Russia's GRU APT28 Hijacked TP-Link Routers to Steal Microsoft 365 Credentials
On April 7, 2026, the FBI/DOJ announced the neutralization of “Operation Masquerade,” a campaign in which Russia’s GRU had been DNS-hijacking TP-Link routers worldwide. The UK NCSC published a technical advisory on APT28 the same day.
This is the second case of TP-Link routers being used in nation-state attacks, following Flax Typhoon (China) — this time with Russia’s GRU at the helm. Home routers serving as infrastructure for state-sponsored cyberattacks is no longer exceptional; it’s becoming the norm.
The Attacker: APT28 / Fancy Bear / Forest Blizzard
The attack was carried out by APT28, part of the GRU’s 85th Special Service Center (Military Unit 26165). The group is also tracked as Fancy Bear, Forest Blizzard, Sofacy, Pawn Storm, and Storm-2754, and is an official cyber unit of the Russian state.
Lumen Black Lotus Labs named this campaign “FrostArmada” and identified two operational teams within the unit.
| Team | Role |
|---|---|
| Expansion team | Device compromise and botnet growth |
| Collection team | AitM (Adversary-in-the-Middle) operations and credential theft |
What Happened
APT28 compromised internet-exposed TP-Link and MikroTik SOHO routers and tampered with their DNS settings, routing all traffic from devices behind the router through GRU-controlled DNS resolvers.
The targets were Microsoft Outlook/365 domains. By spoofing DNS responses to redirect traffic to GRU AitM nodes, they intercepted OAuth tokens and passwords.
No malware was used. Because the attack abused the router’s own DHCP/DNS functionality to intercept and redirect traffic, it was extremely difficult to detect with traditional malware scanning.
Intercepted Domains
- autodiscover-s.outlook.com
- imap-mail.outlook.com
- outlook.live.com
- outlook.office.com
- outlook.office365.com
Affected TP-Link Models
Models listed in the NCSC advisory.
| Series | Models |
|---|---|
| WR8xx | TL-WR841N, WR841HP, WR842N, WR842ND, WR845N, WR840N |
| WR9xx | TL-WR941ND, WR945N |
| WR7xx | TL-WR740N, WR749N |
| WR10xx | TL-WR1043ND, WR1045ND |
| WDR | TL-WDR3500, WDR3600, WDR4300 |
| MR | TL-MR3420, MR6400 |
| Archer | Archer C5, C7 (EU version) |
| AP | TL-WA801ND, WA901ND |
MikroTik routers (particularly those used in Ukraine), Nethesis firewalls, and legacy Fortinet devices were also targeted.
Technical Details
Exploited Vulnerabilities
Two CVEs were chained together.
| CVE | Target | CVSS | Description |
|---|---|---|---|
| CVE-2023-50224 | TL-WR841N | 6.5 | Auth bypass in the httpd service (TCP 80). Credentials can be retrieved unauthenticated from /tmp/dropbear/dropbearpwd |
| CVE-2025-9377 | Archer C7(EU) V2, TL-WR841N/ND(MS) V9 | 8.6 | OS command injection via the Parental Control page. RCE possible after authentication |
CVE-2023-50224 steals admin credentials, then CVE-2025-9377 achieves command execution to rewrite DNS settings.
Attack Chain
```mermaid
graph TD
A[Scan for internet-exposed<br/>SOHO routers] --> B[CVE-2023-50224<br/>Retrieve admin password<br/>via unauthenticated HTTP request]
B --> C[Log in to router<br/>admin panel with<br/>stolen credentials]
C --> D[CVE-2025-9377<br/>OS command injection<br/>via Parental Control]
D --> E[Tamper DNS/DHCP settings<br/>Point to GRU-controlled<br/>DNS resolvers]
E --> F[All devices behind router<br/>inherit malicious DNS<br/>settings via DHCP]
F --> G[Redirect Outlook domain<br/>requests to AitM nodes]
G --> H[Intercept OAuth tokens<br/>and passwords from users<br/>who ignore TLS warnings]
```
The key point: rather than planting malware on the router, the attackers simply changed legitimate DHCP/DNS configuration. The router continues to operate normally, making it extremely difficult for users to notice anything wrong.
TLS certificate warnings appeared because the GRU didn’t possess valid server certificates. In other words, users who didn’t ignore certificate warnings were not affected.
GRU Infrastructure Characteristics
VPS indicators identified by Black Lotus Labs.
| Cluster | Banner Pattern |
|---|---|
| Cluster 1 | SSH on TCP 56777, dnsmasq-2.85 on UDP 53 |
| Cluster 2 | SSH on TCP 35681, dnsmasq-2.85 (selective) |
Over 100 VPS IP addresses were confirmed, concentrated mainly in the 5.226.137.x, 37.221.64.x, 77.83.197.x, 79.141.x.x, and 185.237.166.x ranges.
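The resolver ranges above are usable as a detection list on any network with WAN-side visibility: a compromised router forwards its clients’ lookups to the GRU resolver, so the router’s own outbound port-53 traffic is the place the hijack shows up. The script below is an added example written for this article (not tooling from Black Lotus Labs, the FBI, or TP-Link). It scans iptables-style LOG lines for outbound DNS flows, skips the resolvers you expect, and scores the rest against the ranges listed on this page; the sample log lines and the expected-resolver list are constructed for the example, and the `79.141.x.x` range is tracked at lower confidence because the article gives it only at /16 granularity.

```python
import ipaddress
import re

# Resolver IP ranges attributed to the FrostArmada VPS fleet in the article (Black Lotus Labs).
# "79.141.x.x" is given only at /16 granularity, so a hit there is rated lower than the /24 hits.
APT28_RESOLVER_RANGES = [
    (ipaddress.ip_network("5.226.137.0/24"), "high"),
    (ipaddress.ip_network("37.221.64.0/24"), "high"),
    (ipaddress.ip_network("77.83.197.0/24"), "high"),
    (ipaddress.ip_network("185.237.166.0/24"), "high"),
    (ipaddress.ip_network("79.141.0.0/16"), "medium"),
]

# Assumption: the resolvers this network's WAN side is expected to talk to (ISP resolvers or an
# enterprise forwarder). Replace with your own baseline; these are documentation-range placeholders.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Pulls the fields we need out of an iptables/nftables LOG line.
_LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def classify_resolver(ip: str) -> tuple:
    """Return (verdict, confidence) for the destination of a DNS flow."""
    if ip in EXPECTED_RESOLVERS:
        return ("expected", "n/a")
    addr = ipaddress.ip_address(ip)
    for net, confidence in APT28_RESOLVER_RANGES:
        if addr in net:
            return ("apt28-infrastructure", confidence)
    # Not on the indicator list, but still not a resolver we configured: worth a look.
    return ("unexpected-resolver", "low")


def triage_dns_egress(lines) -> list:
    """Scan egress firewall log lines for DNS (port 53) flows to resolvers we do not expect.

    Returns one finding per suspicious flow; expected resolvers and non-DNS traffic are skipped.
    """
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or m["dpt"] != "53" or m["proto"] not in ("UDP", "TCP"):
            continue
        verdict, confidence = classify_resolver(m["dst"])
        if verdict == "expected":
            continue
        findings.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "verdict": verdict, "confidence": confidence,
        })
    return findings


# Constructed sample log lines (not real captures): the router's WAN interface is eth0.
SAMPLE_LOG = [
    "Apr  8 10:15:01 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.0.1 DST=203.0.113.53 LEN=60 TTL=63 PROTO=UDP SPT=51234 DPT=53 LEN=40",
    "Apr  8 10:15:02 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.0.1 DST=5.226.137.10 LEN=60 TTL=63 PROTO=UDP SPT=51235 DPT=53 LEN=40",
    "Apr  8 10:15:03 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.0.23 DST=198.51.100.7 LEN=52 TTL=63 PROTO=TCP SPT=44321 DPT=443 LEN=32",
    "Apr  8 10:15:04 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.0.1 DST=79.141.20.5 LEN=52 TTL=63 PROTO=TCP SPT=44322 DPT=53 LEN=32",
    "Apr  8 10:15:05 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.0.1 DST=198.51.100.9 LEN=60 TTL=63 PROTO=UDP SPT=51236 DPT=53 LEN=40",
]

if __name__ == "__main__":
    for f in triage_dns_egress(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}/{f['proto']}: {f['verdict']} ({f['confidence']})")
```

Run against the constructed sample, the script reports the flow to `5.226.137.10` as high-confidence APT28 infrastructure, the flow to `79.141.20.5` as medium, and the flow to `198.51.100.9` as an unexpected resolver; the HTTPS flow and the flow to the expected resolver are ignored. The same logic applies to the DHCP-offered DNS servers on the LAN side: if the router hands out anything other than itself or the ISP resolvers, that is the configuration change the organizational countermeasures below ask you to monitor.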
Impact
| Item | Details |
|---|---|
| Peak | December 2025: 18,000+ unique IPs across 120+ countries communicating with APT28 infrastructure |
| Affected organizations | 200+ (Microsoft analysis) |
| Affected devices | 5,000+ |
| Targeted sectors | Foreign ministries, law enforcement, military organizations, critical infrastructure operators, IT/hosting providers |
| Geographic distribution | Worldwide, concentrated in North Africa, Central America, Southeast Asia, and Europe |
Timeline
| Date | Event |
|---|---|
| 2024 | GRU begins indiscriminate compromise of TP-Link routers |
| May 2025 | FrostArmada campaign begins limited operations |
| August 2025 | Large-scale router compromise and DNS redirection ramps up. UK NCSC publishes Forest Blizzard toolset report |
| September 2025 | CISA adds CVE-2023-50224 and CVE-2025-9377 to KEV (Known Exploited Vulnerabilities) catalog |
| December 2025 | Peak. 18,000+ IPs across 120+ countries communicating with APT28 infrastructure |
| March 2026 | Infrastructure neutralized. FCC announces import ban on foreign-made routers |
| April 7, 2026 | DOJ/FBI discloses Operation Masquerade neutralization. UK NCSC, FBI, and IC3 issue advisories simultaneously |
Operation Masquerade: FBI Remote Remediation
With court authorization, the FBI remotely sent commands to compromised routers within the United States and performed the following remediation:
- Forensic data collection
- DNS settings reset (removed GRU DNS resolvers, restored ISP default DNS)
- Disabled GRU’s unauthorized access methods
Normal router functionality was unaffected. Users can revert at any time using the hardware reset button.
Participating agencies included the FBI, NSA, Germany (BfV/BND), Italy (AISE/AISI), Canada, Czech Republic, Denmark, Estonia, Finland, Latvia, Lithuania, Norway, Poland, Portugal, Romania, Slovakia, Ukraine, and others.
FCC Foreign Router Import Ban
On March 23, 2026, the FCC decided to ban new imports and sales of foreign-made routers, primarily targeting Chinese manufacturers like TP-Link, which account for more than one-third of the US consumer router market.
- Existing devices remain usable
- Software updates permitted until March 1, 2027
- Justification based on Volt Typhoon, Flax Typhoon, Salt Typhoon, and the APT28 campaign
CISA also added CVE-2023-50224 and CVE-2025-9377 to the KEV catalog in September 2025 and ordered federal agencies to remediate by September 24, 2025.
TP-Link’s Response
TP-Link stated it “takes the threat of cyberattacks on network devices very seriously.” The affected models are EoL (end-of-life) products, but TP-Link released exceptional patch firmware.
TP-Link emphasized that “this exploit chain is only exploitable when the remote management interface is exposed to the internet, which is disabled by default.” However, as this incident revealed, 18,000+ devices had nevertheless been changed from the default configuration.
Lineage of State-Sponsored Attacks Targeting SOHO Routers
This isn’t the first time TP-Link routers have been used in state-sponsored attacks.
| Campaign | Attribution | Description |
|---|---|---|
| KV Botnet / Volt Typhoon | China | Built a botnet primarily from EoL Cisco/Netgear routers. Pre-positioned for US critical infrastructure attacks. Rebuilt after FBI neutralization in 2024 |
| Flax Typhoon | China | Botnet centered on hundreds of thousands of TP-Link routers. Used for DDoS, credential spraying (trying massive combinations of IDs and passwords), and anonymous proxying. Reported by Microsoft in October 2024 |
| FrostArmada / APT28 | Russia | This incident. AitM attack via DNS tampering on TP-Link/MikroTik routers. 2024-2026 |
SOHO routers are always on, rarely patched, and compromises go unnoticed. They’re ideal staging points for nation-state attackers.
Countermeasures
For Individual Users
- Factory reset your router and verify DNS settings have reverted to ISP defaults
- Update to the latest firmware
- Disable the remote management interface (disabled by default, but verify)
- Change the default admin password
- Replace EoL routers with newer models
- Never ignore TLS certificate warnings (the GRU’s AitM didn’t have valid certificates — not ignoring warnings would have prevented the attack)
For Organizations
- Implement certificate pinning via MDM (Mobile Device Management)
- Remove EoL network equipment
- Deploy monitoring for DNS configuration changes
- Consider implementing DNSSEC
- Minimize internet exposure of management interfaces
What makes this attack particularly nasty is that it succeeds using only legitimate router features — no malware needed. The assumption “my router is working normally = it’s safe” doesn’t hold. If you’re using an affected model, update the firmware and verify your DNS settings. EoL devices are due for replacement.
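The attack chain above works because the router answers the LAN’s DNS queries, and the user-side advice to “verify your DNS settings” amounts to checking what that resolver says for the intercepted Outlook domains. The script below is an added example written for this article, not tooling from the FBI, NCSC, or TP-Link. It sends a raw A-record query to a specific resolver (the OS stub resolver cannot be pointed at a chosen server, so the packet is built by hand), then compares the router’s answers for the five intercepted domains with a trusted public resolver’s answers. Assumptions: the router is the LAN gateway at `192.168.0.1` and `1.1.1.1` is used as the trusted resolver; both can be overridden on the command line. `build_a_response` exists only to construct sample responses for offline use.

```python
import random
import socket
import struct
import sys

# Domains the article lists as intercepted by the AitM nodes.
OUTLOOK_DOMAINS = [
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
]


def _encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name: str, txid: int) -> bytes:
    """Minimal RFC 1035 A-record query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_a_response(name: str, txid: int, ips) -> bytes:
    """Constructs a response to the query above; used only to build offline sample data."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips
    )
    return header + question + answers


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes, txid: int) -> set:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query_a(resolver_ip: str, name: str, timeout: float = 3.0) -> set:
    """Ask one specific resolver, rather than the OS stub resolver, for a name's A records."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def find_divergent(router_answers: dict, trusted_answers: dict) -> list:
    """Domains where the router's answers share no address with the trusted resolver's.

    CDN and geo-based answers can legitimately differ, so a hit is a lead to confirm
    (check the router's configured resolver IP and the TLS certificate you are served),
    not proof of tampering on its own.
    """
    return sorted(
        d for d in router_answers
        if router_answers[d] and trusted_answers.get(d)
        and router_answers[d].isdisjoint(trusted_answers[d])
    )


if __name__ == "__main__":
    # Assumptions: router at 192.168.0.1, trusted resolver 1.1.1.1; override via argv.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    trusted = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"
    router_seen = {d: query_a(router, d) for d in OUTLOOK_DOMAINS}
    trusted_seen = {d: query_a(trusted, d) for d in OUTLOOK_DOMAINS}
    for d in OUTLOOK_DOMAINS:
        print(f"{d}: router={sorted(router_seen[d])} trusted={sorted(trusted_seen[d])}")
    print("divergent:", find_divergent(router_seen, trusted_seen) or "none")
```

A divergent answer whose address also falls in the resolver ranges listed in the infrastructure section above would be a strong signal; a divergent answer inside Microsoft’s own address space is more likely CDN steering. Either way, the decisive check remains the one the article makes: a browser that refuses the AitM node’s invalid certificate is not intercepted, so the TLS warning itself is the last line of defense.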
Related Articles
APT28 was running multiple concurrent attacks during the same period beyond this router campaign.
- APT28 Exploited MSHTML Zero-Day CVE-2026-21513, Unpatched Until February: A Windows MSHTML zero-day exploited since January 2026. Uses LNK files to bypass Mark-of-the-Web and execute code outside the sandbox. A completely different attack vector from the router compromise, but another weapon APT28 was using concurrently.
- 4 Critical Vulnerabilities Added to CISA KEV: Among vulnerabilities added to the KEV catalog in February 2026, the Roundcube 10-year dormant RCE was one APT28 had previously targeted in campaigns against European government agencies. CVE-2023-50224 and CVE-2025-9377, used in this TP-Link router compromise, were also added to KEV in September 2025.