
Operation Masquerade: FBI Disrupts APT28 Campaign Across 18,000 Hijacked Routers

Why Practitioners Should Care First

If your organization has employees working from home, branch offices running consumer-grade networking gear, or remote sites with TP-Link or MikroTik routers, this campaign was designed to reach you without ever touching your corporate perimeter.

APT28 didn’t need to breach your firewall, compromise an endpoint, or phish an employee. They changed the DNS settings on the router sitting between your employee’s laptop and the internet. Every device on that network (the work laptop, the personal phone, the tablet) then resolved domain names through attacker-controlled servers. When someone opened Outlook Web Access, APT28’s infrastructure served a lookalike page, captured the OAuth token, and passed the user through to the real service. The victim noticed nothing. MFA was bypassed entirely because the attackers captured the authenticated session token rather than the password.

That is the operational reality that prompted the FBI to launch Operation Masquerade on April 7, 2026.

The Campaign

The threat group tracked by Microsoft as Forest Blizzard, and widely known as APT28 or Fancy Bear, has been exploiting SOHO routers since at least 2024. The campaign compromised more than 18,000 devices across 120+ countries. Microsoft Threat Intelligence identified over 200 targeted organizations and 5,000 impacted consumer devices.

The target list included government agencies, military organizations, IT companies, telecom providers, energy sector entities, and critical infrastructure operators. Lumen’s Black Lotus Labs identified additional victims linked to Afghanistan’s government, foreign affairs agencies in North Africa and Central America, national law enforcement in Southeast Asia, and an unnamed European country’s national identity platform.

The FBI confirmed that APT28 actors compromised routers in more than 23 U.S. states. ISPs are being contacted to notify affected users, but if you operate a TP-Link or MikroTik router, you should verify your DNS settings now rather than waiting for notification.

How the Attack Chain Worked

APT28’s approach was methodical and low-noise.

Initial access came through known vulnerabilities in TP-Link routers (including the WR841N via CVE-2023-50224, the Archer C5/C7 series, and several other models) and through default SNMP v2 community strings. SNMP v2 transmits credentials in plaintext, and the default community strings “public” and “private” are still in use on a staggering number of consumer routers deployed in home offices and small branch locations.

DNS manipulation was the core technique. Once inside a router, the attackers modified DHCP and DNS configurations to replace legitimate DNS resolvers with servers they controlled. This is not malware installation. There is no payload on disk, no process to detect, no file to scan. The router’s configuration simply points somewhere different, and every device downstream inherits that change automatically.

Credential harvesting happened through adversary-in-the-middle attacks on TLS connections. When a compromised network’s traffic hit an attacker-controlled DNS resolver, the resolver spoofed responses for targeted domains, particularly Microsoft Outlook Web Access. APT28’s infrastructure presented an invalid TLS certificate. If the user ignored the certificate warning (or if the application didn’t enforce certificate validation), the attacker intercepted the plaintext traffic, capturing OAuth tokens, passwords, and email content.

The FBI’s assistant cyber division director put it bluntly: “When you change the internet settings in a router like they did, it propagates to all the devices in your house. All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses.” One compromised router means every device on that network is sending traffic through the adversary’s infrastructure.

What the FBI Did

Operation Masquerade was a court-authorized technical operation led by FBI Boston, with support from the DOJ’s National Security Division, Lumen’s Black Lotus Labs, Microsoft Threat Intelligence, and the UK’s NCSC.

The FBI developed and tested a series of commands on affected TP-Link firmware and hardware. These commands performed three functions: collected forensic evidence of APT28’s activity, reset DNS settings to force routers back to legitimate ISP-provided resolvers, and blocked the specific access method APT28 had used to compromise the devices.

The operation did not impact normal router functionality, did not collect user content, and can be reversed by legitimate users through a factory reset or manual reconfiguration. The FBI is working with ISPs to notify affected users directly.

This is the fourth FBI disruption operation targeting APT-controlled router infrastructure since 2018. The progression tells a story about how both sides are adapting. In 2018, the FBI sinkholed a domain used by the VPNFilter botnet. In 2022, they targeted the Cyclops Blink botnet. In 2024, Operation Dying Ember went after another botnet. With Operation Masquerade, the FBI moved beyond passive sinkholing to actively sending remediation commands to compromised devices on U.S. soil.

The Practitioner Problem

This campaign exposes a gap that most enterprise security programs have not addressed: the network edge devices that sit upstream of corporate traffic in distributed work environments.

Consider the typical remote worker setup. An employee connects a company-issued laptop to their home Wi-Fi. The laptop runs EDR, connects to a corporate VPN, and enforces security policies. But the router that provides the Wi-Fi connection is a consumer-grade device that the employee bought at a retail store, configured once, and never updated. That router has default credentials, outdated firmware, SNMP v2 with default community strings, and remote management enabled. The corporate security team has zero visibility into it.

When APT28 changes the DNS settings on that router, the VPN connection may still protect corporate traffic, but everything else on that network, including authentication flows that happen before the VPN connects, is exposed. And if the employee accesses Outlook Web Access outside the VPN tunnel, their OAuth token is captured through the AiTM attack without any security control detecting it.

For organizations subject to compliance frameworks, this is a scope question that gets uncomfortable fast. PCI DSS Requirement 1 addresses network security controls. Requirement 12.8 covers third-party service provider management. But neither requirement was designed to address the security posture of an employee’s home router, even when that router is the first hop for traffic carrying authentication credentials to cloud services that access the cardholder data environment.

What to Check Now

If you manage infrastructure or support remote workers, these are the immediate actions:

For any TP-Link or MikroTik router in your environment or your employees’ home offices: verify DNS settings manually. The attacker-controlled resolvers used IP ranges including 77.83.197.x, 79.141.161.x, and 185.237.166.x. If you see unfamiliar DNS servers configured, treat the device as compromised.

For all SOHO routers: update firmware to the latest version. If the router is on the manufacturer’s end-of-life list, replace it. Disable SNMP v2 or change community strings from defaults. Disable remote management unless it is explicitly required and properly secured.

For identity and access management: this campaign is another data point for why phishing-resistant MFA (FIDO2/WebAuthn) matters. Traditional MFA, including push notifications and OTP codes, does not protect against AiTM attacks that capture the post-authentication session token. Passkeys bound to the legitimate origin domain cannot be intercepted by a proxy sitting between the user and the real service.
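The origin-binding claim above is what makes passkeys resistant to this kind of proxy. The following is an added example, not code from the original post or from any vendor: it models the relying-party-side checks on a WebAuthn assertion’s clientDataJSON. The browser writes the origin it is actually talking to into that JSON, and the authenticator signs `authenticatorData || SHA-256(clientDataJSON)`, so an assertion produced on a lookalike origin carries the wrong origin and a different signed payload. The origin `https://login.example.com`, the lookalike, and the challenge bytes are all constructed for illustration; no real authenticator or signature verification is involved.

```python
"""Relying-party checks on WebAuthn clientDataJSON (added example, constructed data).

Assumption: the RP's legitimate origin is https://login.example.com. The
clientDataJSON values built here imitate what a browser would produce; they
are constructed samples, not captured from a real ceremony.
"""
import base64
import hashlib
import json

RP_ORIGIN = "https://login.example.com"  # hypothetical relying party origin


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes challenges."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build the clientDataJSON a browser would emit for an assertion (constructed)."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def check_assertion(client_data_json: bytes, expected_challenge: str,
                    expected_origin: str = RP_ORIGIN):
    """Return None when the client data passes RP checks, else a rejection reason.

    The origin comparison is the step an AiTM proxy cannot satisfy: the browser
    fills in the origin it connected to, and the RP compares it to its own.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return "challenge mismatch (possible replay)"
    if data.get("origin") != expected_origin:
        return f"origin mismatch: {data.get('origin')!r}"
    return None


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator signs: authData || SHA-256(clientDataJSON).

    Because the origin is inside clientDataJSON, an assertion signed for one
    origin cannot verify as a signature over another origin's payload.
    """
    return authenticator_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    challenge = b64url_encode(b"constructed-challenge-bytes")
    genuine = make_client_data(RP_ORIGIN, challenge)
    proxied = make_client_data("https://login-example.com", challenge)  # lookalike origin
    auth_data = b"\x00" * 37  # placeholder authenticatorData (constructed)
    print("genuine:", check_assertion(genuine, challenge))
    print("proxied:", check_assertion(proxied, challenge))
    print("payloads differ:", signed_payload(auth_data, genuine) != signed_payload(auth_data, proxied))
```

Contrast this with an OTP or push approval: nothing in those flows names the origin, so a proxy that relays the login page can relay the second factor and keep the resulting session token.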

For detection teams: monitor for DNS resolver changes on managed network equipment. Look for TLS certificate warnings being suppressed or ignored in authentication flows. Review Microsoft Entra ID sign-in logs for sessions originating from unexpected IP ranges or showing anomalous user-agent strings.
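The DNS checks in this section (compare configured resolvers against the ranges listed above, and watch for resolver changes on managed equipment) reduce to the same small routine. The following is an added example, not code from the original post, the FBI, or any vendor. It takes resolver configuration as text, in either `resolv.conf` style (`nameserver 1.2.3.4`) or a constructed `dns1=1.2.3.4` router-export style, and flags each resolver as `known-bad` when it falls inside one of the ranges the post names, or as `drift` when it is not in your recorded baseline. Treating the post’s `77.83.197.x` notation as a /24 is an assumption, and the sample configs and baseline are constructed.

```python
"""Flag DNS resolvers that match listed attacker ranges or drift from a baseline.

Added example, not from the original post. Assumes resolver settings are
exported as text from a router or read from a client's /etc/resolv.conf.
The /24 prefix width is an assumption: the post writes the last octet as "x".
"""
import ipaddress
import re

# Resolver ranges named in the post; /24 width is an assumption.
KNOWN_BAD_RANGES = [
    ipaddress.ip_network("77.83.197.0/24"),
    ipaddress.ip_network("79.141.161.0/24"),
    ipaddress.ip_network("185.237.166.0/24"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed samples: a client resolv.conf handed out by a tampered router,
# and a router config export that still points at the expected resolvers.
SAMPLE_CLIENT_RESOLV = """# Generated by DHCP (constructed sample)
nameserver 77.83.197.10
nameserver 1.1.1.1
"""
SAMPLE_ROUTER_EXPORT = """dns1=192.168.0.1
dns2=9.9.9.9
"""
BASELINE_RESOLVERS = ["192.168.0.1", "9.9.9.9"]  # what you recorded at deployment


def extract_resolvers(config_text: str):
    """Pull resolver IPs from resolv.conf lines or dnsN=... style lines."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("nameserver") or re.match(r"^dns\d*\s*[=:]", line, re.I):
            for ip_text in IPV4_RE.findall(line):
                try:
                    found.append(ipaddress.ip_address(ip_text))
                except ValueError:
                    continue  # skip tokens that only look like an address
    return found


def classify_resolvers(config_text: str, baseline):
    """Return {resolver: reason} for every resolver needing attention.

    reason is 'known-bad' when the address sits in a listed range, otherwise
    'drift' when it is absent from the baseline; clean resolvers are omitted.
    """
    baseline_set = {ipaddress.ip_address(b) for b in baseline}
    findings = {}
    for ip in extract_resolvers(config_text):
        if any(ip in net for net in KNOWN_BAD_RANGES):
            findings[str(ip)] = "known-bad"
        elif ip not in baseline_set:
            findings[str(ip)] = "drift"
    return findings


if __name__ == "__main__":
    print("client:", classify_resolvers(SAMPLE_CLIENT_RESOLV, BASELINE_RESOLVERS))
    print("router:", classify_resolvers(SAMPLE_ROUTER_EXPORT, BASELINE_RESOLVERS))
```

A `drift` finding is not proof of compromise on its own (an ISP can legitimately change its resolvers), but on a device where nobody should have touched the DNS settings it deserves the same follow-up as a `known-bad` hit: pull the full config, check firmware version and SNMP settings, and compare against what was recorded when the device was deployed.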

The Bigger Picture

Operation Masquerade is the latest proof point in a trend that has been building for years: nation-state actors are targeting the devices that security teams don’t manage, don’t monitor, and often don’t even know exist in their extended network. The FCC’s recent ban on new foreign-made consumer routers was a policy response to this exact threat surface. But the routers that are already deployed, the ones running in millions of home offices and small branch locations right now, are the ones that APT28 spent two years quietly compromising.

The FBI can remediate U.S. routers through court-authorized operations. What it can’t do is patch the firmware, replace end-of-life devices, or change the default credentials on the router sitting under your remote employee’s desk.

That part is on us.

Author: Juan Carlos Munera
Passionate about cybersecurity, governance, risk, and compliance. Sharing insights on security best practices, frameworks, and industry trends.
