Routers Under Siege: How U.S. Agents Crushed Russia’s Global DNS Espionage Web

It began with a quiet, invisible infiltration - routers in homes and small offices across the globe, silently commandeered by Russian state hackers. This week, the U.S. Justice Department and the FBI revealed they had smashed a sophisticated Russian espionage campaign that weaponized everyday internet devices to spy on governments and critical infrastructure in the United States and beyond. The operation, attributed to the notorious APT28 (aka Fancy Bear), marks one of the most significant digital counterstrikes in recent memory. But how did these hackers turn common routers into global listening posts - and how did authorities finally take them down?

Fast Facts

• Russian APT28 hackers hijacked thousands of TP-Link and MikroTik routers using known vulnerabilities.
• Attackers reconfigured DNS and DHCP settings to secretly capture sensitive internet traffic.
• Over 200 organizations and 5,000 consumer devices were impacted, according to Microsoft.
• Lumen Technologies detected over 18,000 unique IPs from 120+ countries communicating with the attackers.
• U.S. and U.K. agencies, with tech industry help, dismantled the malicious infrastructure in early 2026.

Inside the Operation

The Russian group, tracked under names like Forest Blizzard and Fancy Bear, exploited a known vulnerability (CVE-2023-50224) to seize control of targeted routers. Once inside, they altered the routers’ network settings - specifically, the DNS (Domain Name System) and DHCP (Dynamic Host Configuration Protocol) configurations. This subtle tweak funneled all web requests from connected devices through servers secretly controlled by the hackers.

Using a classic adversary-in-the-middle (AitM) technique, the attackers intercepted what victims believed were secure, encrypted connections. If users ignored browser warnings about invalid security certificates, the attackers could harvest passwords, authentication tokens, emails, and browsing activity - potentially exposing sensitive government and infrastructure data.

Microsoft and Lumen Technologies played a critical role in analyzing and tracking the campaign. Microsoft identified more than 200 affected organizations and thousands of consumer devices, while Lumen’s Black Lotus Labs detected a peak of 18,000 infected IP addresses spanning over 120 countries. Many victims were government agencies, foreign ministries, and law enforcement bodies.

The attackers used legitimate tools like dnsmasq - commonly built into routers - to forward and manipulate DNS queries, sometimes even spoofing responses to direct victims to attacker-controlled sites for further exploitation or malware deployment. The campaign’s timing, beginning in August 2025, appeared to coincide with international sanctions against Russian hackers.

U.S. and U.K. authorities, collaborating with Microsoft, Lumen, and other partners, ultimately disrupted the rogue infrastructure. The U.K.’s National Cyber Security Centre released technical indicators and defense recommendations to help organizations shore up their defenses. This takedown follows earlier U.S. actions against similar Russian botnets targeting routers.

Reflection

This operation underscores a chilling reality: the humble home router is now a frontline target in global cyber warfare. As attackers grow bolder and more creative, even everyday devices can become tools of international espionage. The case stands as a warning - and a call to vigilance - for organizations and individuals alike: in the digital age, security begins at home.

WIKICROOK

• APT28: APT28, or Fancy Bear, is a Russian state-backed hacking group known for cyber-espionage against Western governments and organizations.
• DNS Hijacking: DNS Hijacking is when attackers secretly alter DNS settings, redirecting users to fake or harmful websites without their knowledge to steal data or spread malware.
• SOHO Router: A SOHO router connects home or small office devices to the internet and is often targeted by attackers due to weak security settings.
• Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
• CVE: CVE, or Common Vulnerabilities and Exposures, is a system for uniquely identifying and tracking publicly known cybersecurity flaws in software and hardware.