The Russia-linked threat actor APT28, also known as Forest Blizzard and associated with Russian military intelligence units, has been identified conducting an extensive DNS hijacking campaign targeting consumer and small office/home office (SOHO) routers. The operation represents a significant escalation in state-sponsored cyber espionage capabilities, utilizing compromised router infrastructure to harvest Microsoft Office authentication tokens on a global scale.
Technical Infrastructure and Methods
According to joint analysis by the UK's National Cyber Security Centre (NCSC) and Microsoft, APT28 has compromised vulnerable MikroTik and TP-Link routers to establish persistent network access for intelligence collection. The threat actors are exploiting known vulnerabilities in older Internet router models to mass harvest authentication credentials from Microsoft Office applications and other enterprise systems.
DNS Hijacking Operations
The campaign relies on DNS hijacking: because the compromised routers act as the local network's DNS resolver, they can answer lookups with attacker-controlled addresses and so redirect legitimate traffic to attacker-controlled infrastructure. This allows APT28 operatives to intercept authentication tokens, potentially providing access to corporate email systems, cloud storage, and other Microsoft Office 365 services used by target organizations.
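One defender-side check for the resolver-level hijack described above, written as an added example (it is not code from the article, NCSC or Microsoft): query the Office sign-in hostnames through the LAN router's resolver and through independent resolvers, and flag any hostname whose LAN answers share nothing with the independent answers. The resolver tables, hostnames list and addresses below are constructed sample data (documentation address ranges); a real deployment would replace the tables with per-resolver lookups.

```python
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]

# Sign-in hostnames that Office clients contact; extend as needed.
WATCHED_HOSTS = (
    "login.microsoftonline.com",
    "outlook.office365.com",
    "autodiscover-s.outlook.com",
)


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build a resolver from a static hostname -> addresses table (sample data only)."""
    return lambda host: list(table.get(host, []))


def compare_answers(lan: Resolver, trusted: Dict[str, Resolver],
                    hosts=WATCHED_HOSTS) -> Dict[str, dict]:
    """Per hostname: LAN answers, union of trusted answers, and a verdict."""
    report = {}
    for host in hosts:
        lan_ips = set(lan(host))
        trusted_ips: Set[str] = set()
        for resolver in trusted.values():
            trusted_ips |= set(resolver(host))
        # CDN-backed names legitimately differ by vantage point, so only a
        # LAN answer set with NO overlap with the trusted answers is suspicious.
        suspicious = bool(lan_ips) and lan_ips.isdisjoint(trusted_ips)
        report[host] = {"lan": sorted(lan_ips), "trusted": sorted(trusted_ips),
                        "suspicious": suspicious}
    return report


def suspicious_hosts(report: Dict[str, dict]) -> List[str]:
    """Hostnames whose LAN resolution looks hijacked, sorted for stable output."""
    return sorted(h for h, r in report.items() if r["suspicious"])


# Constructed sample: the router's resolver returns an attacker address
# (203.0.113.10) for the sign-in host only; everything else matches.
LAN_RESOLVER = table_resolver({
    "login.microsoftonline.com": ["203.0.113.10"],
    "outlook.office365.com": ["198.51.100.20", "198.51.100.21"],
    "autodiscover-s.outlook.com": ["198.51.100.30"],
})
TRUSTED_RESOLVERS = {
    "public-a": table_resolver({"login.microsoftonline.com": ["198.51.100.10"],
                                "outlook.office365.com": ["198.51.100.20"],
                                "autodiscover-s.outlook.com": ["198.51.100.30"]}),
    "public-b": table_resolver({"login.microsoftonline.com": ["198.51.100.11"],
                                "outlook.office365.com": ["198.51.100.21"],
                                "autodiscover-s.outlook.com": ["198.51.100.31"]}),
}

if __name__ == "__main__":
    for host in suspicious_hosts(compare_answers(LAN_RESOLVER, TRUSTED_RESOLVERS)):
        print(f"possible DNS hijack on LAN resolver: {host}")
```

A disjoint answer set is a lead to investigate (compare the router's configured upstream DNS and firmware version), not proof on its own.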
US Government Response Operations
The Department of Justice and FBI have announced a court-authorized technical operation to neutralize the US portion of the compromised router network. The disruption effort represents a coordinated response to what officials characterize as a network controlled by Russian military intelligence units, demonstrating the scale and sophistication of the ongoing cyber espionage campaign.
Global Intelligence Implications
The router-based attack infrastructure provides APT28 with persistent access to target networks while maintaining operational security through the use of compromised consumer devices. This methodology allows Russian intelligence services to conduct long-term surveillance operations against Western government agencies, defense contractors, and technology companies without deploying more detectable malware.
Attribution and Strategic Context
Intelligence assessments link this campaign directly to Russia's military intelligence apparatus, representing continued escalation in state-sponsored cyber operations targeting allied nations' critical infrastructure and government systems. The use of consumer router infrastructure demonstrates sophisticated tradecraft designed to evade traditional cybersecurity defenses.