Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations

Russian intelligence-linked operations are increasingly focused on communications-layer collection, using compromised SOHO routers, DNS hijacking, and phishing against Signal, WhatsApp, Telegram, and Microsoft 365. These campaigns are attributed largely to the Russian GRU’s Unit 26165 (APT28/Fancy Bear/Forest Blizzard) and target government, defense, critical infrastructure, journalists, NGOs, and Ukraine-related organizations for persistent access and intelligence gathering. #APT28 #FancyBear #ForestBlizzard #Unit26165 #Signal #WhatsApp #Telegram #Microsoft365

Keypoints

  • Russian operators are prioritizing quiet, long-term intelligence collection over destructive activity.
  • Compromised SOHO routers are being used for DNS hijacking, adversary-in-the-middle collection, and credential interception.
  • The router activity is attributed to the Russian GRU’s Unit 26165, tracked as APT28, Fancy Bear, and Forest Blizzard.
  • Messaging-platform targeting extends to Signal, WhatsApp, Telegram, and Microsoft 365, including linked-device abuse and OAuth phishing.
  • Victims of highest interest include government, military, defense, critical infrastructure, telecom, journalists, NGOs, researchers, and Ukraine-linked groups.
  • Reporting from Microsoft, the FBI, CISA, DOJ, Google, Volexity, and others indicates broad-scale compromise with selective follow-on targeting.
  • Defensive guidance emphasizes router hardening, linked-device review, phishing-resistant MFA, and tighter control of OAuth and remote access.
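As an added example, not from the DomainTools report or any vendor's tooling, the script below shows two cheap host-side checks for the router-level DNS hijacking the key points describe: it compares the resolvers a router hands out against the resolvers the organization expects, and it compares answers from the local resolver for high-value domains with answers from an independent reference resolver. Every address, domain, resolv.conf line and DNS answer in it is constructed sample data; in practice the answer sets would be populated from real lookups against the local resolver and a trusted out-of-path resolver.

```python
"""
Added example: offline checks for signs of router-level DNS hijacking.

1. unexpected_resolvers(): resolvers pushed by the router (e.g. via DHCP into
   /etc/resolv.conf) that are not on the organization's allowlist.
2. compare_answers(): domains whose local-resolver answer differs from an
   independent reference resolver's answer.

All data below is constructed for the example.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed: resolvers the organization expects clients to use, plus the
# prefix in which internal resolvers are allowed to live.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_RESOLVER_NETS = [ip_network("10.0.0.0/16")]

# Constructed resolv.conf content as a compromised router might push it:
# one legitimate resolver and one outside the expected range.
SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP client
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7
"""

# Constructed A-record answers, keyed by domain, from the local resolver and
# from a trusted reference resolver reached outside the router's path.
SAMPLE_LOCAL_ANSWERS = {
    "sso.corp.example": {"203.0.113.10"},      # redirected to an unknown host
    "webmail.corp.example": {"10.0.5.20"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "sso.corp.example": {"10.0.5.10"},
    "webmail.corp.example": {"10.0.5.20"},
}


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS, nets=EXPECTED_RESOLVER_NETS):
    """Resolvers that are neither allowlisted nor inside an allowed prefix."""
    flagged = []
    for server in servers:
        try:
            addr = ip_address(server)
        except ValueError:
            flagged.append(server)  # an unparsable entry is itself worth a look
            continue
        if server in expected or any(addr in net for net in nets):
            continue
        flagged.append(server)
    return flagged


def compare_answers(local, reference):
    """
    Domains whose local answer set differs from the reference answer set.
    A domain present on only one side is treated as divergent as well.
    """
    domains = sorted(set(local) | set(reference))
    return [d for d in domains if local.get(d) != reference.get(d)]


def run_checks():
    """Run both checks over the constructed sample data and return findings."""
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "unexpected_resolvers": unexpected_resolvers(servers),
        "divergent_domains": compare_answers(SAMPLE_LOCAL_ANSWERS, SAMPLE_REFERENCE_ANSWERS),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits or 'none'}")
```

A divergent answer is a lead, not proof: split-horizon DNS and CDN geo-steering also produce different answers from different vantage points, so the reference resolver should be one that sees the same view as the local one would if it were honest.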

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Vulnerable SOHO and TP-Link routers were exploited to gain initial access [‘Exploitation of vulnerable SOHO and TP-Link routers’]
  • [T1566] Phishing – Messaging-app phishing and OAuth lure delivery were used to obtain access [‘Messaging-app phishing and OAuth lure delivery’]
  • [T1566.002] Spearphishing Link – Malicious OAuth and device-code URLs were delivered to victims [‘Delivery of malicious OAuth/device-code URLs’]
  • [T1078] Valid Accounts – Compromised messaging and cloud accounts were abused for continued access [‘Abuse of compromised messaging and cloud accounts’]
  • [T1204] User Execution – Victims interacted with QR codes and phishing links to enable compromise [‘Victim interaction with QR codes and phishing links’]
  • [T1098] Account Manipulation – Linked devices were added to Signal accounts for persistence [‘Addition of linked devices to Signal accounts’]
  • [T1133] External Remote Services – Compromised cloud identities were used to maintain access [‘Continued access through compromised cloud identities’]
  • [T1556] Modify Authentication Process – OAuth workflow abuse and session persistence were leveraged [‘OAuth workflow abuse and session persistence’]
  • [T1548] Abuse Elevation Control Mechanism – Router administrative compromise and configuration changes elevated control [‘Router administrative compromise and configuration manipulation’]
  • [T1090] Proxy – DNS and adversary-in-the-middle proxy routing was used to steer traffic [‘DNS and AiTM proxy routing’]
  • [T1562] Impair Defenses – The actors operated outside enterprise EDR visibility [‘Operating outside enterprise EDR visibility’]
  • [T1557] Adversary-in-the-Middle – TLS interception and DNS redirection enabled interception of traffic [‘TLS interception and DNS redirection’]
  • [T1649] Steal or Forge Authentication Certificates – Fraudulent or invalid TLS certificates were used to enable interception [‘Use of fraudulent/invalid TLS certificates’]
  • [T1056] Input Capture – Credentials were intercepted via redirected authentication flows [‘Credential interception via redirected authentication flows’]
  • [T1555] Credentials from Password Stores – Stored or synced credentials were intercepted [‘Interception of stored or synced credentials’]
  • [T1046] Network Service Discovery – DNS visibility was used for reconnaissance [‘Reconnaissance through DNS visibility’]
  • [T1016] System Network Configuration Discovery – Resolver and network settings were observed [‘Observation of network and resolver configurations’]
  • [T1589] Gather Victim Identity Information – Contact lists and identity relationships were collected [‘Collection of contact lists and identity relationships’]
  • [T1590] Gather Victim Network Information – DNS and routing visibility were collected [‘DNS and routing visibility collection’]
  • [T1114] Email Collection – Outlook Web Access traffic was intercepted [‘Interception of Outlook Web Access traffic’]
  • [T1123] Audio Capture – Communication workflows could support audio-related collection [‘Potential collection through compromised communication workflows’]
  • [T1213] Data from Information Repositories – Cloud-hosted communications were accessed [‘Access to cloud-hosted communications’]
  • [T1113] Screen Capture – Follow-on account monitoring activities could include screen capture [‘Potential follow-on account monitoring activities’]
  • [T1530] Data from Cloud Storage – Microsoft 365 and cloud-message access enabled collection [‘Microsoft 365 and cloud-message access’]
  • [T1071] Application Layer Protocol – DNS and HTTPS were used for communications [‘DNS- and HTTPS-based communications’]
  • [T1573] Encrypted Channel – TLS/HTTPS transport protected communications [‘Use of TLS/HTTPS transport’]
  • [T1568] Dynamic Resolution – Actor-controlled DNS infrastructure supported routing and redirection [‘Actor-controlled DNS infrastructure’]
  • [T1567] Exfiltration Over Web Service – Cloud-account data access and exfiltration occurred through web services [‘Cloud-account data access and exfiltration’]
  • [T1498] Network Denial of Service – Router control may provide latent disruptive capability [‘Potential latent capability through router control’]
  • [T1574] Hijack Execution Flow – DNS response manipulation redirected traffic [‘DNS response manipulation and traffic redirection’]

Indicators of Compromise

  • [Threat actor aliases] Russian GRU-linked cluster referenced in the report – APT28, Fancy Bear, Forest Blizzard, and Unit 26165
  • [Organizations/services targeted] Messaging and cloud platforms abused for collection – Signal, WhatsApp, Telegram, Microsoft 365, and Outlook Web Access
  • [Device/vendor references] Compromised edge devices mentioned in the campaign – TP-Link devices, SOHO routers
  • [Time references] Reported campaign duration and warning period – August 2025, April 2026, March 2026
  • [Scale indicators] Broad compromise described by researchers and agencies – more than 18,000 IPs, more than 200 organizations, 5,000 consumer devices
Read more: https://dti.domaintools.com/research/threat-intelligence-report-russia-router-dns-and-messaging-layer-collection-operations