FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks


The Cyber Express, Apr 8, 2026

Why It Matters

Disrupting APT28’s router‑based DNS hijacking curtails a major espionage channel and signals heightened U.S. resolve against state‑sponsored cyber threats, protecting both consumer and enterprise data.

Key Takeaways

  • FBI disrupted APT28’s global router hijacking network.
  • Operation Masquerade reset DNS on compromised TP‑Link devices.
  • APT28 exploited CVE‑2023‑50224 to control thousands of SOHO routers.
  • Hijacked DNS targeted Microsoft Outlook services for credential harvesting.
  • Experts urge firmware updates and MFA to mitigate router‑based attacks.

Pulse Analysis

APT28, also known as Fancy Bear, has refined a low-cost, high-impact espionage technique: compromise consumer-grade routers and hijack the DNS traffic that passes through them. By changing the resolver a router hands to its clients (or the upstream resolver the router itself forwards to), the group controls what those clients resolve before any TLS session is negotiated. A hijacked resolver cannot decrypt a genuine Outlook session, but by answering for Microsoft's hostnames it can steer clients to attacker-controlled endpoints that present a spoofed login flow and harvest OAuth tokens, passwords, and email content. The scale of the operation, spanning thousands of TP-Link devices worldwide and affecting users in more than 23 U.S. states, shows how nation-state actors turn everyday hardware into a foothold in both personal and corporate environments.

Operation Masquerade, a court-authorized FBI initiative, was a direct intervention against foreign intelligence infrastructure running on devices inside the United States. Agents issued commands to the compromised routers to capture activity logs, reset DNS settings to the owners' legitimate ISP resolvers, and block further unauthorized access. The approach was tested beforehand to avoid service disruption; owners who want to undo the FBI's changes, and any the attacker left behind, can factory reset the device. A factory reset clears the configuration but not the vulnerable firmware, so a device that stays unpatched can be compromised again. By neutralizing the malicious DNS infrastructure, the FBI halted ongoing credential harvesting and gathered intelligence on APT28's tactics, techniques, and procedures, informing future defensive strategies.

The takedown is part of a broader shift toward proactive defense against threats that live in edge hardware rather than on endpoints. The practical guidance that follows from it: replace end-of-life routers that no longer receive updates, apply firmware patches, disable remote (WAN-side) management or restrict it to trusted addresses, and verify that the DNS servers the router advertises to clients, and the upstream resolver it forwards to, are the ones you expect. Multi-factor authentication adds a layer of protection against credential theft stemming from DNS hijacks, with a caveat: a spoofed login page that relays the victim's one-time code to the real service can still capture the resulting session token, so phishing-resistant MFA (FIDO2/WebAuthn) is the form that actually blunts this technique. As adversaries continue to weaponize vulnerable IoT and SOHO devices, coordinated public-private efforts and rapid mitigation guidance will be essential to safeguard both consumers and enterprises.
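The two checks a defender can run against the technique described above, as an added example that is not from the article, the FBI, or any TP-Link tooling: first, confirm that the resolvers a client received from the router are on an allowlist or at least inside the LAN; second, compare the LAN resolver's answers for sensitive hostnames against an independent reference resolver (one queried over DoH/DoT or from another network, which the compromised router cannot influence). The second check matters because an attacker who changes only the router's upstream forwarder leaves clients pointing at the router's own LAN address, which the first check cannot flag. All addresses, the resolv.conf text, and the DNS answers are constructed sample data using documentation ranges; `EXPECTED_RESOLVERS` stands in for whatever your ISP or site actually uses.

```python
import ipaddress
import re

# Constructed resolv.conf as a client might see it after a router DNS hijack:
# DHCP now pushes an attacker-controlled resolver first (203.0.113.7 is a
# documentation address standing in for a real one), with the router second.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 203.0.113.7
nameserver 192.168.0.1
search home.lan
"""

# Assumed allowlist: the router itself (as a forwarder) plus the ISP resolvers.
EXPECTED_RESOLVERS = {"192.168.0.1", "198.51.100.53", "198.51.100.54"}

# RFC 1918 / loopback / link-local ranges spelled out explicitly, because
# ipaddress.is_private also treats the documentation ranges used here as
# private and would hide the attacker address in this sample.
LAN_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
))

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def configured_resolvers(resolv_conf_text):
    """Return resolver addresses, in order, from resolv.conf-style text."""
    return [m.group(1) for m in NAMESERVER_RE.finditer(resolv_conf_text)]


def unexpected_resolvers(resolv_conf_text, expected):
    """Resolvers that are neither allowlisted nor inside the LAN.

    A LAN address is tolerated because the router normally forwards for
    clients; a public address that is not on the allowlist is the signal.
    Unparseable entries are flagged rather than silently skipped.
    """
    flagged = []
    for addr in configured_resolvers(resolv_conf_text):
        if addr in expected:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(addr)
            continue
        if any(ip in net for net in LAN_NETWORKS):
            continue
        flagged.append(addr)
    return flagged


# Constructed answers: what the LAN resolver returned versus what the
# reference resolver returned. The Outlook answer has been swapped for an
# attacker host; the other two overlap with the reference as they should.
LOCAL_ANSWERS = {
    "outlook.office365.com": {"203.0.113.20"},
    "login.microsoftonline.com": {"198.51.100.10", "198.51.100.11"},
    "example.com": {"192.0.2.1"},
}
REFERENCE_ANSWERS = {
    "outlook.office365.com": {"198.51.100.30", "198.51.100.31"},
    "login.microsoftonline.com": {"198.51.100.11", "198.51.100.12"},
    "example.com": {"192.0.2.1"},
}


def divergent_answers(local, reference):
    """Hostnames whose local answer shares no address with the reference.

    CDN-fronted services rotate addresses, so an exact-match test would be
    noisy; a completely disjoint answer set for the same name, queried at
    the same time, is what a hijacked resolver produces.
    """
    return sorted(
        name for name, addrs in local.items()
        if name in reference and not (addrs & reference[name])
    )


def audit(resolv_conf_text, expected, local, reference):
    """Run both checks and return the findings together."""
    return {
        "unexpected_resolvers": unexpected_resolvers(resolv_conf_text, expected),
        "divergent_answers": divergent_answers(local, reference),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS,
                     LOCAL_ANSWERS, REFERENCE_ANSWERS)
    for check, hits in findings.items():
        print(f"{check}: {hits or 'none'}")
```

On a real network the `LOCAL_ANSWERS` side comes from querying the router's address for each hostname and the `REFERENCE_ANSWERS` side from a resolver reached over an encrypted channel the router cannot rewrite; run both queries within seconds of each other so CDN rotation does not produce a false disjoint set. The resolv.conf check is the cheap one to put in a login script; the divergence check is the one that catches an upstream-forwarder change.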

