Russian-linked APT28 has been exploiting vulnerable SOHO routers, notably TP-Link devices, to carry out large-scale DNS hijacking and adversary-in-the-middle operations that intercept communications and harvest credentials. The U.S. Department of Justice and FBI executed a court-authorized disruption, Operation Masquerade, to neutralize the compromised router network and restore legitimate DNS settings while urging firmware updates and other mitigations. #APT28 #TPLink
Key points
- APT28 has leveraged router vulnerabilities to perform DNS hijacking and enable adversary-in-the-middle attacks.
- The campaign targeted Microsoft Outlook-related domains to harvest emails, passwords, and authentication tokens.
- Attackers exploited known flaws such as CVE-2023-50224 to extract credentials and modify router DNS configurations.
- The FBI’s Operation Masquerade remotely collected evidence, reset DNS settings, and blocked actor access on affected devices.
- Authorities recommend replacing unsupported routers, updating firmware, verifying DNS settings, disabling remote management, and enabling MFA.
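The "verify DNS settings" recommendation above can be turned into a concrete check. The following is an added example, not code from the article or from any agency: it flags resolvers handed out by a router that are not on a site allowlist, and flags watched Outlook-related names whose answers via the router-provided resolver share nothing with answers from a trusted out-of-band resolver. All addresses and resolver lists are constructed placeholders from documentation ranges.

```python
import ipaddress

# Constructed sample input: resolvers the DHCP client received from the router.
# 203.0.113.77 is a constructed "rogue" entry; the allowlist is hypothetical.
OBSERVED_RESOLVERS = ["192.168.0.1", "203.0.113.77"]
EXPECTED_RESOLVERS = {"192.168.0.1", "1.1.1.1"}

# Constructed answers for Outlook-related names, resolved via the router-provided
# resolver versus a trusted out-of-band resolver (e.g. an encrypted resolver you control).
ANSWERS_VIA_ROUTER = {
    "outlook.office365.com": {"198.51.100.10"},
    "login.microsoftonline.com": {"192.0.2.40", "192.0.2.41"},
}
ANSWERS_VIA_TRUSTED = {
    "outlook.office365.com": {"192.0.2.10", "192.0.2.11"},
    "login.microsoftonline.com": {"192.0.2.40", "192.0.2.41", "192.0.2.42"},
}


def _canon(addrs):
    # Normalize so that e.g. "2001:DB8::1" and "2001:db8::1" compare equal.
    return {str(ipaddress.ip_address(a)) for a in addrs}


def rogue_resolvers(observed, expected):
    """Return router-advertised resolvers that are not on the allowlist."""
    return sorted(_canon(observed) - _canon(expected))


def divergent_names(via_router, via_trusted):
    """Return names whose router-resolved addresses share nothing with trusted answers.

    CDN-fronted names legitimately return differing subsets from different vantage
    points, so a partial overlap is treated as normal; a fully disjoint answer set
    is the signal that the resolver is returning attacker-controlled addresses.
    """
    flagged = []
    for name, router_ips in via_router.items():
        trusted_ips = _canon(via_trusted.get(name, set()))
        if not (_canon(router_ips) & trusted_ips):
            flagged.append(name)
    return sorted(flagged)


def audit(observed, expected, via_router, via_trusted):
    """Combine both checks into one report dict suitable for alerting."""
    return {
        "rogue_resolvers": rogue_resolvers(observed, expected),
        "divergent_names": divergent_names(via_router, via_trusted),
    }


if __name__ == "__main__":
    print(audit(OBSERVED_RESOLVERS, EXPECTED_RESOLVERS, ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED))
```

On the constructed input the report names the rogue resolver and outlook.office365.com as divergent, while login.microsoftonline.com passes because its router answers overlap the trusted set.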
Read More: https://thecyberexpress.com/apt28-dns-hijacking-fbi/