The Russian military intelligence unit tracked as APT28 (Forest Blizzard in Microsoft's naming) ran a cyber espionage campaign that compromised vulnerable consumer and small-office routers, used them to hijack DNS resolution for the hosts behind them, and harvested Microsoft Office authentication tokens at scale.

Technical Operation Details

The campaign exploited publicly known vulnerabilities in older MikroTik and TP-Link routers to build a global network of compromised devices. A SOHO router is normally the DNS resolver for every host on its LAN, so control of its DNS configuration lets an operator answer selected queries with attacker-chosen addresses. The operators used this position to redirect DNS queries and harvest authentication tokens from Microsoft Office applications in bulk; with a valid token, the operators could reach corporate and government communications without needing the account password, for as long as the token stayed valid.

The UK's National Cyber Security Centre (NCSC) and Microsoft collaborated to document the ongoing cyber espionage campaign, which specifically targeted vulnerable network routers in small office and home office (SOHO) environments. The operation demonstrates Russia's systematic approach to exploiting consumer-grade infrastructure for intelligence collection purposes.
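A practical first check for anyone behind a consumer router is to ask the router's resolver and an independent reference resolver the same question and compare the answers. The script below is an added example written for this page; it is not code from the article, the NCSC or Microsoft. It speaks raw DNS over UDP so that the same query can be sent to any resolver, and flags answers that look hijacked. The sign-in hostnames, the reference resolvers, the router address `192.168.1.1` and the addresses in the offline demo (`203.0.113.x`, a documentation range) are all assumptions or constructed test data.

```python
"""DNS hijack check for Microsoft 365 sign-in hostnames (added example, not from the article)."""
from __future__ import annotations
import ipaddress
import secrets
import socket
import struct

# Assumption: representative hostnames an Office client contacts to sign in; not exhaustive.
OFFICE_AUTH_HOSTS = ["login.microsoftonline.com", "login.live.com"]
# Assumption: public resolvers the router cannot influence unless it also intercepts port 53.
REFERENCE_RESOLVERS = ["1.1.1.1", "9.9.9.9"]

def _encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def _read_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = ((ln & 0x3F) << 8) | buf[off + 1]
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_query(name: str, txid: int) -> bytes:
    """Recursive A query: header (RD set, one question) + question section."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def parse_a_records(resp: bytes, txid: int) -> set[str]:
    """Return the IPv4 addresses in the answer section after checking id, QR bit and RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = _read_name(resp, off)
        off += 4
    ips: set[str] = set()
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips

def query_a(name: str, resolver: str, timeout: float = 3.0) -> set[str]:
    """Send one UDP query to the given resolver and parse its answer (needs network access)."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def assess(name: str, local: set[str], reference: set[str]) -> list[str]:
    """Flag hijack indicators. A private/loopback address for a public sign-in host is a
    strong signal; disjoint answer sets are only a lead, because these names sit behind
    CDNs and different resolvers may legitimately see different addresses."""
    if not local:
        return [f"{name}: local resolver returned no A records"]
    findings = []
    for ip in sorted(local):
        a = ipaddress.ip_address(ip)
        if a.is_private or a.is_loopback or a.is_link_local:
            findings.append(f"{name}: local resolver answered with non-public address {ip}")
    if local.isdisjoint(reference):
        findings.append(f"{name}: local answers {sorted(local)} share nothing with reference {sorted(reference)}")
    return findings

def constructed_response(name: str, txid: int, ips: list[str]) -> bytes:
    """Build a response packet offline (constructed test data, not captured traffic)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    body = _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:                                  # 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + body

def demo() -> list[str]:
    """Offline walk-through: the router's resolver points a sign-in host at the router itself."""
    name, txid = OFFICE_AUTH_HOSTS[0], 0x1234
    hijacked = parse_a_records(constructed_response(name, txid, ["192.168.1.1"]), txid)
    clean = parse_a_records(constructed_response(name, txid, ["203.0.113.10", "203.0.113.11"]), txid)
    return assess(name, hijacked, clean)

if __name__ == "__main__":
    for host in OFFICE_AUTH_HOSTS:
        local = query_a(host, "192.168.1.1")        # assumption: the router's LAN address
        ref = set().union(*(query_a(host, r) for r in REFERENCE_RESOLVERS))
        print("\n".join(assess(host, local, ref)) or f"{host}: no anomalies")
```

The `demo()` function runs entirely offline on constructed packets and yields two findings for the hijacked case; the `__main__` block performs the live comparison against the router. A disjoint answer set should be followed up by connecting to the returned address and checking that the TLS certificate it presents is actually issued for the sign-in hostname, which a DNS-level redirect alone cannot forge.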

US Government Response Operation

On April 7, 2026, the Department of Justice and FBI announced a court-authorized technical operation to neutralize the US portion of the compromised router network. This represents a significant escalation in active defense measures, with US authorities directly intervening to disrupt foreign intelligence infrastructure operating on American soil.

The Justice Department's operation specifically targeted the network of small-office routers that had been co-opted by Russian military intelligence. The technical disruption shows the US government's willingness to act proactively against state-sponsored espionage infrastructure, even when doing so means altering the configuration of privately owned network equipment.

Global Infrastructure Targeting

The Russian operation targeted routers across multiple countries, creating an international network of compromised devices usable for persistent surveillance and data collection. The focus on stealing authentication tokens, rather than on disruption, points to a strategic goal of quiet, long-term access to sensitive communications and systems.

Security researchers characterised the campaign as a "living off the land" approach: rather than standing up attacker-owned servers, the operators worked through legitimate, widely deployed consumer hardware already sitting in victims' networks, so their activity originated from ordinary residential and small-office addresses and was harder to distinguish from benign traffic.