APT28 Exploits Vulnerable Routers for Global DNS Hijacking Campaign

APT28 Exploits Vulnerable Routers for Global DNS Hijacking Campaign

First seen 7 Apr 2026, 17:33 UTC Feeds.TrendmicroTrendmicroScworldEnglish.Nv.UaNcsc.Uk+74 84% similarity 77.9

Article Content

Browse articles
ThreatCluster

Russian cyber group APT28, also known as Fancy Bear, has been exploiting vulnerabilities in TP-Link and MikroTik routers to conduct large-scale DNS hijacking operations. This campaign, which has affected over 18,000 devices across 120 countries, allows attackers to intercept internet traffic and steal sensitive information, including passwords and access tokens. The group has been leveraging known vulnerabilities, such as CVE-2023-50224, to modify DNS settings and redirect users to malicious servers. The U.S. Department of Justice and FBI recently announced the takedown of a significant portion of this infrastructure in an operation dubbed 'Operation Masquerade.' The attacks have primarily targeted military, government, and critical infrastructure sectors. Authorities are urging users to update their devices and follow security best practices to mitigate risks. The NCSC and Microsoft have issued advisories detailing the ongoing threat and the need for immediate action.

Key Points: • APT28 has compromised over 18,000 routers globally, targeting sensitive sectors. • The group exploits vulnerabilities in TP-Link and MikroTik routers to hijack DNS traffic. • Operation Masquerade successfully disrupted a significant portion of APT28's infrastructure.

ThreatCluster AI

Timeline

2024-05-03
CVE-2023-50224 published
2025-09-03
CVE-2023-50224 added to CISA KEV for active exploitation
2026-04-07
U.S. DOJ and FBI announce Operation Masquerade
2026-04-07
NCSC issues advisory on APT28 router attacks
2026-04-07
Microsoft reports over 200 organizations affected

Community

Browse all →