Morning Overview

Hackers hijack home routers to snoop on Microsoft 365 logins, reports

If you worked from home at any point over the past two years and logged in to your email or a cloud productivity platform like Microsoft 365, your credentials may have been silently intercepted by Russian military hackers who had already compromised your home router.

That is the core finding of coordinated advisories published by the UK National Cyber Security Centre (NCSC) and the U.S. Department of Justice. Both agencies attribute the operation to GRU Unit 26165, the Russian military intelligence division more widely known as APT28 or Forest Blizzard. The group altered DNS settings on consumer-grade routers so that every device on the network, including laptops, phones, and tablets, quietly sent its DNS lookups to attacker-controlled servers, which could then steer selected web traffic to infrastructure the attackers ran. Anyone who entered a password or received an authentication token on a compromised network was at direct risk of credential theft.

How the attack worked

APT28 operators exploited known vulnerabilities in small-office and home-office (SOHO) routers to gain administrative access. Once inside, they changed the device’s DHCP and DNS configuration so that every device joining the network was automatically handed rogue DNS resolvers controlled by the hackers.

The group then stood up virtual private server (VPS) infrastructure that acted as those rogue DNS servers. Rather than redirecting all web traffic and risking quick detection, the servers answered most queries honestly and selectively resolved only domain names containing keywords associated with login pages, webmail portals, and cloud services. When a victim’s browser requested one of those domains, the rogue server returned an IP address controlled by the attackers, placing them in an adversary-in-the-middle position where they could harvest usernames, passwords, and session tokens in real time.

The NCSC advisory describes the harvested data as including credentials from “webmail and other login services.” While the advisory does not name specific platforms, the technique would be effective against any browser-based login flow, including widely used services such as Microsoft 365, Google Workspace, and corporate single sign-on portals. A single compromised router could expose every person and device on that local network.

Which routers were targeted

One vulnerability specifically linked to the campaign is CVE-2023-50224, which affects the TP-Link TL-WR841N. According to the National Vulnerability Database, the flaw combines improper authentication with information disclosure, allowing an attacker who can reach the device’s management interface to extract administrator credentials without authenticating. The model is widely available at consumer price points, though the government advisories do not quantify its installed base.

It is worth noting that the NVD entry does not itself attribute exploitation of this CVE to APT28. That connection comes from contextual analysis and secondary reporting rather than from the government advisories directly. The TP-Link model should be understood as one confirmed attack surface, not the only one. The same DNS hijacking technique could be applied to any unpatched or weakly secured router that allows remote administration or still uses factory-default passwords.

The U.S. law enforcement response

The FBI and the Justice Department carried out a court-authorized technical operation to neutralize the U.S. portion of the compromised router network. Court filings from the Eastern District of Pennsylvania confirmed that GRU Unit 26165 exploited routers to steal device credentials, gained unauthorized access, and performed DNS redirection. The DOJ announced the disruption in early 2025, according to its public press release, though the underlying investigation spanned a longer period.

The disruption worked by temporarily redirecting traffic from the malicious DNS servers to infrastructure controlled by U.S. authorities, effectively cutting off the attackers’ ability to intercept queries routed through American soil. The rogue configurations were then dismantled. The UK government, for its part, published defensive guidance and formally attributed the campaign to Russian military intelligence.

What remains uncertain

Several important gaps remain in the public record as of May 2026:

Scale. Neither the NCSC nor the DOJ has published a count of compromised routers or confirmed victims. Some security commentators have suggested the number of affected devices could be in the thousands, but no official figure supports that estimate.

Specific targets. The NCSC describes the selectively resolved domains only in general terms, referencing queries related to login and email activity. It has not listed specific cloud providers or enterprise platforms, making it difficult for organizations to assess retroactively whether their services were disproportionately targeted.

Timeline. Public documents do not specify when APT28 first deployed this particular technique. CISA issued a joint advisory on Russian state-sponsored cyber threats in April 2022, but that document covers a broad spectrum of activity and predates the specific DNS hijacking method described by the NCSC. Whether this campaign overlapped with APT28’s earlier spear-phishing operations or represents a newer pivot remains unclear.

Ongoing risk. The DOJ operation targeted servers and routers reachable under U.S. jurisdiction. There is no public evidence that similar takedowns have occurred in other countries. Given the low cost of standing up fresh VPS infrastructure and scanning for vulnerable routers, it would be technically straightforward for the group to rebuild equivalent capabilities in jurisdictions less likely to cooperate with Western law enforcement.

Attribution methods. The attribution to GRU Unit 26165 is consistent across U.S. and UK agencies and rests on shared technical indicators, infrastructure overlaps with past operations, and coordinated government statements. The specific intelligence methods behind that attribution remain classified, and no open-source confirmation based on leaked documents or court testimony has surfaced as of May 2026.

What you should do now

For anyone working from a home or small-office network, the most important step is also the simplest: log in to your router’s admin panel and check whether the DNS settings have been changed. Look in two places, since the attackers altered both the DHCP and the DNS configuration: the DNS servers the router itself uses on its internet (WAN) connection, and the DNS servers it hands out to your devices over DHCP on the LAN side. If either points to unfamiliar IP addresses, reset them to a trusted provider such as your ISP’s default servers, Cloudflare (1.1.1.1), or Google Public DNS (8.8.8.8). Because the attackers held administrative access, correcting the DNS entries alone does not evict them: update the firmware, change the administrator password, and if in doubt restore factory defaults and reconfigure from scratch. Anyone who signed in to webmail or a cloud service from the network while it was hijacked should also change those passwords and sign out of all active sessions, since session tokens were among the data harvested.

Beyond that immediate check, basic router hygiene goes a long way:

  • Update firmware. Manufacturers patch known vulnerabilities through firmware updates. If your router has not been updated in over a year, do it now.
  • Change default credentials. Many routers ship with admin/admin or similar factory passwords. Replace them with something strong and unique.
  • Disable remote administration. Unless you have a specific need to manage your router from outside your home network, turn this feature off.
  • Watch for warning signs. Unexpected login prompts, browser certificate warnings, or repeated account lockouts can all indicate DNS manipulation. A certificate warning on a login page is exactly what this attack produces when the attacker’s server cannot present a valid certificate for the spoofed domain, so never click through one.
  • Report suspicious activity. The NCSC operates an incident reporting portal for UK users. In the U.S., reports can be filed through CISA or the FBI’s IC3. Timely reporting helps security agencies track and disrupt the next iteration of campaigns like this one.
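The DNS check above can be run from any client on the network, not just from the router’s admin panel. The following script is an added example written for this article; it is not code from the NCSC or DOJ advisories or from the article’s author. It checks the two symptoms a client can observe: which resolvers the host was handed (from a resolv.conf-style file), and whether login-related names resolve to addresses that share nothing with a trusted resolver’s answer, which is the signature of the selective hijack described earlier. The trusted-resolver list and the keyword-free sample domains are assumptions; the sample data at the bottom is constructed. Only query_a() touches the network, by sending a plain UDP DNS query to a resolver of your choice.

```python
"""Checks for the router DNS hijack described above (added example; not
code from the article or the NCSC/DOJ advisories). Two symptoms are
testable from a client: the resolvers a host was handed, and login-related
names resolving to addresses that share nothing with a trusted resolver's
answer. query_a() sends a real DNS query over UDP; everything else runs
offline, and the sample data at the bottom is constructed."""
import ipaddress
import random
import re
import socket
import struct

# Public resolvers you chose on purpose (assumption: extend with your ISP's).
# Otherwise a home host should be using the router's own RFC 1918 address
# or a local stub such as 127.0.0.53.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_resolv_conf(text: str) -> list[str]:
    """Nameserver addresses from resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)

def classify_resolver(addr: str) -> str:
    """'trusted', 'lan' or 'suspicious'. 'lan' is not a clean bill: the
    router itself may forward to a rogue server, so check its settings."""
    ip = ipaddress.ip_address(addr)
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "lan"
    return "suspicious"  # a public address you did not choose

def find_hijacked(configured: dict[str, set[str]], reference: dict[str, set[str]]) -> list[str]:
    """Names whose answers from the configured resolver share no address with
    the reference resolver's. Heuristic: CDNs return different subsets, so a
    non-empty intersection counts as consistent. Selective hijacking shows up
    as mismatches on login-related names only."""
    return sorted(n for n, ans in configured.items()
                  if ans and reference.get(n) and ans.isdisjoint(reference[n]))

def build_query(name: str) -> tuple[int, bytes]:
    """Minimal DNS A/IN query, recursion desired."""
    txid = random.randrange(65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack(">HH", 1, 1)

def _skip_name(resp: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = resp[pos]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def parse_a_records(txid: int, resp: bytes) -> set[str]:
    """A records in a DNS response; raises if the transaction id does not match."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # QTYPE + QCLASS
    addrs: set[str] = set()
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_a(name: str, resolver: str, timeout: float = 3.0) -> set[str]:
    """Ask one specific resolver for A records (needs network access)."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    return parse_a_records(txid, resp)

# Constructed sample: DHCP handed the host an unknown public resolver, and
# only the login-related names resolve differently from the reference.
SAMPLE_RESOLV_CONF = "search home.lan\nnameserver 203.0.113.53\nnameserver 192.168.1.1\n"
SAMPLE_CONFIGURED = {
    "login.example-cloud.test": {"203.0.113.20"},  # attacker-controlled
    "mail.example-corp.test": {"203.0.113.21"},    # attacker-controlled
    "news.example.test": {"198.51.100.5", "198.51.100.6"},
}
SAMPLE_REFERENCE = {
    "login.example-cloud.test": {"198.51.100.10", "198.51.100.11"},
    "mail.example-corp.test": {"198.51.100.12"},
    "news.example.test": {"198.51.100.6"},
}

if __name__ == "__main__":
    for r in parse_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"resolver {r}: {classify_resolver(r)}")
    print("hijacked:", find_hijacked(SAMPLE_CONFIGURED, SAMPLE_REFERENCE))
```

To use it against a live network, replace the sample dictionaries with real answers: call query_a(name, "192.168.1.1") (your router’s LAN address) and query_a(name, "1.1.1.1") for the login domains you actually use, then pass the two result maps to find_hijacked. A "suspicious" resolver classification or any name reported as hijacked is grounds to follow the router-reset and credential-rotation steps above; a clean result only means the hijack was not observable from this client at this moment, because the rogue servers answered most names honestly by design.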

The broader lesson is uncomfortable but important: the device most people never think about, the router blinking quietly in a corner, has become a frontline target for state-sponsored espionage. Keeping it patched and properly configured is no longer optional. It is as essential as locking your front door.


*This article was researched with the help of AI, with human editors creating the final content.