FBI Disrupts APT28 Network Executing Large-Scale DNS Hijacking Campaigns
The recent intervention by U.S. authorities against the Russian-linked threat group APT28 marks a significant escalation in the ongoing battle against cyber threats. APT28, also known as Fancy Bear, has been exploiting vulnerable network devices to conduct extensive DNS hijacking operations, facilitating adversary-in-the-middle (AitM) attacks. The U.S. Department of Justice and the FBI have launched a court-authorized operation aimed at disrupting this malicious infrastructure, underscoring the seriousness of the threat posed by such cyber activities.
Understanding DNS Hijacking and AitM Tactics
APT28’s modus operandi involves DNS hijacking, a technique that alters how domain names are resolved into IP addresses. By manipulating DNS settings at the router level, attackers can redirect legitimate internet traffic through their malicious infrastructure. This tactic enables AitM attacks, where unsuspecting victims connect to counterfeit services that mimic legitimate platforms. Such malicious endpoints allow attackers to intercept login sessions and extract sensitive information, including passwords, OAuth tokens, and emails.
The FBI and the National Cyber Security Centre (NCSC) have highlighted that these attacks can affect both browser sessions and desktop applications, amplifying the scale and effectiveness of credential harvesting.
U.S. Operation Targets APT28 Infrastructure
The disruption operation, publicly disclosed by the Department of Justice, specifically targeted a network of compromised small office/home office (SOHO) routers controlled by APT28. This group is widely attributed to Russia’s GRU Unit 26165 and has been known to operate under various aliases, including Sofacy, Sednit, and STRONTIUM.
Since at least 2024, APT28 has been exploiting known vulnerabilities to gain access to thousands of TP-Link routers worldwide. After compromising these devices, the attackers modified router configurations to redirect DNS traffic to servers they controlled. Initially, these operations were indiscriminate, but the attackers later implemented automated filtering mechanisms to identify DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records for domains, particularly those mimicking Microsoft Outlook services, facilitating AitM attacks against encrypted traffic.
This approach enabled APT28 to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.
Official Statements on the Threat
U.S. officials have characterized the APT28 campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg remarked on the GRU’s predatory use of networks in American homes and businesses for malicious cyber operations, emphasizing that this remains a serious and ongoing threat. U.S. Attorney David Metcalf highlighted that Russian military intelligence has hijacked American hardware to commandeer critical data, asserting the government’s commitment to respond aggressively to nation-state cyber threats.
FBI officials have also stressed the campaign’s extensive reach. Assistant Director Brett Leatherman noted that compromised routers have been used globally for espionage, while Special Agent Ted E. Docks pointed out that devices across more than 23 U.S. states have been weaponized.
How the FBI Disrupted the DNS Hijacking Network
As part of the operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. segment of APT28’s infrastructure. According to court documents, the FBI executed several key actions:
- Commands were sent to compromised routers to collect evidence of APT28 activity.
- DNS settings were reset, removing malicious resolvers and restoring legitimate ISP configurations.
- The actors’ ability to regain unauthorized access was blocked.
The operation was meticulously tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. Notably, the remediation steps can be reversed by users through factory resets or manual configuration changes.
Continued Router Exploitation and Infrastructure Tactics
Recent findings from the NCSC have documented how APT28 has utilized Virtual Private Servers (VPSs) as part of its malicious DNS infrastructure. Two primary clusters of activity have been identified:
- Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and AitM attacks.
- Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.
APT28’s activities have also included exploiting vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.
Targeted Services and Indicators
APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including:
- autodiscover-s.outlook[.]com
- imap-mail.outlook[.]com
- outlook.live[.]com
- outlook.office[.]com
- outlook.office365[.]com
These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services.
Mitigation and Security Recommendations
Both the FBI and the NCSC recommend immediate actions to mitigate risks associated with DNS hijacking and AitM attacks:
- Replace end-of-life or unsupported routers.
- Update firmware to the latest available versions.
- Verify DNS settings to ensure they point to legitimate resolvers.
- Disable or secure remote management interfaces.
- Implement firewall rules to limit exposure.
- Enable multi-factor authentication (MFA) to reduce credential abuse.
- Monitor networks and report suspected compromises to the appropriate authorities.
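The two checks that follow from the mechanism described above (a router handing out attacker-controlled resolvers, which then return fraudulent records for the Outlook domains) and from the "verify DNS settings" recommendation can be scripted. The block below is an added example, not code from the article, the FBI or the NCSC. It parses the resolvers a client was given, flags any outside an allowlist of expected resolver networks, and compares A-record answers for the watchlisted domains between the configured resolver and a trusted one. The allowlist, the sample resolv.conf and the answer tables are constructed placeholders using RFC 5737 documentation ranges; in practice the answer tables would be filled by real lookups against each resolver (for example with dnspython), which this offline example deliberately does not perform.

```python
"""DNS hijack check for a SOHO network (added example, not from the article).

1. unexpected_resolvers(): resolvers outside the networks you expect (your router,
   your ISP's resolvers, or a resolver you chose deliberately).
2. compare_answers(): A records for sensitive domains that differ between the
   configured resolver and a trusted resolver, i.e. the AitM symptom described
   in the article.
All sample data below is constructed; none of it is an indicator from the report.
"""
import ipaddress

# Domains the article lists as frequently targeted by the hijacked resolvers.
WATCHLIST = [
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
]

# Hypothetical allowlist: the home router's LAN range and a pretend ISP resolver
# range (TEST-NET-2). Replace with the networks you actually expect.
ALLOWED_RESOLVER_NETWORKS = ["192.168.0.0/16", "198.51.100.0/24"]

# Constructed resolv.conf as a DHCP client might receive it from a tampered
# router: the router itself plus an unexpected second resolver (TEST-NET-3).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.45   # not the ISP's resolver
"""

# Constructed answer tables: what each resolver returned for the watchlist.
# Only one domain is answered differently by the configured resolver.
TRUSTED_ANSWERS = {d: ["192.0.2.10"] for d in WATCHLIST}
CONFIGURED_ANSWERS = dict(TRUSTED_ANSWERS)
CONFIGURED_ANSWERS["outlook.office365.com"] = ["203.0.113.77"]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries
    return servers


def unexpected_resolvers(servers, allowed_networks):
    """Resolvers that fall outside every allowlisted network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def compare_answers(configured, trusted, watchlist=WATCHLIST):
    """Domains whose A records differ between the two resolvers.

    `configured` and `trusted` map domain -> iterable of IP strings. A missing
    domain counts as an empty answer, so NXDOMAIN on one side is also flagged.
    """
    mismatches = {}
    for domain in watchlist:
        c = set(configured.get(domain, ()))
        t = set(trusted.get(domain, ()))
        if c != t:
            mismatches[domain] = {"configured": sorted(c), "trusted": sorted(t)}
    return mismatches


def run_check(resolv_conf=SAMPLE_RESOLV_CONF,
              allowed=ALLOWED_RESOLVER_NETWORKS,
              configured=CONFIGURED_ANSWERS,
              trusted=TRUSTED_ANSWERS):
    """Run both checks and return a report dict; suspicious is True if anything fired."""
    servers = parse_resolv_conf(resolv_conf)
    bad = unexpected_resolvers(servers, allowed)
    diffs = compare_answers(configured, trusted)
    return {
        "resolvers": servers,
        "unexpected_resolvers": bad,
        "mismatches": diffs,
        "suspicious": bool(bad or diffs),
    }


if __name__ == "__main__":
    report = run_check()
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the report flags 203.0.113.45 as an unexpected resolver and outlook.office365.com as answered differently by the configured resolver. A mismatch on one of these domains is not proof of hijacking on its own (large services legitimately return different addresses from different vantage points), so treat it as a prompt to inspect the router's DNS and DHCP configuration rather than as a verdict; an unexpected resolver address, by contrast, is exactly the configuration change the article describes.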
For further insights into these developments, visit the original report on thecyberexpress.com.