# US Disrupts Russian Espionage Operation Using Compromised Routers for DNS Hijacking Attacks


Federal law enforcement agencies have disrupted a sophisticated Russian espionage campaign orchestrated by the notorious APT28 threat group, which leveraged vulnerabilities in widely deployed TP-Link and MikroTik routers to conduct large-scale adversary-in-the-middle (AitM) attacks and DNS hijacking operations. The operation represents a critical reminder of how sophisticated nation-state actors exploit common infrastructure vulnerabilities to gain persistent access to sensitive communications and intelligence.


## The Threat: APT28's Infrastructure Campaign


APT28, also known as Fancy Bear, Forest Blizzard, and Sofacy, is the Russian military intelligence service's cyber operations unit with a documented history spanning over a decade. The group has been linked to high-profile intrusions including the 2016 US election interference, the NotPetya ransomware campaign, and countless espionage operations targeting NATO members, government agencies, and critical infrastructure operators.


The disrupted campaign represents a notable shift in APT28's operational approach. Rather than relying solely on sophisticated malware or spear-phishing campaigns, the group exploited vulnerabilities in consumer and enterprise-grade networking equipment to establish a persistent, difficult-to-detect network layer presence. This approach allowed the group to intercept communications across entire networks without requiring compromise of individual endpoints or user credentials.


## Technical Details: Vulnerable Routers and AitM Exploitation


### The Vulnerable Equipment


The operation centered on exploiting known security flaws in two major router manufacturers:


  • TP-Link Routers: Consumer and small-business routers widely deployed in homes and small offices
  • MikroTik RouterOS: Enterprise-grade routing equipment popular in managed service provider (MSP) environments and ISPs

Both manufacturers have released security patches for the vulnerabilities in question, though a significant installed base of unpatched devices remained accessible to attackers.


### Attack Methodology

The threat actors employed a multi-stage attack chain:

| Stage | Method | Impact |
|-------|--------|--------|
| Initial Access | Exploiting unpatched router vulnerabilities via default credentials or direct exploitation | Compromise of network gateway |
| Persistence | Installation of modified firmware or backdoored configurations | Long-term access maintained |
| AitM Positioning | Configuration of DNS hijacking and traffic redirection rules | Interception of victim communications |
| Data Exfiltration | Capture of DNS queries, SSL/TLS metadata, and unencrypted traffic | Intelligence collection |


Once they had gained access to the routers, APT28 configured the devices to perform DNS hijacking—redirecting victim traffic to attacker-controlled servers. This technique allows threat actors to intercept SSL/TLS handshakes, harvest authentication credentials, and monitor communications in real time without requiring advanced cryptographic capabilities.


The adversary-in-the-middle positioning is particularly dangerous because it operates at the network layer, affecting all traffic flowing through the compromised router. This means a single router compromise could expose dozens or hundreds of connected devices simultaneously.


## Background and Context: A Growing Infrastructure Threat

Nation-state cyber operations increasingly target network infrastructure rather than endpoint devices. This shift reflects both the maturation of defensive capabilities at the endpoint level and the persistent challenge of securing networking equipment across global deployments.

Why routers are attractive targets for state actors:


  • Persistent access: Router compromises survive endpoint reimaging and antivirus updates
  • Traffic visibility: A network-layer position provides access to all traffic passing through the device
  • Low visibility to defenders: Router compromises often go undetected due to limited logging and monitoring capabilities
  • Scale: A single compromised router in an ISP or MSP network can affect thousands of downstream customers
  • Difficulty to detect: Compromised routers lack the traditional indicators of compromise found on endpoint systems

The disruption operation demonstrates that US intelligence agencies and law enforcement have developed improved capabilities for identifying, attributing, and disrupting nation-state cyber operations at the infrastructure layer. However, the operation also highlights the ongoing difficulty of securing a global installed base of networking equipment against determined adversaries.


## Implications for Organizations

### Immediate Risks

Organizations operating or connected to compromised TP-Link or MikroTik routers face several critical security implications:

Data exposure: Any unencrypted traffic transmitted through compromised routers may have been captured and exfiltrated. This includes credentials, proprietary information, and sensitive communications.

Credential compromise: AitM attacks positioned at the network layer are particularly effective at harvesting authentication credentials, as they can intercept HTTPS traffic before encryption by capturing pre-authentication data and session tokens.

Supply chain contamination: Organizations receiving services through compromised MSP or ISP routers may have been indirectly exposed without their direct knowledge.

### Ongoing Threats

While the specific APT28 operation has been disrupted, the underlying vulnerabilities and attack methodology remain relevant. Other threat actors—both state-sponsored and criminal groups—may leverage similar techniques against organizations that have not addressed router security.

## Recommendations for Security Teams

### Immediate Actions

1. Audit router inventory: Conduct a comprehensive inventory of all TP-Link and MikroTik routers in your environment, including version numbers and firmware dates
2. Apply security patches: Immediately apply all available security updates from both manufacturers
3. Check configurations: Review router configurations for unauthorized DNS settings, unusual firewall rules, or suspicious access logs
4. Monitor for indicators: Search firewall and network logs for traffic patterns consistent with DNS hijacking or credential harvesting
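One way to automate the configuration review and log search in steps 3 and 4, as an added example that is not part of the original article: it reads a constructed router inventory export and constructed resolver log lines (both hypothetical formats), flags any router handing out DNS servers outside an approved set, and flags answers for watched names that differ from a known-good baseline. The approved resolver addresses, the watched names and their expected addresses are assumptions.

```python
# Added example, not from the article: flag routers that advertise DNS servers
# outside an approved set, and DNS answers that deviate from a known-good
# baseline. The export and log formats are constructed for illustration.

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate resolvers

# Constructed inventory export: name vendor firmware dns=<comma-separated servers>
ROUTER_EXPORT = """\
gw-office-1 mikrotik 7.12 dns=10.0.0.53,10.0.1.53
gw-branch-2 tplink 1.0.9 dns=10.0.0.53,198.51.100.7
gw-branch-3 mikrotik 6.45 dns=203.0.113.9
"""

# Known-good A records for names worth watching (constructed)
BASELINE = {"mail.example.com": {"192.0.2.25"}, "vpn.example.com": {"192.0.2.40"}}

# Constructed resolver log lines: <client> <qname> <type> <answer>
DNS_LOG = """\
10.0.5.12 mail.example.com A 192.0.2.25
10.0.5.19 vpn.example.com A 203.0.113.44
10.0.5.12 www.example.net A 198.51.100.3
"""

def parse_router_export(text):
    """Parse the export into dicts carrying the set of configured DNS servers."""
    routers = []
    for line in text.strip().splitlines():
        name, vendor, firmware, dns_field = line.split()
        servers = {s for s in dns_field.removeprefix("dns=").split(",") if s}
        routers.append({"name": name, "vendor": vendor, "firmware": firmware, "dns": servers})
    return routers

def rogue_resolvers(routers, approved=APPROVED_RESOLVERS):
    """Map router name -> DNS servers it hands out that are not on the approved list."""
    findings = {}
    for r in routers:
        unexpected = r["dns"] - approved
        if unexpected:
            findings[r["name"]] = unexpected
    return findings

def hijacked_answers(log, baseline=BASELINE):
    """Return (client, qname, answer) where a watched name resolved to an unexpected address."""
    hits = []
    for line in log.strip().splitlines():
        client, qname, rtype, answer = line.split()
        if rtype == "A" and qname in baseline and answer not in baseline[qname]:
            hits.append((client, qname, answer))
    return hits
```

A router in `rogue_resolvers` output or any hit from `hijacked_answers` is a lead for a configuration review, not proof of compromise; legitimate changes to resolvers or to the baselined records produce the same signal.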


### Long-Term Security Improvements

  • Implement network segmentation: Isolate critical systems behind multiple layers of network controls
  • Deploy encrypted communications: Mandate HTTPS, DNS-over-HTTPS (DoH), and encrypted VPN connections to minimize the impact of network-layer attacks
  • Enhance router security: Change default credentials, disable unnecessary services, and enable security logging on all network infrastructure
  • Increase monitoring: Implement network-based intrusion detection and DNS query logging to identify suspicious activity
  • Vendor security assessment: Evaluate routers based on security update frequency, vulnerability disclosure policies, and manufacturer responsiveness

## Conclusion

The disruption of APT28's router-based espionage operation marks a significant enforcement action against a persistent Russian threat actor. However, the incident serves as a broader warning about the vulnerability of network infrastructure to sophisticated adversaries. Organizations must treat router security with the same rigor traditionally reserved for endpoint protection, implementing robust patching programs, security monitoring, and network segmentation to defend against similar attacks.

As nation-state cyber operations continue evolving to exploit infrastructure weaknesses, maintaining awareness of emerging threats and executing foundational security practices—particularly in network device management—remains essential for protecting organizational security and sensitive communications.