Large-Scale DNS Hijacking Campaign Disrupted
The US Justice Department and FBI announced a court-authorized technical operation to neutralize a network controlled by Russian military intelligence unit APT28 (also known as Forest Blizzard) that was conducting large-scale DNS hijacking attacks. The operation targeted compromised consumer and small office/home office (SOHO) routers that were being used to steal Microsoft Office authentication tokens from victims worldwide.
Router Infrastructure Exploitation
Russian intelligence operatives exploited known vulnerabilities in older MikroTik and TP-Link Internet routers to build a massive botnet infrastructure for credential harvesting. The compromised routers were used to intercept and redirect DNS queries, allowing the attackers to capture authentication tokens when users accessed Microsoft Office applications and services.
According to cybersecurity researchers, the campaign demonstrated a sophisticated understanding of network infrastructure vulnerabilities, with the threat actors specifically targeting consumer-grade networking equipment that typically lacks enterprise-level security monitoring and patching processes.
Microsoft Token Harvesting Operations
The primary objective of the DNS hijacking campaign was to mass-harvest Microsoft Office authentication tokens, which could then be used to gain unauthorized access to corporate email systems, cloud storage, and other Microsoft services. This technique, known as 'living-off-the-land' exploitation, leverages legitimate authentication mechanisms to maintain persistent access to target networks.
The UK's National Cyber Security Centre (NCSC) collaborated with Microsoft to share technical details about the ongoing cyber espionage campaign, noting that the operation had been active for an extended period before detection and disruption efforts began.
International Coordination and Response
The disruption operation involved coordination between multiple agencies, including the FBI, Justice Department, and international partners. The court-authorized technical operation specifically targeted the US portion of the compromised router network, though the full scope of the international infrastructure remained under investigation.
Cybersecurity experts noted that this type of router-based attack represents an escalating trend in state-sponsored cyber operations, in which threat actors compromise widely deployed consumer devices to build resilient command-and-control infrastructure for intelligence collection.