Originally published at https://monstadomains.com/blog/dns-hijacking-attack-2/
Russia’s GRU just gave the global cybersecurity community a live demonstration of a DNS hijacking attack conducted at intelligence-agency scale – and the joint takedown disclosed in April 2026 is still reshaping how security teams think about router vulnerabilities. The operation, attributed to APT28 (also known as Forest Blizzard and Fancy Bear, GRU Military Unit 26165), was publicly disclosed on April 7-8, 2026 in coordinated advisories from the FBI, the UK’s National Cyber Security Centre, Microsoft Threat Intelligence, and Lumen Technologies.
This DNS hijacking attack had been silently redirecting internet traffic through attacker-controlled servers, harvesting passwords, OAuth tokens, and login credentials from victims across multiple countries. If you own a domain, manage a website, or depend on any online account for anything sensitive, this is not abstract – it is a direct threat to your infrastructure. This breakdown covers how the operation unfolded, what it exposed about router-level vulnerabilities, and why the near-simultaneous wave of ICANN registrar terminations compounds the risk for domain owners right now.
The April 2026 GRU Operation and Its Joint Disclosure
The scale of the coordinated disclosure on April 7-8 was significant on its own. The U.S. Department of Justice, the FBI, the UK’s National Cyber Security Centre, Microsoft Threat Intelligence, and Lumen Technologies all published advisories describing the same APT28 campaign on the same day. Five major institutions moving in concert on a single threat assessment is unusual – it signals that this DNS hijacking attack was judged to be both active and serious enough to warrant immediate, simultaneous public notice. The joint action was designed to disrupt the operation while giving network defenders clear technical indicators to act on.
APT28 is the GRU unit previously linked to the 2016 U.S. election interference, the NotPetya wiper attack, and numerous European government breaches. The NCSC advisory confirmed that this time the group was not targeting hardened government infrastructure – it was going after ordinary home and small-business routers running outdated firmware. That deliberate expansion of the threat surface toward civilian targets is what makes this campaign particularly significant.
How APT28 Ran a DNS Hijacking Attack Through Millions of Routers
The mechanics of this DNS hijacking attack were straightforward in concept and devastating in scale. APT28 gained access to target routers through brute-forced default credentials or known unpatched vulnerabilities, then altered the router’s DHCP settings to distribute a malicious DNS server address to every device on the local network. From that point forward, every DNS query from every device on that network – phones, laptops, desktops, IoT devices – was answered by an APT28-controlled resolver rather than a legitimate one. The compromise lived entirely in the router’s configuration, requiring no malware on any end-user device.
This approach makes the DNS hijacking attack exceptionally difficult to detect. Users see no malware alert, no unusual system behavior, and no prompt to update anything. Their devices function normally – but every domain lookup is routed through infrastructure that can selectively return false responses. For high-value targets, APT28 served legitimate results for most requests while silently intercepting traffic destined for email services, banking portals, VPN authentication endpoints, and cloud storage.
The FBI’s IC3 public service announcement confirmed that this DNS hijacking attack was used to execute adversary-in-the-middle (AitM) interception, with the advisory specifically identifying DHCP manipulation as the mechanism for silently reassigning DNS resolvers across entire local networks – a method that leaves no trace on the devices being compromised. OAuth session token theft is particularly dangerous here because it bypasses multi-factor authentication entirely: an attacker with your active session token can authenticate to major platforms as you, without your password and without triggering any login alert.
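A device-side check for the DHCP manipulation described above, written as an added example for this post (not tooling from the FBI or NCSC advisories): it extracts the resolvers a DHCP lease or resolv.conf actually handed out and flags any that are not on an operator-maintained allowlist. The allowlist, sample lease and all addresses are constructed placeholders.

```python
"""Flag DNS resolvers handed out by DHCP that are not on the expected allowlist.

Added example for this post; not tooling from the FBI/NCSC advisories. The
allowlist and the sample lease/resolv.conf contents below are constructed.
"""
import ipaddress
import re

# Operator-maintained allowlist (assumed): e.g. your encrypted-DNS upstream, or the router's LAN address if it forwards DNS.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def parse_dhclient_lease(text):
    """Return addresses from 'option domain-name-servers a, b;' lines of a dhclient lease."""
    found = []
    for m in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        found.extend(a.strip() for a in m.group(1).split(","))
    return found


def audit_resolvers(addresses, trusted=TRUSTED_RESOLVERS):
    """Return (address, reason) for each resolver that should not be in use; duplicates reported once."""
    findings = []
    for addr in dict.fromkeys(addresses):  # preserves input order while de-duplicating
        if addr in trusted:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "not a valid IP address"))
            continue
        findings.append((addr, "not in allowlist"))
    return findings


# Constructed sample: DHCP advertised one trusted resolver plus an unknown one.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.0.2.53, 198.51.100.7;
}
"""
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.53\nnameserver 198.51.100.7\n"

if __name__ == "__main__":
    for addr, reason in audit_resolvers(parse_dhclient_lease(SAMPLE_LEASE) + parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(f"UNEXPECTED resolver {addr}: {reason}")
```

On a real host, point the parsers at /var/lib/dhcp/dhclient.leases and /etc/resolv.conf and run it from a scheduled job; a device using encrypted DNS configured locally should still be checked, since the DHCP-advertised resolver shows what the router is pushing to everything else on the LAN.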
What the DNS Hijacking Attack Targeted and Collected
The credentials and tokens captured through this DNS hijacking attack were not gathered randomly. APT28 is an intelligence-collection unit, not a criminal ransomware group, and its targeting reflects that. The NCSC advisory identified credential theft focused on web services, email platforms, and OAuth-enabled applications – the category that includes corporate email, cloud document storage, and any service using federated authentication. For journalists, lawyers, activists, or anyone handling sensitive professional communications, this was a specifically intelligence-motivated operation designed to enable persistent, undetected access to exactly those accounts.
The session-token component of the DNS hijacking attack is what distinguishes it from an ordinary phishing campaign. OAuth tokens issued by major platforms remain valid for hours or days after issuance. An attacker who captures a token in transit can authenticate as the victim for an extended window – reading email, accessing cloud files, monitoring communications – without the account owner ever seeing a re-authentication prompt or a login notification. Standard hardware 2FA does not reliably protect against this attack class when DNS resolution itself is compromised upstream.
ICANN Registrar Terminations Add a Second Layer of Risk
Brennercom: A Registrar Terminated in January 2026
While the GRU operation dominated security headlines, a separate registrar-infrastructure story was unfolding at ICANN. On January 13, 2026, ICANN formally terminated U.S.-based registrar Brennercom for failing to implement RDAP – the Registration Data Access Protocol that replaced legacy WHOIS as the mandatory technical standard for domain data queries. This was not a warning or a suspension. Brennercom lost its accreditation, and its customers needed to execute emergency domain transfers to maintain service continuity. For website owners who trusted a low-profile registrar without monitoring its compliance status, the disruption arrived without advance warning.
May 29, 2026: Four More Registrars Receive Termination Notices
Then, on May 29, 2026, ICANN sent formal termination notices to four additional registrars: Domus Enterprises LLC, Globis LLC, Overcasts Limited, and Wanyuhulian Technology Limited. These notices begin an enforcement cycle that could result in full termination within weeks. If you hold domains through any of these registrars, or any registrar you cannot confirm is ICANN-compliant, the time to investigate and initiate a transfer proactively is now – not after a forced termination announcement.
These registrar actions are not directly connected to the APT28 DNS hijacking attack, but they share the same underlying dynamic: domain owners are routinely the last to receive actionable warning when the infrastructure they depend on is under threat. Whether the cause is a GRU cyber operation or an ICANN compliance failure, both paths can lead to loss of domain control, service disruption, and exposure of contact information to parties who should not have it.
What This Reveals About Domain Owner Exposure
The GRU operation targeted routers rather than registrars, but the downstream risk for domain owners is direct. A successful DNS hijacking attack against the router serving a domain owner’s home office or small-business network can silently capture registrar login credentials, hosting account passwords, and domain control panel access tokens. Once those credentials are captured through forged DNS responses, initiating an unauthorized domain transfer or redirecting a legitimate site to phishing infrastructure becomes straightforward. The router-level attack and the registrar-level consequence are connected by a single credential interception event.
This attack chain mirrors patterns already documented in domain hijacking attacks targeting crypto users, where compromised registrar credentials were used to redirect legitimate domains to fraudulent wallet interfaces. The GRU DNS hijacking attack adds an upstream capture layer to that established threat chain – one that operates before any registrar-level security control can intervene.
The same period also produced serious authentication vulnerabilities at web hosting providers, reinforcing the consistent pattern: each layer of your web presence – registrar, DNS, and hosting – requires independent, ongoing security scrutiny, not a one-time setup.
The DNS Hijacking Attack Threat Reaches Far Beyond Nation States
APT28 generated the headlines, but the DNS hijacking attack technique they deployed is not proprietary to intelligence agencies. Criminal groups have used router-level DNS poisoning for years against banking customers and crypto users in high-value markets. The GRU campaign demonstrates that this attack model scales effectively against broad, non-specific targets. When a technique succeeds at national-intelligence scale, criminal operators take note – and consumer routers represent a large, soft, persistently unpatched target pool that shows no sign of shrinking.
Manufacturers ship routers, collect revenue, and provide firmware updates for limited windows. ISP-provided routers frequently run firmware that is years behind current patches, and most users have no mechanism to know this or any incentive to check. A DNS hijacking attack against a home router requires nothing more exotic than a known authentication bypass on a device that the owner trusts by default and rarely inspects. The scale and success of the GRU’s operation confirmed just how accessible that attack surface remains in 2026.
Periodically checking your domain’s DNS resolution with a DNS lookup tool is a basic hygiene step that costs nothing. Unexpected changes to your domain’s A, NS, or MX records can be an early indicator of a DNS hijacking attack in progress or a compromised registrar account – and catching those changes early is the difference between a contained incident and a full domain compromise.
What Domain Owners Should Do After This News
The NCSC and FBI advisories are clear about the steps that reduce router-based DNS hijacking attack exposure: update router firmware to the latest available version, replace all default admin credentials with strong unique passwords, disable remote management interfaces you are not actively using, and configure encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) on individual devices where possible. Encrypted DNS resolvers configured directly on end-user devices can bypass a router-level DNS hijacking attack in many configurations, because the device queries its trusted resolver over an encrypted channel independent of whatever DNS the router’s DHCP is distributing.
For your domain accounts specifically: enable registrar lock to block unauthorized transfer initiation, use app-based or hardware 2FA rather than SMS, and audit your NS and A records at regular intervals. Any unexplained record change should be treated as a potential DNS hijacking attack indicator until you can investigate it. MonstaDomains enables WHOIS privacy protection by default, keeping your personal contact details out of public WHOIS records and reducing the social-engineering surface available to attackers targeting your registrar account.
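The record audit recommended here, as an added example that is not a MonstaDomains tool: it snapshots a domain's A, NS and MX records, stores a baseline on first run, and reports additions and removals on later runs. Live lookups assume dnspython is installed; the baseline and "changed" snapshots below are constructed, using documentation IP ranges and .example names.

```python
"""Baseline-and-diff audit of a domain's A, NS and MX records.

Added example for this post, not a MonstaDomains tool. Live lookups need
dnspython (assumed installed); the sample snapshots below are constructed.
"""
import json
from pathlib import Path

RECORD_TYPES = ("A", "NS", "MX")


def fetch_snapshot(domain):
    """Resolve each record type for `domain` into a sorted list of text values."""
    import dns.resolver  # dnspython; imported lazily so the diff logic runs without it
    snapshot = {}
    for rtype in RECORD_TYPES:
        try:
            snapshot[rtype] = sorted(r.to_text().lower() for r in dns.resolver.resolve(domain, rtype))
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            snapshot[rtype] = []
    return snapshot


def diff_snapshots(baseline, current):
    """Return (record_type, added, removed) for each type whose value set changed."""
    changes = []
    for rtype in RECORD_TYPES:
        before, after = set(baseline.get(rtype, [])), set(current.get(rtype, []))
        if before != after:
            changes.append((rtype, sorted(after - before), sorted(before - after)))
    return changes


def check_domain(domain, baseline_path, snapshot=None):
    """First run stores the baseline and returns []; later runs return the diff against it."""
    path = Path(baseline_path)
    current = snapshot if snapshot is not None else fetch_snapshot(domain)  # caller may pass resolved records
    if not path.exists():
        path.write_text(json.dumps(current, indent=2))
        return []
    return diff_snapshots(json.loads(path.read_text()), current)


# Constructed snapshots: the NS set moved to an unknown provider and an extra MX host appeared.
BASELINE = {"A": ["203.0.113.10"], "MX": ["10 mail.example.com."],
            "NS": ["ns1.example-dns.net.", "ns2.example-dns.net."]}
SUSPICIOUS = {"A": ["203.0.113.10"], "MX": ["10 mail.example.com.", "20 relay.unknown-host.example."],
              "NS": ["ns1.unknown-host.example.", "ns2.unknown-host.example."]}

if __name__ == "__main__":
    for rtype, added, removed in diff_snapshots(BASELINE, SUSPICIOUS):
        print(f"{rtype} changed: added={added} removed={removed}")
```

Run check_domain from a scheduled job and alert on any non-empty result; an NS change you did not make is the strongest signal here, since it indicates control of the zone itself rather than a single host record.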
The Takeaway
The April 2026 APT28 DNS hijacking attack was exceptional in its scale and in the breadth of the joint institutional response it triggered – but the technique it used is neither novel nor restricted to state actors. Router-level DNS hijacking attack infrastructure is accessible to criminal groups, and the credentials it harvests translate directly into domain hijacking risk, hosting account compromise, and long-duration surveillance of sensitive communications. The GRU made the technique newsworthy; the underlying vulnerability has been sitting in unpatched consumer routers for years.
The May 2026 ICANN registrar termination notices add a second, independent risk layer. Domain owners who assume their registrar is stable and their DNS records are untouched are working from assumptions that 2026 has already disproven multiple times. Audit your router firmware, verify your registrar’s ICANN compliance status, and check your DNS records on a regular schedule – these are not advanced practices, they are baseline operational hygiene for anyone running a domain in the current threat environment.
If you want domain registration that does not expose your contact details from day one, register your domain with privacy built in from the start.