APT28 Operation Masquerade: GRU Hijacked 18,000 Routers to Steal Microsoft 365 OAuth Tokens

Russia's GRU Unit 26165 operated an 18,000-router DNS hijacking network targeting Microsoft 365 OAuth tokens across 120 countries. The US DOJ's Operation Masquerade dismantled US-based infrastructure on April 7 2026, but the global campaign continues. Organisations should audit DNS resolver settings, revoke OAuth sessions, and enforce Conditional Access for remote users.


Russia’s GRU military intelligence — Unit 26165, tracked as APT28, Forest Blizzard, and Fancy Bear — operated a sustained DNS hijacking campaign that peaked at over 18,000 compromised SOHO routers across 120 countries in late 2025. On April 7 2026, the US Department of Justice announced Operation Masquerade: a court-authorised action that removed GRU DNS implants from US-based routers and restored legitimate resolver configurations across 23 states. The global campaign, however, remains active.

What Happened

APT28 exploited known vulnerabilities in SOHO routers from multiple vendors — the same router-compromise playbook refined across several prior operations — to implant malicious DNS configurations. Once installed, those configurations redirected victim DNS queries to GRU-controlled resolvers.

The attack’s specific objective was Microsoft 365 OAuth token interception. When a victim authenticated to Microsoft 365, the GRU resolver intercepted the OAuth token exchange at the DNS layer, capturing bearer tokens without defeating MFA at the application level. Tokens were collected from email, Teams, SharePoint, and OneDrive sessions; targeted organisations included government agencies, defence contractors, technology firms, and critical infrastructure operators across Europe, North America, and the Asia-Pacific region.

Why It Matters

The DNS-layer interception approach is particularly difficult to detect. Because tokens appeared to originate from the victim’s own ISP IP range, neither endpoint security tools nor Microsoft’s audit logs produced the anomalous sign-in alerts that typically flag credential theft. The attack does not defeat MFA — it intercepts the authentication artefact after MFA is satisfied, during the OAuth token exchange.

At 18,000 compromised routers, this represents a persistent, large-scale collection platform that operated below the detection threshold of most enterprise security programmes. Victims were concentrated in organisations using consumer-grade or unmanaged SOHO routers for home-working, branch-office, or remote-access connectivity.

Technical Context

APT28 is a Russian General Staff (GRU) unit responsible for the 2016 US election interference operations, the NotPetya supply chain component, and numerous NATO state espionage campaigns. Operation Masquerade is the third DOJ router-focused disruption in three years, following the Volt Typhoon KV Botnet takedown (January 2024) and an earlier APT28 operation in 2023. The recurring pattern confirms that SOHO network infrastructure has become a preferred pre-positioning layer for state actors — operating in the gap between corporate IT management and consumer-grade support.

  • Audit home and branch-office DNS configurations for employees with VPN or M365 remote access — confirm resolvers match expected ISP or corporate DNS settings, not unfamiliar IP addresses.
  • Revoke OAuth sessions and rotate tokens for users whose home or branch routers may have been exposed; use Microsoft Entra ID’s bulk “Revoke Sessions” capability and force re-authentication.
  • Enforce Conditional Access policies requiring compliant devices or named locations before issuing tokens — Continuous Access Evaluation (CAE) makes device-code flow interception significantly harder.
  • Review M365 audit logs for anomalous OAuth application grants, legacy app registrations, and access patterns from unusual IP ranges over the past six months.
  • Replace end-of-life SOHO routers used for remote or branch connectivity — prioritise devices with no vendor security updates in the past 24 months.
  • Deploy network-level DNS filtering (e.g. Cisco Umbrella, Cloudflare Gateway) for all VPN-connected users to prevent resolver manipulation before DNS queries leave the device.
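The first recommendation above, auditing a client's configured resolvers against the set an organisation expects, as an added example that is not part of the original article. The allowlist and the resolv.conf text are constructed samples using RFC 5737 documentation addresses, not real resolvers.

```python
import ipaddress
import re

# Constructed allowlist: the corporate/ISP resolver ranges an organisation expects.
# RFC 5737 documentation addresses stand in for real resolvers here.
EXPECTED_RESOLVER_RANGES = ["203.0.113.0/24", "198.51.100.53/32"]

# Constructed resolv.conf as a home router's DHCP might push it to a client;
# one resolver is outside the allowlist, one is the systemd-resolved stub.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.10
nameserver 192.0.2.77
nameserver 127.0.0.53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def audit_resolvers(resolv_conf_text, expected_ranges):
    """Classify each configured resolver: 'expected' (inside an approved range),
    'local' (loopback stub such as systemd-resolved; audit its upstreams separately)
    or 'unexpected' (anything else, including unparseable entries)."""
    nets = [ipaddress.ip_network(r) for r in expected_ranges]
    findings = {}
    for ns in parse_nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings[ns] = "unexpected"  # not an IP literal at all; flag it
            continue
        if addr.is_loopback:
            findings[ns] = "local"
        elif any(addr in net for net in nets):
            findings[ns] = "expected"
        else:
            findings[ns] = "unexpected"
    return findings


if __name__ == "__main__":
    for ns, verdict in audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVER_RANGES).items():
        print(f"{ns:<16} {verdict}")
```

A 'local' verdict is not a pass: on systemd-resolved or similar stubs, the upstream servers must be read from the stub's own configuration and run through the same check.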
