The US Department of Justice and FBI have conducted a court-authorized technical operation to disrupt a sophisticated DNS hijacking network controlled by Russia's military intelligence unit APT28, which systematically compromised consumer routers to steal Microsoft Office authentication tokens on a global scale.
Advanced Router Exploitation Campaign
The operation, announced by the Justice Department, targeted APT28's exploitation of known vulnerabilities in older consumer and small office/home office (SOHO) routers, particularly MikroTik and TP-Link devices. The Russian threat actors, also known as Forest Blizzard, used these compromised routers to conduct mass harvesting of authentication credentials from Microsoft Office applications.
According to the UK's National Cyber Security Centre (NCSC) and Microsoft threat intelligence assessments, the campaign demonstrated unprecedented scale in targeting network infrastructure devices for credential theft operations. The attackers leveraged DNS hijacking techniques to redirect legitimate authentication requests through their controlled infrastructure, enabling systematic collection of access tokens.
Military Intelligence Coordination
Intelligence assessments confirm the operation was orchestrated by Russia's Main Intelligence Directorate (GRU), representing a significant escalation in state-sponsored cyber espionage capabilities. The use of consumer networking equipment as command and control infrastructure demonstrates sophisticated operational security measures designed to evade detection and attribution efforts.
The DNS hijacking network enabled APT28 to maintain persistent access to compromised networks while appearing to operate through legitimate networking equipment. This technique allowed the Russian operators to blend malicious traffic with normal network communications, significantly complicating detection and response efforts by cybersecurity teams.
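The article describes the mechanism only in outline: a compromised router answers (or forwards) DNS queries so that requests for authentication services land on attacker-controlled hosts. The following script is an added defender-side example, not code from the article, the Justice Department, or any vendor. It performs two checks a network team can run against a SOHO router: whether the router's upstream resolvers are on an allowlist, and whether the router's answers for sensitive identity-provider hostnames agree with answers from trusted external resolvers. All resolver addresses, hostnames, answers and address ranges are constructed for illustration (documentation ranges such as 203.0.113.0/24 and 198.51.100.0/24); the allowlist and "expected ranges" are assumptions a real deployment would replace with its own data.

```python
"""Detect signs of router-level DNS hijacking from constructed inputs.

Check 1: the router's configured upstream resolvers must be on an allowlist.
Check 2: answers the router gives for sensitive authentication hostnames must
         agree with trusted external resolvers. Because CDN-backed hostnames
         legitimately return different addresses per resolver, a mismatch that
         still falls inside an expected provider range is only rated "low".
No network access is needed; every value below is constructed.
"""
from dataclasses import dataclass
import ipaddress

# Constructed allowlist of resolvers the organisation expects routers to use.
ALLOWED_UPSTREAMS = {"9.9.9.9", "149.112.112.112"}

# Constructed: hostnames whose hijack would put the attacker between the
# client and the identity provider. Real deployments would use their own list.
SENSITIVE_HOSTS = ["login.example-idp.test", "sso.example-idp.test"]

# Constructed: address ranges the identity provider is known to answer from.
EXPECTED_RANGES = {
    "login.example-idp.test": ["203.0.113.0/24"],
    "sso.example-idp.test": ["203.0.113.0/24"],
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "low", "medium", "high" or "critical"
    check: str      # which check produced it
    detail: str


def check_upstreams(router_upstreams, allowed=ALLOWED_UPSTREAMS):
    """Flag upstream resolver entries that are unparseable or not allowlisted."""
    findings = []
    for entry in router_upstreams:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append(Finding("high", "upstream",
                                    f"unparseable resolver entry {entry!r}"))
            continue
        if entry not in allowed:
            findings.append(Finding("high", "upstream",
                                    f"router forwards DNS to unexpected resolver {entry}"))
    return findings


def _in_expected_ranges(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def check_answers(router_answers, trusted_answers,
                  hosts=SENSITIVE_HOSTS, expected_ranges=EXPECTED_RANGES):
    """Compare the router's A records for each host with trusted resolvers."""
    findings = []
    for host in hosts:
        local = set(router_answers.get(host, []))
        trusted = set(trusted_answers.get(host, []))
        if not local:
            findings.append(Finding("medium", "answers",
                                    f"router returned no A records for {host}"))
            continue
        rogue = sorted(local - trusted)
        if not rogue:
            continue
        # Addresses inside the provider's known ranges are probably geo/anycast
        # variation; anything outside those ranges is the hijack signature.
        outside = [a for a in rogue
                   if not _in_expected_ranges(a, expected_ranges.get(host, []))]
        if outside:
            findings.append(Finding("critical", "answers",
                                    f"{host} resolves to {outside} via router only; "
                                    f"outside expected provider ranges"))
        else:
            findings.append(Finding("low", "answers",
                                    f"{host} resolves to {rogue} via router only, "
                                    f"but within expected ranges (likely CDN variance)"))
    return findings


def audit(router_upstreams, router_answers, trusted_answers):
    """Run both checks and return the combined list of findings."""
    return check_upstreams(router_upstreams) + check_answers(router_answers, trusted_answers)


def run_sample():
    """Audit a constructed snapshot of a tampered router."""
    # Constructed: one legitimate upstream and one rogue upstream (TEST-NET-2).
    router_upstreams = ["9.9.9.9", "198.51.100.23"]
    # Constructed answers from trusted external resolvers.
    trusted = {
        "login.example-idp.test": ["203.0.113.10", "203.0.113.11"],
        "sso.example-idp.test": ["203.0.113.20"],
    }
    # Constructed answers from the router: one rogue address, one CDN-style variance.
    router = {
        "login.example-idp.test": ["203.0.113.10", "198.51.100.77"],
        "sso.example-idp.test": ["203.0.113.21"],
    }
    return audit(router_upstreams, router, trusted)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():8}] {f.check}: {f.detail}")
```

On a real router the inputs would come from the device's DNS configuration and from querying the router and a trusted resolver for the same names; the comparison logic and the range-based downgrade stay the same. The "expected ranges" step is what keeps the check usable against CDN-fronted identity providers, where a bare address mismatch alone would drown the signal in false positives.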
Global Infrastructure Impact
Cybersecurity researchers noted that the campaign targeted vulnerable routers across multiple countries, creating a distributed infrastructure for intelligence collection operations. The systematic exploitation of consumer-grade networking equipment highlights critical vulnerabilities in the global internet infrastructure that state actors are increasingly leveraging for espionage purposes.
The Justice Department's disruption operation represents the first successful court-authorized takedown of a Russian military intelligence cyber infrastructure in 2026, demonstrating enhanced coordination between law enforcement and intelligence agencies in countering state-sponsored cyber threats.