Russia Hijacked 18,000 Home Routers. Check If Yours Was Hit.

Russian military hackers (APT28) compromised 18,000+ routers via DNS hijacking to silently steal OAuth tokens. Your ISP probably knew. You were not notified.

By They Didn't Ask
Russian military intelligence has been inside your home network for months. And your ISP did not tell you.

In April 2026, Krebs on Security confirmed that APT28 — also known as Forest Blizzard, the GRU unit responsible for the DNC hack and NotPetya — had compromised 18,000+ consumer and small business routers using DNS hijacking. The FBI and international partners dismantled the infrastructure under Operation Masquerade, but the routers themselves remain infected.

The Adversary

APT28 (Fancy Bear, Forest Blizzard, Sofacy, STRONTIUM, Pawn Storm) is Unit 26165 of the Russian GRU's Main Center for Special Technologies (GTsST). Tracked since at least 2007, this unit has conducted some of the most consequential cyber operations of the past decade:

- 2016: Democratic National Committee hack and email leak during the US presidential election
- 2017: NotPetya ransomware — the most destructive cyberattack in history, causing over USD 10 billion in damages globally
- 2018: Olympic Destroyer — targeted the PyeongChang Winter Olympics opening ceremony
- 2018: VPNFilter — compromised over 500,000 routers across 54 countries
- 2020: SolarWinds supply chain compromise (in coordination with APT29)
- 2022: Destructive attacks against Ukrainian civilian infrastructure, government networks, and telecom providers
- 2025-2026: FrostArmada — the router DNS hijacking campaign detailed here

The FrostArmada campaign is consistent with APT28's long-standing methodology: persistent access via edge devices, credential harvesting through man-in-the-middle infrastructure, and indiscriminate broad targeting followed by triage for intelligence value.

Vulnerabilities Exploited

APT28 weaponized publicly known CVEs against end-of-life or unpatched routers:

CVE-2023-30799 (CVSS 9.1): MikroTik RouterOS privilege escalation. Affects RouterOS stable before 6.49.7 and long-term through 6.48.6. An authenticated attacker on the Winbox or HTTP interface can escalate from admin to super-admin and execute arbitrary code on the underlying OS. First disclosed at REcon 2022 (FOISted exploit). Despite patches existing since late 2022, Shodan scans showed up to 900,000 MikroTik devices remained exposed at the time of the campaign — 60% still using the default "admin" user.

CVE-2023-50224 (CVSS 6.5): TP-Link WR841N authentication bypass. An unauthenticated, network-adjacent attacker can extract stored credentials via specially crafted HTTP GET requests to the httpd service on port 80. With credentials in hand, a second crafted request alters the DHCP DNS settings. The WR841N reached end-of-life years ago; TP-Link released partial patches only where technically feasible.

CVE-2023-1389 (CVSS 8.8): TP-Link Archer AX21 command injection. The country parameter on the /cgi-bin/luci;stok=/locale endpoint was passed unsanitized to popen(), allowing unauthenticated remote code execution as root. Patched in firmware 1.1.4 Build 20230219, but already added to CISA's Known Exploited Vulnerabilities catalog and weaponized by multiple botnets before APT28 incorporated it.

The NCSC advisory also identifies a broader cluster targeting TP-Link WR740N, WR741ND, WR840N, WR841HP, WR842ND, and other legacy SOHO models. No zero-days were required — every vulnerability used had public patches for years.

The Adversary-in-the-Middle Mechanism

The technical sophistication of this campaign lies in its simplicity. APT28 did not deploy malware on victim endpoints. They simply positioned themselves upstream:

DNS hijacking: After compromising a router, attackers modified its DHCP DNS settings to point to VPS servers they controlled. Connected devices inherited these settings automatically. Legitimate DNS lookups (google.com, microsoft.com) resolved correctly. Targeted lookups (login.microsoftonline.com, login.live.com) returned attacker-controlled IPs.
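The selective hijacking just described (honest answers for google.com, attacker IPs for login.microsoftonline.com) is something a client can test for itself, and it is also what the "Verify DNS settings" step of the cleanup guide further down asks you to confirm. The script below is an added example, not code from this article or from any vendor. It resolves the two login domains and two control domains through whatever resolver DHCP assigned, resolves them again through Google's public DoH JSON endpoint as a reference, flags the article's pattern (control domains agree, login domains do not), and settles a suspect answer with a hostname-verified TLS handshake, which fails against a proxy serving a certificate for the wrong name. The DoH endpoint, the trusted resolver prefixes and the sample answer sets are assumptions; every IP address in the sample data is a constructed documentation-range value.

```python
"""Added example (not from the article): detect selective DNS hijacking of
login domains from a client behind a possibly compromised router."""
import ipaddress
import json
import socket
import ssl
import urllib.request
from typing import Dict, Iterable, Set

# Login domains the article names as hijack targets, and control domains the
# hijacked resolver is expected to answer honestly.
SENSITIVE_DOMAINS = ["login.microsoftonline.com", "login.live.com"]
CONTROL_DOMAINS = ["google.com", "microsoft.com"]


def resolve_system(domain: str) -> Set[str]:
    """IPv4 answers from whatever resolver DHCP handed this host."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(domain, 443, socket.AF_INET)}
    except socket.gaierror:
        return set()


def resolve_doh(domain: str) -> Set[str]:
    """IPv4 answers from Google's public DoH JSON API as a reference
    (assumption: the hijacked resolver does not also redirect dns.google)."""
    url = f"https://dns.google/resolve?name={domain}&type=A"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def compare_resolutions(configured: Dict[str, Set[str]],
                        reference: Dict[str, Set[str]]) -> Dict[str, str]:
    """Per-domain verdict: 'ok' when the two answer sets overlap, 'mismatch'
    when they are disjoint, 'unresolved' when either side is empty. Overlap
    rather than equality, because CDN answers rotate between queries."""
    verdicts = {}
    for domain in set(configured) | set(reference):
        mine, ref = configured.get(domain, set()), reference.get(domain, set())
        if not mine or not ref:
            verdicts[domain] = "unresolved"
        elif mine & ref:
            verdicts[domain] = "ok"
        else:
            verdicts[domain] = "mismatch"
    return verdicts


def is_selective_hijack(verdicts: Dict[str, str], sensitive: Iterable[str],
                        control: Iterable[str]) -> bool:
    """The article's pattern: every control domain agrees, at least one
    login domain does not."""
    return (any(verdicts.get(d) == "mismatch" for d in sensitive)
            and all(verdicts.get(d) == "ok" for d in control))


def resolver_outside_expected(resolver_ip: str, expected: Iterable[str]) -> bool:
    """True when the DHCP-assigned resolver lies outside the ISP's or trusted
    public resolver prefixes; a raw VPS address is the article's indicator."""
    ip = ipaddress.ip_address(resolver_ip)
    return not any(ip in ipaddress.ip_network(p) for p in expected)


def cert_matches_host(ip: str, hostname: str) -> bool:
    """Settle a suspect answer: a hostname-verified TLS handshake to that IP
    fails against an AiTM proxy whose certificate is for the wrong name."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((ip, 443), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except OSError:  # ssl.SSLCertVerificationError is an OSError subclass
        return False


if __name__ == "__main__":
    domains = SENSITIVE_DOMAINS + CONTROL_DOMAINS
    configured = {d: resolve_system(d) for d in domains}
    reference = {d: resolve_doh(d) for d in domains}
    verdicts = compare_resolutions(configured, reference)
    for domain, verdict in sorted(verdicts.items()):
        print(f"{domain:28} {verdict}")
    if is_selective_hijack(verdicts, SENSITIVE_DOMAINS, CONTROL_DOMAINS):
        print("selective hijack pattern: confirming with certificate checks")
        for d in SENSITIVE_DOMAINS:
            for ip in configured[d]:
                ok = cert_matches_host(ip, d)
                print(f"  {d} @ {ip}: {'certificate ok' if ok else 'CERTIFICATE MISMATCH'}")
```

Anycast services answer differently depending on vantage point, so a mismatch is a lead rather than a verdict; the certificate check is what settles it. The other indicator the article describes, a DHCP-assigned resolver that is a raw VPS address rather than one of your ISP's or a trusted public resolver, is what resolver_outside_expected tests once you read the resolver address out of the router's DHCP settings.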
Transparent proxy: At those IPs, APT28 deployed reverse proxy infrastructure similar to Evilginx or Modlishka. When a victim navigated to Microsoft Outlook on the web, the proxy presented a valid TLS certificate — though users who inspected closely would see a certificate warning for the wrong domain.

Token capture: The proxy relayed all traffic to the real Microsoft servers. When the victim completed authentication — including multi-factor authentication — Microsoft issued OAuth access and refresh tokens. The proxy copied both tokens before forwarding the legitimate response to the victim. The login appeared to work perfectly. No errors, no warnings.

This is the critical detail: adversary-in-the-middle (AiTM) phishing defeats MFA. Because the proxy completes the full authentication handshake with the real service on the user's behalf, even hardware TOTP tokens, push notifications, and SMS codes are bypassed. The captured OAuth token is valid from any IP address on any device until it expires (Microsoft 365 default token lifetimes range from 60-90 minutes for access tokens, but refresh tokens can remain valid for up to 90 days).

Geographic Targeting

The campaign spread across 120+ countries, but victim concentration clustered around Russian strategic interests:

- Ukraine: 28% — the highest concentration, consistent with Russia's ongoing war and intelligence priorities
- United States: 18%
- United Kingdom: 9%
- Germany: 7%
- Poland: 6%
- Baltic states (Estonia, Latvia, Lithuania): concentrated clusters
- NATO member states and EU government institutions across Europe

Microsoft Threat Intelligence identified over 200 organizations and 5,000 consumer devices as confirmed victims. Targets included ministries of foreign affairs, law enforcement agencies, national identity platforms, defense contractors, and third-party IT providers servicing government clients.
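The token-capture step above leaves a footprint that the identity provider can see even when the router cannot: an MFA-satisfied session is established from the victim's home address, and the copied refresh token is then redeemed from an address the user never sat at. The script below is an added example, not code from this article or from Microsoft. It runs that test over a few constructed sign-in records whose field names are loosely modelled on Entra ID sign-in logs (the exact schema, including the sessionId field, is an assumption), using the article's 90-day refresh-token lifetime as the default look-back, and aggregates hits per user, session and replaying IP. All addresses and account names are constructed.

```python
"""Added example (not from the article or Microsoft): flag replay of a
captured session from sign-in records, the footprint of AiTM token capture."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records, loosely modelled on Entra ID sign-in log fields (the
# field names are an assumption, not the exact schema). Alice's first line is
# her real MFA-satisfied login relayed by the proxy; the 203.0.113.77 lines
# are the captured refresh token being redeemed from elsewhere. Bob is clean.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-03-02T08:00:00Z","userPrincipalName":"alice@example.gov","ipAddress":"198.51.100.23","sessionId":"s-1","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-03-02T08:05:00Z","userPrincipalName":"alice@example.gov","ipAddress":"198.51.100.23","sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-03-02T09:10:00Z","userPrincipalName":"alice@example.gov","ipAddress":"203.0.113.77","sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-03-04T11:00:00Z","userPrincipalName":"alice@example.gov","ipAddress":"203.0.113.77","sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-03-02T08:30:00Z","userPrincipalName":"bob@example.gov","ipAddress":"198.51.100.40","sessionId":"s-2","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-03-02T10:00:00Z","userPrincipalName":"bob@example.gov","ipAddress":"198.51.100.40","sessionId":"s-2","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
"""


def parse_signins(text: str) -> List[Dict]:
    """One JSON object per line; timestamps become aware datetimes and the
    records come back in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["time"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        records.append(r)
    return sorted(records, key=lambda r: r["time"])


def find_session_replays(records: List[Dict], window_days: float = 90) -> List[Dict]:
    """Remember the IP at which each session was established interactively
    (where the user actually passed MFA). Any later non-interactive use of the
    same session from a different IP, inside the window a refresh token can
    live (the article: up to 90 days), means the token has left the device it
    was issued to. Findings are aggregated per (user, session, replaying IP)."""
    window = timedelta(days=window_days)
    origin: Dict[tuple, tuple] = {}
    findings: Dict[tuple, Dict] = {}
    for r in records:
        key = (r["userPrincipalName"], r["sessionId"])
        if r["isInteractive"]:
            origin[key] = (r["ipAddress"], r["time"], r["authenticationRequirement"])
            continue
        if key not in origin:
            continue  # session established outside the data we have
        origin_ip, origin_time, origin_auth = origin[key]
        if r["ipAddress"] == origin_ip or r["time"] - origin_time > window:
            continue
        fkey = key + (r["ipAddress"],)
        f = findings.setdefault(fkey, {
            "user": r["userPrincipalName"], "session": r["sessionId"],
            "origin_ip": origin_ip, "replay_ip": r["ipAddress"],
            "origin_mfa": origin_auth == "multiFactorAuthentication",
            "minutes_after_auth": int((r["time"] - origin_time).total_seconds() // 60),
            "first_seen": r["time"], "count": 0})
        f["count"] += 1
        f["last_seen"] = r["time"]
    return list(findings.values())


if __name__ == "__main__":
    for f in find_session_replays(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['user']} session {f['session']}: MFA at {f['origin_ip']}, "
              f"then {f['count']} refresh(es) from {f['replay_ip']} starting "
              f"{f['minutes_after_auth']} min after authentication")
```

A hit on a session whose origin did satisfy MFA is exactly the AiTM signature the section above describes, and it is the cue for the "Rotate OAuth tokens" step in the cleanup guide below: revoking the user's sessions invalidates the refresh token the attacker is holding. Real deployments would compare autonomous systems or countries rather than bare IPs so that a laptop moving between home Wi-Fi and a phone hotspot is not flagged.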
The NCSC assessed the operation as opportunistic: APT28 compromised a wide pool, then filtered down to victims of intelligence value.

The ISP Failure

Lumen's Black Lotus Labs detected anomalous DNS traffic patterns from compromised routers months before the takedown. ISP-level telemetry showed thousands of residential routers sending DNS queries to suspicious VPS addresses in Eastern Europe. The pattern was visible on the network layer. It was not subtle.

According to multiple sources, including Krebs on Security, ISPs identified the anomalous traffic but did not notify affected customers.

This is a systemic and recurring failure. The same pattern emerged during the VPNFilter botnet in 2018, the Mirai IoT botnet in 2016, and Cyclops Blink in 2022. ISPs have the technical capability to detect compromised customer equipment — they can see abnormal DNS resolution, unexpected outbound connections, and known-bad IPs in their routing tables. They choose not to act.

The result: Russian military intelligence operated an 18,000-router surveillance network for over eight months. The window between initial detection and takedown was measured in months, not days. Every day of silence meant more OAuth tokens stolen from government employees, military personnel, and critical infrastructure workers who connected through their home routers.

Comparable Operations

Router compromise is not new for Russian military intelligence. This campaign follows an established playbook:

VPNFilter (2018, APT28): Compromised over 500,000 routers from Linksys, MikroTik, Netgear, TP-Link, and QNAP across 54 countries. Modular malware capable of traffic interception, credential theft, Tor routing, and self-destruct. Disrupted by FBI domain seizure, but the underlying vulnerable devices were never remediated.

Cyclops Blink (2022, Sandworm/GRU): Succeeded VPNFilter as a modular firmware-embedded framework. Targeted WatchGuard and ASUS devices. Capable of surviving factory resets and firmware updates. CISA and NCSC jointly attributed it to Sandworm (GRU Main Center for Special Technologies).

FrostArmada (2025-2026, APT28): The current campaign. Distinct from prior operations in that it dispensed with malware entirely — no persistent implant, no second-stage modules, no self-destruct. Just a DNS configuration change and passive proxy infrastructure. Lower operational cost, lower detection risk, higher scalability.

APT28 has been compromising routers for at least eight years. Each iteration reduces the technical footprint while increasing scale.

The Takedown

On April 7, 2026, the FBI, US Department of Justice, and international partners from 15 countries executed Operation Masquerade — a court-authorized disruption of APT28's DNS hijacking infrastructure. The FBI remotely issued commands to US-based compromised routers to reset DNS settings to obtain resolvers from the ISP, severing connections to APT28's harvesting nodes. The operation was tested extensively on TP-Link firmware and hardware to confirm it did not impact normal router functionality or collect user content.

What the takedown did:

- Removed attacker-controlled DNS resolvers from compromised routers in the US.
- Seized or sinkholed VPS infrastructure used for malicious DNS resolution and AiTM proxying.
- Cut off active credential harvesting.

What the takedown did not do:

- Remove the underlying vulnerabilities from 18,000 routers.
- Apply firmware patches.
- Change default credentials.
- Disable remote management interfaces.
- Prevent APT28 from rebuilding the same infrastructure on different VPS providers within days.

The FBI coordinated with ISPs to notify affected customers. At the time of publication, many users still have not been contacted.

Detailed Cleanup Guide

If your router was compromised in this campaign, follow these steps:

Factory reset. Do not skip this. A factory reset clears all configuration changes, including malicious DNS settings.
Every major router brand has a physical reset button — hold it for 10-30 seconds (consult your manual). On TP-Link: press and hold the WPS/RESET button on the back with the device powered on. On MikroTik: hold the reset button while powering on, release when the LED flashes.

Update firmware. Download the latest firmware from the manufacturer's official website — never from third-party sources. Verify the downloaded file's SHA-256 hash against the checksum published on the manufacturer's site if available. Then upload it through the router admin panel.

Secure the admin interface. Change the default admin username and password immediately. Disable remote management (WAN-side administration). Disable the Winbox and web interfaces on MikroTik — use SSH with public-key authentication instead. Block ports 8291 (Winbox) and 80/443 (HTTP/S) from the internet.

Verify DNS settings. After reset, log into the router admin panel and check the DHCP DNS settings. They should point to your ISP's DNS servers or a trusted public resolver. Factory-reset routers do not retain malicious settings, but verify anyway.

Rotate OAuth tokens. This is the step most people miss. Even if you clean your router, the stolen tokens are still valid:

- Microsoft: Go to https://mysignins.microsoft.com/security-info. Review all sessions and sign out everywhere. Then go to Azure AD / Entra admin center > Users > select all users > Revoke sessions. This invalidates all existing refresh tokens.
- Google: Go to https://myaccount.google.com/security-checkup. Review devices with access and remove anything unrecognized. Revoke third-party app access.
- For enterprise environments: implement Conditional Access policies with short sign-in frequency (24 hours or less) and require phishing-resistant MFA (FIDO2/security keys).

Enable encrypted DNS. DNS over HTTPS (DoH) or DNS over TLS (DoT) prevents DNS hijacking even if an attacker modifies router settings. Configure on each device:

- Windows: Settings > Network & Internet > Ethernet/Wi-Fi > DNS server assignment > Edit > Manual > Set to 1.1.1.1 and 1.0.0.1 (Cloudflare) or 9.9.9.9 (Quad9)
- macOS: System Settings > Network > select connection > DNS > Add 1.1.1.1 and 1.0.0.1
- Android: Settings > Network & Internet > Private DNS > Private DNS provider hostname > or
- iOS: Settings > Wi-Fi > tap (i) next to network > Configure DNS > Manual > Add 1.1.1.1 and 1.0.0.1

Replace end-of-life routers. If your router is no longer receiving firmware updates, it will be compromised again. Check the manufacturer's EOL list. The WR841N used in this campaign reached EOL years ago. No amount of configuration hardening patches known vulnerabilities in discontinued firmware.

Broader Router Security

The FrostArmada campaign exposes a structural failure in consumer networking:

ISPs have remote management access to the CPE equipment on their networks. They can push firmware updates. They choose not to, citing liability concerns and cost. The same ISPs that detected anomalous DNS traffic and did not notify customers could have patched the vulnerabilities used in this campaign years ago.

Manufacturers stop supporting SOHO routers after 2-3 years. The average consumer router on a home network is 4+ years past its last security update. EOL announcements are buried in support documents rather than pushed to customers.

Regulation remains voluntary. There is no mandatory security standard for SOHO routers. No requirement for automatic firmware updates. No minimum support window. No liability for manufacturers who ship devices with default credentials and no brute-force protection.

The result is that nation-state adversaries can compromise 18,000 routers using CVEs from 2023, operate for eight months without detection, target NATO governments, and the only thing that stops them is a multi-country FBI operation.

Your router is the front door to your digital life. Right now, it is hanging half-open.

Use our DNS Inspector to verify your DNS is clean. Test for VPN leaks with our VPN Leak Test.