Russian Military Hackers Exploit Home and Office Routers in Global DNS Hijacking Campaign
The FBI, NSA, and UK’s NCSC jointly warn that APT28 — a unit within Russia’s GRU — has been silently rerouting internet traffic through thousands of compromised TP-Link routers, harvesting passwords and spying on military, government, and critical infrastructure targets worldwide.
TP-Link SOHO routers compromised by Russian GRU Unit 26165 / APT28
On April 7, 2026, the United States Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Justice (DoJ), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a coordinated joint advisory warning the public that Russian military intelligence hackers had been quietly compromising thousands of small-office and home-office (SOHO) routers across the globe — and using them as instruments of large-scale espionage.
The operation, attributed to GRU Unit 26165 — widely tracked by the cybersecurity industry as APT28, Fancy Bear, and Forest Blizzard — exploited known software vulnerabilities in TP-Link routers to poison DNS settings, redirecting victims’ internet traffic through actor-controlled servers without their knowledge. Alongside the FBI and NSA, international partners from 15 countries — including Canada, Germany, Poland, Estonia, and Ukraine — co-signed the alert, making it one of the most broadly endorsed state-actor attributions in recent memory.
APT28 is a Russian state-sponsored threat actor operating under the GRU’s 85th Main Special Service Center (85th GTsSS). APT28 has a documented history of high-profile intrusions, including the 2015 attack on the German Bundestag and an attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018. The group is assessed by Western intelligence agencies to conduct espionage primarily targeting government, military, and critical infrastructure entities.
How the Attack Works
The method at the heart of this campaign is DNS (Domain Name System) hijacking, combined with an Adversary-in-the-Middle (AitM) technique. DNS is the internet’s address book — when you type a website address, your router asks a DNS server to translate it into a numeric IP address. By taking control of that translation process, the attackers can silently intercept and redirect your traffic before it reaches its real destination.
According to the FBI, APT28 exploited a known vulnerability — CVE-2023-50224 — present in the TP-Link WR841N router model. This flaw allows an unauthenticated attacker to send specially crafted HTTP requests to extract login credentials from the device. Once credentials are obtained, a second request rewrites the router’s DNS settings, pointing them at IP addresses controlled by the GRU.
Forest Blizzard gained access to SOHO devices, then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers.
— Microsoft Threat Intelligence Division
Once a router is compromised, every device connected to it — laptops, phones, smart TVs — automatically inherits the poisoned DNS settings. From that point, lookups for specific domains (especially webmail and authentication login pages) are quietly resolved to fake, actor-owned servers designed to capture credentials and unencrypted communications. Lumen Technologies’ Black Lotus Labs, which tracked the campaign internally as FrostArmada, reported that at the peak of activity in December 2025, over 18,000 unique IP addresses across at least 120 countries were communicating with APT28’s infrastructure.
Who Was Targeted?
While SOHO routers — commonly found in homes and small offices — were the point of entry, the end targets were far from ordinary. The FBI stated the GRU “indiscriminately compromised a wide pool of U.S. and global victims” before filtering down to focus on “information related to military, government, and critical infrastructure.” The operation primarily targeted government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers used by sensitive organisations.
The NCSC described the initial DNS hijacking phase as “opportunistic in nature,” meaning APT28 first cast a wide net — exploiting any vulnerable router they could reach — then systematically filtered the captured traffic to identify high-value targets for deeper intrusion. This approach provides, as Microsoft noted, “a means of large-scale, continuous, and inconspicuous reconnaissance.”
The court-authorized FBI disruption operation neutralized part of the malicious network within the United States. However, the NSA’s warning is written in the present tense, calling for “immediate defensive action” — a signal that the threat is not fully neutralized. APT28 may have pivoted to other infrastructure or router models not yet publicly disclosed.
Which Routers Are Affected?
The NCSC published a list of 23 TP-Link router models targeted in this campaign. According to TP-Link Systems, all listed models have reached End of Service and Life (EOSL) status “several years ago” and are outside the company’s standard maintenance lifecycle. However, TP-Link stated it has “developed security updates for select legacy models where technically feasible.” The company strongly recommends that users still running these devices upgrade to a current, supported model.
One model — the TP-Link WR841N — is specifically identified in the FBI’s advisory as the device exploited using CVE-2023-50224. This router has been on the market since 2007 and remains one of the best-selling budget routers globally, making it a significant exposure point for consumers.
Note: the WR841N is the model specifically named in the FBI advisory with a known CVE. The NCSC states that its list of affected models may not be exhaustive, and MikroTik routers were also involved in the second activity cluster.
Timeline
The exact starting point of this campaign remains somewhat debated between agencies. The FBI’s public service announcement states attacks began “since at least 2024,” while Microsoft Threat Intelligence assessed that the infrastructure deployment specifically began “since at least August 2025,” shortly after the UK announced sanctions against Russian hackers connected to a separate campaign named “Authentic Antics.” Lumen’s tracking of the FrostArmada campaign aligns with the August 2025 start for the infrastructure phase. The joint advisory itself was published on April 7, 2026, coinciding with the DoJ and FBI announcing a court-authorized disruption of U.S.-based portions of the network.
What You Should Do Right Now
Both U.S. and UK agencies have issued clear guidance for individuals and organisations. If you own any of the listed TP-Link models — or any router you haven’t updated in more than a year — treat the following steps as urgent:
Recommended Mitigation Steps
- Replace any end-of-life or end-of-support router with a currently supported model. Devices that no longer receive security patches cannot be adequately defended.
- Update to the latest available firmware immediately. Visit the TP-Link official download centre and check your model for any available security patches.
- Verify the authenticity of DNS resolver addresses listed in your router’s DHCP settings. They should match your ISP’s assigned DNS or a reputable public DNS (e.g. 1.1.1.1 or 8.8.8.8) — not unfamiliar IP addresses.
- Change your router’s default administrator username and password to a strong, unique credential. This removes a primary attack vector used in CVE-2023-50224.
- Disable remote management interfaces exposed to the public internet. If you don’t need to manage your router remotely, turn the feature off entirely.
- Organisations supporting remote work should review VPN policies and consider requiring employees to upgrade outdated personal devices used for remote access to sensitive systems.
- If you suspect compromise, report the activity to your local FBI field office or file a complaint at ic3.gov, including your device type and current DHCP configuration details.
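One way to act on the DNS resolver check in the list above, as an added example that is not code from the advisory, TP-Link or the NCSC: a small Python audit that parses the resolvers a host was handed (from resolv.conf or a dhclient lease) and flags anything that is neither on your allowlist nor a LAN address. The ISP resolver addresses, the file contents and the "rogue" resolver are constructed placeholders.

```python
"""Audit the DNS resolvers a host was handed by its router (DHCP) against an allowlist.
Added example, not code from the advisory; all sample data below is constructed."""
import ipaddress
import re

# Resolvers you expect: your ISP's (placeholders) plus public resolvers the advisory names.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54", "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
# RFC 1918 ranges: a resolver here is normally the router itself forwarding queries.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed /etc/resolv.conf: the router forwards, plus one unfamiliar public address.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
nameserver 203.0.113.7
"""
# Constructed dhclient lease: the router pushed an unfamiliar resolver next to Google's.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  option domain-name-servers 203.0.113.7,8.8.8.8;
}
"""

_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
_LEASE_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")

def parse_resolvers(text):
    """Return resolver addresses found in resolv.conf or dhclient lease text, in order."""
    found = _RESOLV_RE.findall(text)
    for group in _LEASE_RE.findall(text):
        found.extend(ip.strip() for ip in group.split(","))
    return found

def classify(resolver, trusted=TRUSTED_RESOLVERS):
    """'trusted', 'lan' (router forwarding: verify the router's own upstream DNS, since a
    poisoned upstream is invisible from the host) or 'unexpected' (investigate)."""
    if resolver in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(resolver)
    except ValueError:
        return "unexpected"  # not even a valid address
    return "lan" if any(ip in net for net in LAN_NETS) else "unexpected"

def audit_resolvers(resolvers, trusted=TRUSTED_RESOLVERS):
    """Map every resolver the host was handed to its verdict."""
    return {r: classify(r, trusted) for r in resolvers}
```

A "lan" verdict only means the router is answering on the host's behalf; the router's WAN/DHCP DNS fields in its admin interface still need to be compared against the same allowlist, because that is exactly where this campaign rewrote the settings.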
Daniel Dos Santos, head of research at security firm Forescout, has noted that “attacks targeting routers have become a major trend in recent years” — encompassing not only consumer-grade home routers but enterprise networking equipment as well. The breadth and sophistication of the APT28 campaign underscore that risk.
For now, the most effective immediate action any user can take is straightforward: check your router model against the NCSC’s list of affected models, verify your DNS settings, update your firmware, and change your password. If your device is no longer receiving updates, replace it. A router that cannot be patched is a liability that state-sponsored attackers are actively scanning for.
