In a new advisory, the NCSC reports that APT28, a cyber group linked to Russia’s GRU Military Unit 26165, has been exploiting vulnerabilities in edge network devices to conduct DNS hijacking operations. The group, also known as Fancy Bear and Forest Blizzard, has been compromising routers worldwide, including TP-Link devices, and changing their DHCP and DNS settings so that clients use actor-controlled resolvers, which capture lookups for all domain names.
The GRU has harvested passwords, authentication tokens, and other sensitive information, enabling adversary-in-the-middle attacks against encrypted traffic and potentially exposing email and web browsing data normally protected by SSL/TLS. Since at least 2024, these actors have targeted military, government, and critical infrastructure organisations; the U.S. DOJ and FBI recently disrupted a network of compromised SOHO routers used to facilitate the DNS hijacking.
The IC3 public service announcement, issued on 07 April 2026, describes the operation and urges users to upgrade devices, apply firmware updates, change default credentials, and review certificate warnings in browsers and email clients.
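A host-side check for the setting change the advisory describes, added here as an example (it is not code from the NCSC or IC3 announcements): it reads the resolvers handed out in a DHCP lease and those configured in resolv.conf, both constructed below, and flags any resolver absent from an assumed allowlist, naming where each was seen so a DHCP-pushed change is distinguishable from a local edit. The allowlist and all addresses are assumptions.

```python
import ipaddress
import re

# Assumed allowlist: the resolvers this site expects DHCP to hand out (not from the advisory).
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Constructed sample inputs, shaped like a dhclient lease file and a resolv.conf.
# 198.51.100.53 stands in for an unexpected resolver (documentation range, not a real actor address).
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 198.51.100.53;
}
"""
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 198.51.100.53
nameserver 192.168.1.1
"""

def _valid(addr: str) -> bool:
    """Keep only well-formed IP addresses; lease files can contain hostnames or garbage."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def resolvers_from_lease(text: str) -> set[str]:
    """Collect every address named in an 'option domain-name-servers' line."""
    found = set()
    for m in re.finditer(r"option domain-name-servers ([^;]+);", text):
        found.update(a.strip() for a in m.group(1).split(",") if _valid(a.strip()))
    return found

def resolvers_from_resolv_conf(text: str) -> set[str]:
    """Collect 'nameserver' entries, ignoring comments and malformed lines."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _valid(parts[1]):
            found.add(parts[1])
    return found

def audit_resolvers(sources: dict[str, set[str]], expected: set[str]) -> list[str]:
    """One finding per resolver seen in any source but missing from the allowlist."""
    seen: dict[str, list[str]] = {}
    for name, addrs in sources.items():
        for addr in addrs - expected:
            seen.setdefault(addr, []).append(name)
    return [f"unexpected resolver {addr} (seen in: {', '.join(sorted(srcs))})"
            for addr, srcs in sorted(seen.items())]

if __name__ == "__main__":
    sources = {"dhcp-lease": resolvers_from_lease(SAMPLE_LEASE),
               "resolv.conf": resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)}
    for finding in audit_resolvers(sources, EXPECTED_RESOLVERS):
        print(finding)
```

A finding that appears in the DHCP lease points at the router or DHCP server rather than the host, which is the place the advisory says to look.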