{"id":45230,"date":"2026-04-08T19:17:04","date_gmt":"2026-04-08T11:17:04","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/08\/us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers-infosecurity-magazine\/"},"modified":"2026-04-08T19:17:04","modified_gmt":"2026-04-08T11:17:04","slug":"us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers-infosecurity-magazine","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/08\/us-thwarts-dns-hijacking-network-controlled-by-russian-apt28-hackers-infosecurity-magazine\/","title":{"rendered":"US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers &#8211; Infosecurity Magazine"},"content":{"rendered":"<p>A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials from victims of intelligence value has been taken down in the US.<\/p>\n<p>The US Department of Justice (DoJ) <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled\" target=\"_blank\">announced<\/a> on April 7 that it had teamed up with the FBI to neutralize the US portion of the domain name system (DNS) hijacking network, which spanned more than 23 US states.<\/p>\n<p>The scheme was also <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/\" target=\"_blank\">detailed on April 7<\/a> in reports by both the UK&rsquo;s National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence.<\/p>\n<p>In several campaigns dating back to 2024, APT28 has been exploiting vulnerabilities in small office\/home office (SOHO) routers &ndash; and <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/vulnerabilities-tplink-vpn-routers\/\" target=\"_blank\">especially TP-Link routers<\/a> &ndash; to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted 
organizations.<\/p>\n<p>Both the UK and US government agencies attributed APT28 to Russia&rsquo;s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165.<\/p>\n<p>David Metcalf, the US Attorney for the Eastern District of Pennsylvania, said: &ldquo;Russian military intelligence once again hijacked Americans&rsquo; hardware to commandeer critical data. In the face of continued aggression by our nation-state adversaries, the US government will respond just as aggressively.&rdquo;<\/p>\n<h2><strong>Operation Masquerade: Hijacking the DNS Hijacking Network<\/strong><\/h2>\n<p>The US effort, dubbed &ldquo;Operation Masquerade,&rdquo; was led by FBI Boston after authorization by a court.<\/p>\n<p>As described in court documents, unsealed in the Eastern District of Pennsylvania, the FBI developed a series of commands to send to US-based routers compromised by APT28.<\/p>\n<p>These commands were designed to collect evidence regarding the threat group&rsquo;s activity, reset DNS settings &ndash; remove DNS resolvers installed by APT28 and force routers to obtain legitimate DNS resolvers from their internet service providers (ISPs) &ndash; and to prevent the hackers from exploiting the original means of unauthorized access.<\/p>\n<p>After testing the operation &ldquo;extensively&rdquo; on firmware and hardware for affected TP-Link routers, the DoJ confirmed it did not impact the routers&rsquo; normal functionality or collect the legitimate users&rsquo; content information.<\/p>\n<p>&ldquo;The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets with hardware reset buttons,&rdquo; said the DoJ statement.<\/p>\n<p>&ldquo;Legitimate users can also reverse changes by logging into web management pages and restoring desired settings (<em>e.g.<\/em>, factory default settings).&rdquo;<\/p>\n<p>The FBI is now working with ISPs to provide notice of the operation to users of SOHO routers 
covered by the court&rsquo;s authorization.<\/p>\n<p>Operation Masquerade involved several agencies, including the Philadelphia Field Offices and Cyber Division, the US Attorney&rsquo;s Office for the Eastern District of Pennsylvania and the National Security Division&rsquo;s National Security Cyber.<\/p>\n<p>It also benefited from the collaboration of several private-sector partners, including Lumen&rsquo;s Black Lotus Labs, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/07\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\" target=\"_blank\">Microsoft Threat Intelligence<\/a> and the MIT Lincoln Laboratory.<\/p>\n<p>Brett Leatherman, Assistant Director of FBI&rsquo;s Cyber Division, commented: &ldquo;GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn&#39;t enough.&rdquo;<\/p>\n<p>John A. Eisenberg, Assistant Attorney General for National Security, called the Russian campaign &ldquo;a serious and persistent threat&rdquo; and said his department will &ldquo;continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation&rsquo;s networks.&rdquo;<\/p>\n<h2><strong>SOHO Router Users Urged to Remediate the Threat<\/strong><\/h2>\n<p>The DoJ urged users who believe they have a compromised router to contact their local FBI field office or file a report with the FBI&rsquo;s Internet Crime Complaint Center (IC3).<\/p>\n<p>They are also advised to take the following steps:<\/p>\n<ul>\n<li>Replace outdated routers: check if your router is on the manufacturer&rsquo;s end-of-life or end-of-support list and upgrade if needed<\/li>\n<li>Update router firmware: download and install the latest firmware from the official router brand&rsquo;s website<\/li>\n<li>Verify DNS settings: ensure your router&rsquo;s DNS resolvers are legitimate<\/li>\n<li>Secure remote 
access: disable or restrict remote management features unless absolutely necessary<\/li>\n<li>Follow official guidance: review TP-Link&rsquo;s (or your router brand&rsquo;s) security documentation for proper setup<\/li>\n<\/ul>\n<p>&ldquo;We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us,&rdquo; said FBI&rsquo;s Leatherman.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A large-scale network of internet routers compromised b [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-45230","post","type-post","status-publish","format-standard","hentry","category--infosecurity-magazine"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45230"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45230\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
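The "Verify DNS settings" step in the remediation list above is the one a router owner can actually test rather than just eyeball. The following is an added example, not code from the article, the DoJ, the FBI or any router vendor. It assumes the owner has copied the upstream (WAN) DNS servers off the router's status page and knows which resolvers are legitimate (the ISP-assigned ones or a public resolver they chose themselves). It does two things: flags configured resolvers that are not on that expected list, and compares A-record answers for a few canary names between the configured resolver and a trusted reference, looking for the hallmark of a DNS-hijacking AitM setup, every name resolving to the same attacker-controlled address. The resolver addresses, the canary names and the DNS response bytes are all constructed test data; the minimal RFC 1035 query builder and answer parser are included so the check works without third-party libraries.

```python
"""Check a SOHO router's upstream DNS for signs of hijacking (added example)."""
import ipaddress
import os
import socket
import struct

# Resolvers the owner expects (constructed: documentation ranges plus one public resolver).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "9.9.9.9"}
# Upstream DNS servers as read from a router status page (constructed);
# 198.51.100.7 stands in for an unexpected, attacker-controlled resolver.
SAMPLE_ROUTER_DNS = ["203.0.113.53", "198.51.100.7"]


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return configured entries not in the expected set; malformed entries count too."""
    bad = []
    for entry in configured:
        try:
            ip = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            bad.append(entry)
            continue
        if ip not in expected:
            bad.append(ip)
    return bad


def build_a_query(name, txid=0x1234):
    """Encode a recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(resp, expected_txid=None):
    """Return the IPv4 addresses in the answer section; [] on mismatch or error."""
    if len(resp) < 12:
        return []
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        return []                      # not the answer to the query we sent
    if flags & 0x000F != 0:            # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def query_a(name, resolver, timeout=2.0):
    """Ask `resolver` over UDP/53 (needs network; the offline demo does not call it)."""
    txid = int.from_bytes(os.urandom(2), "big")  # random ID so stray replies are dropped
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (resolver, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp, expected_txid=txid)


def hijack_indicators(configured_answers, reference_answers):
    """Compare per-name answers from the configured resolver with a trusted reference.

    'divergent' lists names with no address in common; 'single_sink' is the AitM
    pattern where every canary resolves to one and the same address. Pick canary
    names with stable records, not CDN fronts, or you will see benign divergence.
    """
    divergent = sorted(n for n, ref in reference_answers.items()
                       if not set(configured_answers.get(n, ())) & set(ref))
    seen = {a for addrs in configured_answers.values() for a in addrs}
    single_sink = len(configured_answers) > 1 and len(seen) == 1
    return {"divergent": divergent, "single_sink": single_sink}


# Constructed response to build_a_query("example.com"): two A records, names compressed.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc6\x33\x64\x07"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)


def demo():
    """Offline walk-through on the constructed data; returns the findings."""
    hijacked = {n: ["198.51.100.7"] for n in ("example.com", "example.net", "example.org")}
    reference = {"example.com": ["203.0.113.10"], "example.net": ["203.0.113.11"],
                 "example.org": ["203.0.113.12"]}
    return {
        "bad_resolvers": unexpected_resolvers(SAMPLE_ROUTER_DNS),
        "parsed": parse_a_records(SAMPLE_RESPONSE, expected_txid=0x1234),
        "hijacked": hijack_indicators(hijacked, reference),
        "clean": hijack_indicators(reference, reference),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For a live check, call `query_a(name, resolver)` once against the router's configured upstream and once against a resolver you trust, and feed the two result dicts to `hijack_indicators`. A single divergent name is weak evidence on its own; an unexpected upstream resolver combined with every canary landing on one address is the pattern worth reporting to the FBI's IC3 as the article advises.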