Large-Scale Router Exploitation Campaign

The Department of Justice and FBI announced a court-authorized technical operation to neutralize a network of compromised small office/home office (SOHO) routers controlled by Russian military intelligence unit APT28 (Forest Blizzard). The campaign targeted vulnerable MikroTik and TP-Link routers to conduct DNS hijacking operations designed to steal Microsoft Office 365 authentication tokens from government and corporate users.

Technical Operation and Scope

Russian state-linked hackers exploited known vulnerabilities in older Internet routers to harvest authentication credentials from Microsoft Office environments at scale. The operation used compromised consumer-grade routers as infrastructure for DNS hijacking attacks, redirecting legitimate authentication requests to attacker-controlled servers designed to capture login credentials and multi-factor authentication tokens.
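A defender-side check for the DNS hijacking described above, as an added example that is not code from the page, the DOJ or any vendor: compare the answers a LAN's router-provided resolver gives for Microsoft sign-in hostnames against a trusted external resolver (answers gathered beforehand, for instance with `dig @<resolver>`), and flag answers that point at LAN, loopback or CGNAT space or share nothing with the trusted answers. The hostnames, network list and sample answers are assumptions; the sample public addresses are RFC 5737 documentation addresses, not real Microsoft records.

```python
"""Added example: flag router-level DNS hijacking of Microsoft sign-in hostnames
by comparing the router resolver's answers against a trusted resolver.
Hostnames, networks and sample answers below are constructed assumptions."""
import ipaddress

# Address space that should never answer for a public sign-in hostname.
# Kept as an explicit list rather than ipaddress.is_private so RFC 5737
# documentation addresses can stand in for public answers in the sample data.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]  # loopback, link-local, CGNAT


def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def classify(host, local_answers, trusted_answers):
    """Return (verdict, reason) for one hostname.
    'suspect' when the router's resolver hands out a LAN/loopback/CGNAT address,
    or when its answer set shares no address with the trusted resolver.
    GeoDNS can legitimately return different addresses from different vantage
    points, so a single overlapping address is treated as benign; the
    non-routable-answer rule is the strong signal."""
    local, trusted = set(local_answers), set(trusted_answers)
    if not local:
        return "no-answer", f"{host}: router resolver returned nothing"
    lan = sorted(ip for ip in local if is_lan_address(ip))
    if lan:
        return "suspect", f"{host}: non-routable answer(s) {lan}"
    if local.isdisjoint(trusted):
        return "suspect", f"{host}: no overlap, local={sorted(local)} trusted={sorted(trusted)}"
    return "ok", f"{host}: router answers agree with trusted resolver"


def scan(answers):
    """answers: {host: (local_answers, trusted_answers)} -> [(host, reason)] for anything not 'ok'."""
    findings = []
    for host, (local, trusted) in answers.items():
        verdict, reason = classify(host, local, trusted)
        if verdict != "ok":
            findings.append((host, reason))
    return findings


# Constructed sample: the router points one sign-in hostname at a LAN host (a hijack
# signature) and answers the other consistently with the trusted resolver.
SAMPLE = {
    "login.microsoftonline.com": (["192.168.88.10"], ["203.0.113.20", "203.0.113.21"]),
    "login.live.com": (["198.51.100.5"], ["198.51.100.5", "198.51.100.6"]),
}

if __name__ == "__main__":
    for host, reason in scan(SAMPLE):
        print("SUSPECT", reason)
```

Run the comparison from a client on the LAN so the "local" answers come from whatever resolver the router advertises over DHCP; a router whose upstream DNS setting has been changed will show up here even when the client's own configuration looks untouched.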

Attribution and Intelligence Assessment

US and UK cybersecurity agencies, including the National Cyber Security Centre (NCSC), together with Microsoft, attributed the ongoing cyber espionage campaign to Russia's military intelligence units. The operation represents a sophisticated evolution in state-sponsored cyber operations, leveraging widely deployed consumer networking equipment as persistent attack infrastructure against high-value targets.

Defensive Response and Mitigation

The court-authorized disruption operation specifically targeted the US portion of the compromised router network, demonstrating enhanced coordination between judicial and technical cybersecurity responses. The Justice Department's intervention represents an escalation in proactive cyber defense measures against foreign state-sponsored infrastructure operating within US territory.

Strategic Implications

The campaign highlights the vulnerability of consumer networking devices to state-sponsored exploitation and the evolution of advanced persistent threat groups toward infrastructure-based attacks. The Russian operation's focus on Microsoft authentication systems reflects the central role of cloud-based enterprise services in modern cyber espionage targeting.