The GRU-linked hacking group APT28, also tracked as Forest Blizzard and Fancy Bear, has compromised more than 5,000 small office and home office routers across at least 200 organizations to build a covert intelligence collection network targeting Western military, government, and critical infrastructure systems, according to a joint advisory published Tuesday by intelligence and law enforcement agencies from the United States, Canada, Ukraine, Germany, Italy, Poland, Slovenia, Romania, and others.
Today the FBI and @TheJusticeDept announced Operation Masquerade, a court-authorized technical disruption of Russian GRU infrastructure used to steal government, military, and critical infrastructure information.
Since at least 2024, a cyber unit within Russian military… pic.twitter.com/r8LWbZrfQs
— FBI Cyber Division (@FBICyberDiv) April 7, 2026
The campaign has been active since at least August 2025, Microsoft Threat Intelligence confirmed. APT28 targets poorly secured SOHO devices, the everyday routers used in homes and remote workplaces, to silently redirect network traffic through Russian military intelligence-controlled servers.
The group hijacks the router’s DNS resolver configuration and repurposes dnsmasq, a legitimate lightweight DNS forwarding utility built into many consumer routers, to intercept DNS queries on port 53.
For a select subset of high-priority targets, APT28 escalated beyond passive DNS collection to active adversary-in-the-middle, or AiTM, attacks against Transport Layer Security (TLS) connections.
The group returned spoofed IP addresses and presented fraudulent TLS certificates impersonating legitimate Microsoft services, intercepting credentials, authentication tokens, and email content otherwise protected by encryption.
Microsoft said this marks the first time it has observed Forest Blizzard deploying DNS hijacking at scale to enable AiTM attacks after compromising edge devices.
The Russian military intelligence actor Forest Blizzard has conducted large-scale exploitation of vulnerable small office/home office (SOHO) devices to hijack DNS requests and enable persistent, passive visibility and reconnaissance at scale. https://t.co/1mupe3dvOT
By…
— Microsoft Threat Intelligence (@MsftSecIntel) April 7, 2026
Ukraine’s Security Service, the SBU, said the group “acted as ‘intermediaries’ in the online space to collect passwords, authentication tokens and other sensitive information, including emails, which under normal circumstances are protected by SSL [Secure Sockets Layer] and TLS cryptographic protocols.”
Microsoft confirmed AiTM attacks targeted Microsoft Outlook on the web domains and government servers in at least three African nations.
The FBI said APT28 “indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government and critical infrastructure.”
Russian GRU cyber actors are exploiting vulnerable routers worldwide to intercept sensitive military, government, and critical infrastructure information.
The @FBI, @NSAgov and 21 international parties across 15 countries have released a #PSA detailing GRU techniques and… pic.twitter.com/kuvxWeLVaG
— FBI Cyber Division (@FBICyberDiv) April 7, 2026
Ukraine’s SBU added that the group “paid particular attention to information exchanged between employees and servicemen of state bodies, units of the Ukrainian Defense Forces and enterprises of the defense-industrial complex.”
An anonymous law enforcement official involved in the joint operation said the attackers “tried their best to cover all vulnerable routers, while redirecting requests only to domains they were interested in,” specifically naming Ukrainian government domains and Microsoft Outlook military systems.
Romanian President Nicușor Dan said the GRU operatives “were collecting military, governmental, and critical infrastructure-related information,” adding: “Russia therefore continues its hybrid war against Western countries. Only those acting in bad faith could fail to see this.”
The FBI, alongside partners including the Romanian Intelligence Service (SRI), have announced the disruption of a sustained cyberattack targeting sensitive infrastructure in several Western states.
Cyber operatives associated with the GRU (the Russian military intelligence…
— Nicușor Dan (@NicusorDanRO) April 8, 2026
TP-Link routers were among the devices exploited. The FBI urged all SOHO router owners to update firmware, change default usernames and passwords, disable remote management interfaces, and stay alert for TLS certificate warnings in browsers and email clients.
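As an added example (not code from the advisory, Microsoft, or the FBI), two defender-side checks for the pattern described above: a router resolver that collapses unrelated names onto one spoofed address, and a spoofed endpoint that cannot present a certificate passing normal verification. The sample resolver answers are constructed, and using a public DNS-over-HTTPS service as the independent reference resolver is an assumption.

```python
import json
import socket
import ssl
import urllib.request
from collections import defaultdict

# Constructed sample answers (not real indicators): three unrelated names all
# collapse to one address, the footprint a dnsmasq address=/name/ip rule leaves.
SAMPLE_ROUTER = {
    "outlook.office.com": {"203.0.113.10"},
    "login.microsoftonline.com": {"203.0.113.10"},
    "example.org": {"203.0.113.10"},
    "example.net": {"198.51.100.7"},
}


def fan_in(answers, min_names=2):
    """Addresses shared by at least `min_names` names, with those names.
    Unrelated names rarely share an address; a large fan-in points at a
    blanket answer override rather than a CDN."""
    by_ip = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}


def divergent(router, reference):
    """Names whose router answers share nothing with an independent resolver.
    CDN-backed names legitimately differ by region, so confirm with fan_in()
    or tls_verifies() before acting on this alone."""
    return sorted(n for n, ref in reference.items()
                  if router.get(n) and ref and router[n].isdisjoint(ref))


def reference_lookup(name, doh="https://cloudflare-dns.com/dns-query"):
    """A records for `name` from the assumed DoH reference resolver."""
    req = urllib.request.Request(f"{doh}?name={name}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return {a["data"] for a in json.load(r).get("Answer", [])
                if a.get("type") == 1}


def tls_verifies(host, port=443):
    """True if a default-verified handshake (chain + hostname) succeeds; a
    spoofed answer fronted by a fraudulent certificate fails here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as s:
            with ctx.wrap_socket(s, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False
```

Feed `fan_in()` the answers the router gives for a watchlist of names you care about, then use `divergent()` against `reference_lookup()` and `tls_verifies()` to confirm any address that several names share.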