{"id":5091,"date":"2026-04-08T21:39:11","date_gmt":"2026-04-08T21:39:11","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/08\/us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers\/"},"modified":"2026-04-08T21:39:11","modified_gmt":"2026-04-08T21:39:11","slug":"us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/08\/us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers\/","title":{"rendered":"US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials from victims of intelligence value has been taken down in the US.<\/p>\n<p>The US Department of Justice (DoJ) announced on April 7 that it had teamed up with the FBI to neutralize the US portion of the domain name system (DNS) hijacking network, which spanned over 23 US states.<\/p>\n<p>The scheme was also detailed on April 7 in reports by both the UK\u2019s National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence.<\/p>\n<p>In several campaigns dating back to 2024, APT28 has been exploiting vulnerabilities in small office\/home office (SOHO) routers \u2013 and especially TP-Link routers \u2013 to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations.<\/p>\n<p>Both the UK and US government agencies attributed APT28 to Russia\u2019s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165.<\/p>\n<p>David Metcalf, the US Attorney for the Eastern District of Pennsylvania, said: \u201cRussian military intelligence once again hijacked Americans\u2019 hardware to commandeer critical data. 
In the face of continued aggression by our nation-state adversaries, the US government will respond just as aggressively.\u201d<\/p>\n<h2><strong>Operation Masquerade: Hijacking the DNS Hijacking Network<\/strong><\/h2>\n<p>The US effort, dubbed \u201cOperation Masquerade,\u201d was led by FBI Boston after authorization by a court.<\/p>\n<p>As described in court documents, unsealed in the Eastern District of Pennsylvania, the FBI developed a series of commands to send to US-based routers compromised by APT28.<\/p>\n<p>These commands were designed to collect evidence regarding the threat group\u2019s activity, reset DNS settings \u2013 remove DNS resolvers installed by APT28 and force routers to obtain legitimate DNS resolvers from their internet service providers (ISPs) \u2013 and to prevent the hackers from exploiting the original means of unauthorized access.<\/p>\n<p>After testing the operation \u201cextensively\u201d on firmware and hardware for affected TP-Link routers, the DoJ confirmed it did not impact the routers\u2019 normal functionality or collect the legitimate users\u2019 content information.<\/p>\n<p>\u201cThe court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets with hardware reset buttons,\u201d said the DoJ statement.<\/p>\n<p>\u201cLegitimate users can also reverse changes by logging into web management pages and restoring desired settings (<em>e.g.<\/em>, factory default settings).\u201d<\/p>\n<p>The FBI is now working with ISPs to provide notice of the operation to users of SOHO routers covered by the court\u2019s authorization.<\/p>\n<p>Operation Masquerade involved several agencies, including the Philadelphia Field Offices and Cyber Division, the US Attorney\u2019s Office for the Eastern District of Pennsylvania and the National Security Division\u2019s National Security Cyber.<\/p>\n<p>It also benefited from the collaboration of several private-sector partners, 
including Lumen\u2019s Black Lotus Labs, Microsoft Threat Intelligence and the MIT Lincoln Laboratory.<\/p>\n<p>Brett Leatherman, Assistant Director of the FBI\u2019s Cyber Division, commented: \u201cGRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn\u2019t enough.\u201d<\/p>\n<p>John A. Eisenberg, Assistant Attorney General for National Security, called the Russian campaign \u201ca serious and persistent threat\u201d and said his department will \u201ccontinue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation\u2019s networks.\u201d<\/p>\n<h2><strong>SOHO Router Users Urged to Remediate the Threat<\/strong><\/h2>\n<p>The DoJ urged users who believe they have a compromised router to contact their local FBI field office or file a report with the FBI\u2019s Internet Crime Complaint Center (IC3).<\/p>\n<p>They are also advised to take the following steps:<\/p>\n<ul>\n<li>Replace outdated routers: check if your router is on the manufacturer\u2019s end-of-life or end-of-support list and upgrade if needed<\/li>\n<li>Update router firmware: download and install the latest firmware from the official router brand\u2019s website<\/li>\n<li>Verify DNS settings: ensure your router\u2019s DNS resolvers are legitimate<\/li>\n<li>Secure remote access: disable or restrict remote management features unless absolutely necessary<\/li>\n<li>Follow official guidance: review TP-Link\u2019s (or your router brand\u2019s) security documentation for proper setup<\/li>\n<\/ul>\n<p>\u201cWe urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us,\u201d said the FBI\u2019s Leatherman.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials from victims of 
intelligence value has been taken down in the US. The US Department of Justice (DoJ) announced on April 7 that it had teamed up with the FBI to neutralize the US portion of the domain name system (DNS)<\/p>\n","protected":false},"author":2,"featured_media":5092,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5091-51e8ba28-bb20-4cbb-a0cc-45a3568f40b5-146x146.jpg",146,146,true]}
,"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5091"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5091\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5092"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5091"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}