MonstaDomains

Real DNS Hijacking Attack by Russian GRU You Must Avoid

Originally published at https://monstadomains.com/blog/dns-hijacking-attack/

On April 7, 2026, the U.S. Department of Justice confirmed it had disrupted a large-scale DNS hijacking attack network operated by Russia’s GRU military intelligence unit, better known to the security community as APT28. The campaign had been running across thousands of compromised home and office routers since at least August 2025 – intercepting DNS traffic, stealing credentials, and redirecting victims to attacker-controlled servers without triggering a single user-facing alert. This was not a warning about a theoretical threat. This was a real, active DNS hijacking attack targeting military personnel, government employees, and critical infrastructure workers around the globe.

DOJ Disrupts a DNS Hijacking Attack Network Linked to Russian Military

The Justice Department’s April 7 announcement detailed how GRU Military Unit 26165 had been running a sophisticated DNS hijacking attack campaign from inside compromised SOHO routers – the small office and home office devices that power millions of residential and small business networks. A federal court authorized the FBI to access and neutralize the malicious DNS configurations planted on hundreds of U.S.-based routers as part of a coordinated action involving allied law enforcement agencies and private sector partners.

What made this DNS hijacking attack particularly effective was its design for invisibility. Victims had no indication their routers had been compromised. DNS queries appeared to resolve correctly. Websites loaded as expected. But behind the scenes, APT28 had rewritten each router’s DNS settings to route all traffic through attacker-controlled servers before passing it on to the legitimate destination. Everything looked normal from the victim’s side because it was supposed to.

APT28 is the GRU unit responsible for the 2016 Democratic National Committee breach and sustained intrusion campaigns against European government targets. This DNS hijacking attack campaign is consistent with the group’s established pattern of sustained, low-visibility intelligence collection – building access quietly over months rather than staging operations that draw immediate attention.

How the DNS Hijacking Attack on SOHO Routers Worked

APT28 targeted widely used consumer and small business routers by exploiting known but unpatched firmware vulnerabilities. Once inside a device, they replaced the router’s legitimate DNS server addresses with their own GRU-controlled alternatives. Every DNS query made from that network – every request to resolve a domain name into an IP address – now passed through Russian military infrastructure before resolution. The attackers had full visibility into which sites the victim was accessing, and the ability to silently redirect specific queries to attacker-controlled destinations.

SOHO Routers as the Attack Entry Point

The choice of SOHO devices as the entry point for this DNS hijacking attack was calculated. These routers are notoriously under-maintained, rarely receive firmware updates, and sit in environments with no dedicated security monitoring. An employee working from home, a journalist filing a story over residential broadband, a researcher connecting through a small business network – all of them could be routing every DNS query through a GRU wiretap without knowing it. According to the DOJ, the campaign compromised thousands of routers across the United States and allied nations before the disruption was authorized.

Adversary-in-the-Middle: Stealing Credentials Mid-Transit

Once DNS traffic was flowing through attacker-controlled infrastructure, the next stage of the DNS hijacking attack was impersonation. APT28 built fraudulent versions of commonly used services – including email portals and authentication pages used by military and government personnel. When a victim attempted to log into one of these mimicked platforms, their credentials and session tokens were captured before being silently passed along to the real service. The victim logged in successfully. The GRU left with their password and an active session token.

What GRU Hackers Were Actually After

According to the FBI and DOJ, the primary targets of this DNS hijacking attack included U.S. military personnel, federal government employees, and workers at organizations in critical infrastructure sectors including energy, transportation, and communications. The attackers were collecting usernames, passwords, authentication tokens, and in some cases unencrypted email content intercepted in transit between the victim’s device and the real destination server.

The operation was built for sustained, quiet access – not for spectacle. By intercepting credentials through a DNS hijacking attack rather than breaking into systems directly, APT28 avoided many of the detection mechanisms that enterprise security teams rely on. A DNS-layer interception does not install malware on the victim’s machine. It does not trigger antivirus alerts. It does not generate unusual log entries on the target system. It simply redirects your traffic before you can see where it is going.


Microsoft and FBI Corroborate the GRU Campaign

Microsoft’s threat intelligence team published corroborating findings on the same day as the DOJ announcement. According to the Microsoft Security Blog, the Forest Blizzard campaign – its internal name for APT28 – had been active since at least August 2025, making this one of the most sustained DNS-layer intrusion operations the company had tracked from a state-sponsored actor. Microsoft noted that the group had specifically moved attack infrastructure into trusted residential and small business IP ranges to avoid detection based on suspicious origin addresses.

The FBI’s Internet Crime Complaint Center issued a parallel advisory urging router owners to inspect their DNS configuration settings directly. The advisory noted that a DNS hijacking attack of this type is difficult to detect without physically logging into the router’s admin panel – something most home and small business users have never done. The FBI also warned that devices in countries outside the United States not covered by the court order may still be running with compromised DNS settings.

Why This DNS Hijacking Attack Matters for Domain Owners

If you manage a domain, run a website, or administer any online infrastructure from a home or small office network, this story is directly relevant to you. A DNS hijacking attack at the router level can intercept traffic related to your domain registrar login, your DNS management interface, your hosting control panel, and your email account. When a compromised DNS environment redirects your registrar login page to a fake version and captures your credentials, the attacker does not need to breach your registrar’s systems – they just need to wait for you to log in from an affected network.

It also raises a harder question about the relationship between network security and domain privacy. If the DNS infrastructure between you and your registrar can be subverted by a state-sponsored DNS hijacking attack, then the question of how much of your real identity your registrar holds in its database becomes urgent. A credential theft through this type of attack is not just a login problem when your registrar stores your real name, address, and payment details – it becomes an identity exposure event. You can run a DNS lookup check on your domains at any time to confirm your records resolve to the correct servers – a basic verification that nothing has been silently redirected.

The Electronic Frontier Foundation has long argued that DNS-level manipulation is one of the most underappreciated threats to internet privacy, noting that most users have no mechanism to detect when their DNS queries are being intercepted or altered. This GRU campaign confirms that concern with unusually specific, documented evidence.

The Scale and Persistence of This DNS Hijacking Attack

One detail from the DOJ announcement deserves attention: the campaign had been running since at least August 2025, giving APT28 more than seven months of undetected access to thousands of devices before the court-authorized disruption. That longevity is not an accident. A DNS hijacking attack designed to blend into ordinary traffic has no reason to announce itself. The attackers could keep collecting credentials for as long as the compromised routers stayed online and unpatched – and there is no indication that any of the victims knew their devices were compromised before the FBI acted.

The disruption neutralized the malicious DNS configuration on identified U.S.-based routers, but the DOJ acknowledged that the broader infrastructure used in this DNS hijacking attack has not been fully dismantled. Devices in other jurisdictions, and potentially some U.S. devices not covered by the court order, may still be affected.

What Domain Owners Should Do Right Now

The FBI’s advisory following the disruption included a clear request: check your router’s DNS settings. Log into your router’s admin panel – typically accessible at 192.168.1.1 or 192.168.0.1 – and verify that the DNS server addresses listed match your ISP’s assigned servers or the DNS providers you intentionally configured. Unfamiliar IP addresses in those fields are a serious red flag. If you find them, treat the device as compromised: reset it to factory settings, update its firmware, and change the admin password if you have never done so.

On the domain management side, enable two-factor authentication on your registrar account now. Add WHOIS privacy protection if your registrar account currently exposes your real identity – because if a DNS hijacking attack captures your registrar credentials, what an attacker finds on the other side of that login matters enormously. For a deeper look at how these device-level exploits unfold technically, the router DNS hijacking breakdown we published earlier covers the specific vulnerability patterns involved and what mitigation looks like at the network layer.

The Takeaway

The DOJ’s disruption of APT28’s DNS hijacking attack network is one of the clearest public confirmations yet that state-sponsored actors are actively targeting everyday network infrastructure – not just government systems. The campaign ran undetected for over seven months, compromised thousands of devices, and intercepted credentials from high-value targets without generating a single user-facing alert. The scale of it suggests that the individuals most at risk are those who have never checked whether their router’s DNS settings have been quietly altered.

The structural lesson here is simple: your domain security extends to the network you manage it from. A DNS hijacking attack does not need to breach your registrar if it can intercept your login first. Keeping your router firmware updated, reviewing your DNS records regularly, and choosing a registrar that does not hold unnecessary identity data are all part of the same operational discipline. If reducing your exposure is the goal, registering your domain with MonstaDomains means your account holds zero KYC data – less to lose if a credential theft ever does reach the other side.
