the theft of passwords, OAuth tokens, emails, and other credentials—particularly from Microsoft Outlook and related services—by redirecting internet traffic through attacker-controlled servers.

Western intelligence agencies, including the UK’s National Cyber Security Centre (NCSC), Microsoft Threat Intelligence, and the U.S. Department of Justice/FBI, attribute the activity to Russia’s Main Intelligence Directorate of the General Staff (GRU), specifically Military Unit 26165 (the 85th Main Special Service Centre, GTsSS).

What Is APT28?

APT28 is one of the most prolific Russian state-backed hacking groups, linked to the GRU since at least 2004. It has conducted high-profile operations including the 2015 cyber attack on the German parliament, attempts against the OPCW in 2018, and numerous espionage campaigns targeting governments, military, logistics, and technology sectors worldwide.

This latest campaign marks the first observed instance of APT28 (and its subgroup Storm-2754) using DNS hijacking at scale to support AiTM attacks on TLS-encrypted connections after compromising edge devices.

How the Router Hijacking Campaign Worked

The attackers followed a low-effort, high-impact approach:

  1. Initial Access: Scanned for and exploited publicly known vulnerabilities in internet-exposed SOHO routers (T1190). Primary targets included TP-Link models (especially the WR841N via CVE-2023-50224, an authentication bypass flaw allowing unauthenticated credential extraction via crafted HTTP GET requests) and MikroTik routers. Some reports also mention limited targeting of Nethesis and Fortinet firewalls.

  2. Router Compromise & Configuration Change: Gained remote administrative access, then modified DHCP and DNS settings on the routers. This forced all downstream devices (computers, phones, etc.) on the network to use attacker-controlled DNS resolvers hosted on Virtual Private Servers (VPSs). The legitimate dnsmasq utility was often used on these servers for DNS forwarding.

  3. DNS Hijacking & AiTM Attacks:

    • Most traffic was transparently proxied to legitimate destinations.

    • For high-value targets, the attackers spoofed DNS responses for specific domains (e.g., outlook.office.com, outlook.live.com, autodiscover-s.outlook.com), redirecting users to malicious infrastructure.

    • This enabled AiTM interception of unencrypted traffic, credential harvesting (passwords and OAuth tokens), and passive reconnaissance. In select cases, invalid TLS certificates were presented to capture data.

The operation was opportunistic at first—mass scanning of exposed devices—then refined to focus on intelligence-value targets in government, military, critical infrastructure, IT, telecom, and energy sectors.

Scale and Global Impact

  • Compromised thousands of routers across more than 120 countries; some estimates put the figure at over 18,000 devices.

  • Microsoft detected impacts on more than 200 organizations and 5,000 consumer devices.

  • U.S. routers in more than 23 states were affected.

  • Activity observed since at least 2024, with large-scale DNS redirection beginning around August 2025 (following earlier NCSC reporting on related tools).

The campaign provided persistent, passive visibility into networks without directly compromising enterprise systems—leveraging less-monitored home and small-office routers often used by remote workers.

U.S. and International Response: Operation Masquerade

On April 7, 2026, the U.S. Department of Justice and FBI announced Operation Masquerade, a court-authorized technical disruption that neutralized the U.S. portion of the DNS hijacking network:

  • Commands were sent to compromised U.S. TP-Link routers to reset DNS settings (removing GRU-controlled resolvers) and restore legitimate ISP DNS.

  • The operation was tested extensively to avoid disrupting legitimate users and collected evidence of GRU activity.

  • Affected users can fully remediate with a factory reset or through the router's web management interface.

International partners (UK NCSC, Microsoft, Lumen Black Lotus Labs, and others) issued coordinated advisories and technical details the same day. Germany’s BfV also confirmed domestic infections.

Official statements:

  • U.S. Assistant Attorney General John A. Eisenberg: “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”

  • FBI Assistant Director Brett Leatherman: “Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing, and disrupting the Russian government's efforts… We urge all router owners to take the remediation steps outlined today.”

Mitigation Advice for Organizations and Individuals

Security agencies recommend the following immediate actions:

  • Factory reset routers and install the latest firmware.

  • Change default usernames/passwords and never expose management interfaces to the internet.

  • Use Zero Trust DNS or enforce trusted DNS resolvers (e.g., via Windows ZTDNS).

  • Enable multifactor authentication (MFA) everywhere, especially for email and cloud services.

  • Monitor for anomalous DNS changes and risky sign-ins (Microsoft Defender for Endpoint and Entra ID provide relevant alerts).

  • Replace end-of-life routers.
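The "anomalous DNS changes" bullet above and the DHCP/DNS tampering described under "How the Router Hijacking Campaign Worked" can be checked from an endpoint. The following is an added example (not code from the article, the NCSC, Microsoft or the FBI): it parses the resolvers a host actually received, flags any outside an allowlist of trusted ranges, and compares answers for the Outlook domains named in the write-up against an independent resolver. The resolv.conf text, IP ranges and answer sets are constructed sample data.

```python
"""Client-side check for router-level DNS hijacking (added example, not the article's code)."""
import ipaddress
import re

# Domains the campaign spoofed, per the write-up; extend with your own tenant's hostnames.
WATCHED_DOMAINS = ("outlook.office.com", "outlook.live.com", "autodiscover-s.outlook.com")

# Constructed sample: a resolv.conf as pushed by a tampered router's DHCP server.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def unexpected_resolvers(resolvers, trusted_networks):
    """Return resolvers outside the trusted ranges (LAN gateway, ISP or enterprise DNS)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:  # an unparsable entry is itself worth a look
            flagged.append(r)
            continue
        if not any(ip in n for n in nets):
            flagged.append(r)
    return flagged

def divergent_answers(local_answers, trusted_answers):
    """Watched domains whose A records from the local resolver share nothing with a
    trusted resolver's. Geo-DNS can legitimately differ, so treat a hit as a lead to
    corroborate (for example by checking the TLS certificate), not as proof by itself."""
    hits = {}
    for d in WATCHED_DOMAINS:
        local, trusted = set(local_answers.get(d, ())), set(trusted_answers.get(d, ()))
        if local and trusted and local.isdisjoint(trusted):
            hits[d] = sorted(local)
    return hits

if __name__ == "__main__":
    # Trusted ranges are assumptions for the sample: the RFC 1918 LAN plus an ISP block.
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", unexpected_resolvers(resolvers, ["192.168.0.0/16", "198.51.100.0/24"]))
```

On a real host, feed `parse_resolv_conf` the contents of `/etc/resolv.conf` (or the DNS servers from your DHCP lease) and populate the answer dictionaries from a lookup via the local resolver and a second lookup via a resolver you control.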

Full guidance is available in the NCSC advisory, Microsoft blog, and FBI PSA.

Why This Matters

This campaign highlights how nation-state actors like APT28 are increasingly targeting everyday consumer devices as low-cost entry points into sensitive networks. Even if your corporate systems are secure, a compromised home router used by a remote employee can expose credentials and traffic. The swift disruption via Operation Masquerade shows effective public-private collaboration, but owners of affected routers must still act to prevent re-exploitation.

References:

justice.gov
microsoft.com
thehackernews.com
ncsc.gov.uk

Sources for further reading:

  • UK NCSC Advisory (April 7, 2026)

  • Microsoft Security Blog (April 7, 2026)

  • U.S. DOJ Press Release on Operation Masquerade (April 7, 2026)

  • Lumen Black Lotus Labs research on FrostArmada