Vypr · breach · Published Apr 8, 2026 · Updated May 18, 2026 · 1 source

US Dismantles APT28 DNS Hijacking Network Targeting SOHO Routers

The US DoJ and FBI have neutralized a DNS hijacking network operated by Russian APT28 hackers that compromised SOHO routers across 23 states to steal credentials.

The US Department of Justice (DoJ) and FBI announced on April 7 the takedown of a large-scale DNS hijacking network operated by Russian state-sponsored hacking group APT28. The operation, dubbed "Operation Masquerade," targeted compromised small office/home office (SOHO) routers (primarily TP-Link models) across 23 US states. Since 2024, APT28 exploited vulnerabilities in these routers to redirect traffic through attacker-controlled DNS servers, enabling credential theft from targets of intelligence value.

The campaign was attributed to APT28, part of Russia's Main Intelligence Directorate (GRU) Military Unit 26165. The UK's National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence also released reports detailing the scheme. The FBI, after obtaining court authorization, developed commands to reset DNS settings on compromised routers, removing the attackers' DNS resolvers and forcing routers to obtain legitimate resolvers from ISPs. The operation also blocked the hackers' means of unauthorized access without affecting normal router functionality.

"Russian military intelligence once again hijacked Americans' hardware to commandeer critical data," said David Metcalf, US Attorney for the Eastern District of Pennsylvania. The FBI tested the operation extensively on TP-Link firmware and hardware, confirming no impact on normal router functions. Legitimate users can reverse changes via factory reset or web management pages.

The FBI is now coordinating with ISPs to notify affected users. The DoJ urged users to replace outdated routers, update firmware, verify DNS settings, and secure remote access. Private-sector partners including Lumen's Black Lotus Labs, Microsoft Threat Intelligence, and MIT Lincoln Laboratory supported the operation.
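The "verify DNS settings" step above is the one a home or small-office admin can act on directly: a router that has been hijacked this way points its WAN DNS at a resolver the ISP never handed out. The following is an added example, not code from Vypr, the DoJ or TP-Link; the router settings dump, the key names, the ISP prefix and the resolver addresses are all constructed placeholders to be replaced with your own router's export and your ISP's published resolvers.

```python
import ipaddress
import re

# Constructed key=value export resembling a SOHO router settings backup.
# Key names and addresses are placeholders, not a real device format.
ROUTER_CONFIG = """\
wan_dns1=203.0.113.7
wan_dns2=198.51.100.22
lan_dns_relay=1
"""

# Resolvers the ISP assigns (placeholder prefix) and public resolvers an
# admin has deliberately chosen; anything else is treated as suspect.
ISP_RESOLVER_NETWORKS = ["198.51.100.0/24"]
ALLOWED_PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}


def configured_resolvers(config: str) -> list[str]:
    """Extract IP addresses from every setting whose key mentions 'dns'."""
    found = []
    for match in re.finditer(r"^\s*\w*dns\w*\s*=\s*(\S+)", config, re.M):
        try:
            found.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # non-address values such as feature flags are skipped
    return found


def is_expected_resolver(addr: str) -> bool:
    """A resolver is expected if the ISP assigns it or the admin allowlisted it."""
    ip = ipaddress.ip_address(addr)
    if addr in ALLOWED_PUBLIC_RESOLVERS:
        return True
    return any(ip in ipaddress.ip_network(net) for net in ISP_RESOLVER_NETWORKS)


def audit_resolvers(config: str) -> list[str]:
    """Return the configured resolvers that should not be there, sorted."""
    return sorted(a for a in set(configured_resolvers(config))
                  if not is_expected_resolver(a))


if __name__ == "__main__":
    for addr in audit_resolvers(ROUTER_CONFIG):
        print(f"unexpected DNS resolver configured on router: {addr}")
```

Run it against a fresh settings export after each firmware update or factory reset as well; a clean result on one day does not rule out the settings being changed again later.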

Brett Leatherman, Assistant Director of the FBI's Cyber Division, emphasized the scale of the threat: "GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn't enough." The DoJ continues to investigate and urges anyone with compromised routers to contact the FBI or file a report with IC3.

Synthesized by Vypr AI