Originally published at https://monstadomains.com/blog/router-dns-hijacking/
If you run a website, operate a domain, or use the internet at home or at work, router DNS hijacking is not a future risk. It is happening right now, at global scale. In early April 2026, Microsoft, the FBI, the UK’s National Cyber Security Centre, and the U.S. Department of Justice all published coordinated warnings about an active router DNS hijacking campaign conducted by APT28 – Russia’s military intelligence directorate. At its peak, the operation had infected 18,000 devices across 120 countries. Governments, law enforcement, IT providers, and private businesses were all targeted. This is state-sponsored surveillance routed through your own network hardware, running undetected since at least August 2025.
What the APT28 Campaign Reveals About Router DNS Hijacking
The campaign is attributed to APT28 – a threat group linked to the Russian GRU and tracked by Microsoft as Forest Blizzard, with a sub-group designated Storm-2754. According to Microsoft’s April 7 security advisory, the attackers gained remote administrative access to small office/home office (SOHO) routers and reconfigured them to use DNS resolvers under attacker control. Every DNS lookup made through that router – for email, login pages, corporate portals – then passed through infrastructure owned by Russian military intelligence. The router DNS hijacking happened silently, with no error messages, no browser warnings, and no performance change to signal that anything was wrong.
The IC3 advisory published simultaneously by the FBI confirmed that the goal was not passive interception alone. APT28 used the compromised DNS resolvers to launch adversary-in-the-middle (AiTM) operations against Microsoft Outlook on the web domains, redirecting login attempts to attacker-controlled credential-capture pages. The UK NCSC corroborated these findings, noting that the group had been exploiting this access to enable large-scale traffic interception across multiple countries. This is patient, systematic intelligence collection using home and office routers as the collection point – and for months, it went undetected.
How the Attack Chain Compromises Your DNS
From SOHO Router to DNS Server Control
The mechanics behind this router DNS hijacking variant are straightforward, which is precisely what makes it effective at scale. Attackers identify SOHO routers running outdated firmware – consumer-grade hardware from manufacturers including D-Link and TP-Link has been frequently targeted in similar operations. They exploit known, unpatched vulnerabilities to gain remote administrative access, then modify the router’s DNS server configuration to point toward attacker-controlled resolvers. From that point forward, every device on that network uses compromised DNS. Laptops, phones, and smart devices continue operating normally while every domain name query passes through foreign intelligence infrastructure.
Adversary-in-the-Middle: Capturing Credentials at Scale
Once DNS resolution is under attacker control, the second phase begins. Microsoft documented adversary-in-the-middle attacks against Microsoft 365 login pages, where users attempting to authenticate were redirected to credential-capture servers. The DNS lookup for the legitimate Microsoft login page returned a malicious IP address. If the attacker had obtained a valid TLS certificate for the spoofed domain – a realistic step given the state-level resources involved – users would see no certificate error. The result is large-scale credential theft with no visible sign of compromise. Scale that across 18,000 infected routers in 120 countries and the intelligence value becomes significant.
CoW Swap and the Router DNS Hijacking Pattern
On April 14, 2026, decentralised exchange CoW Swap warned users to stay away from its platform after attackers hijacked the platform’s DNS records and redirected visitors away from the legitimate site. This was not router DNS hijacking at the user level – it was an attack on the DNS zone that controls where the CoW Swap domain resolves. But the outcome for users was identical: connecting to a familiar URL and arriving at attacker-controlled infrastructure, with no obvious warning. CoW Swap paused its platform while the team worked to restore legitimate DNS resolution.
The CoW Swap breach illustrates something often lost in technical coverage: router DNS hijacking and domain-level DNS hijacking are two sides of the same threat. In the APT28 campaign, the attacker controls the resolver – the intermediary that translates domain names into IP addresses. In the CoW Swap breach, the attacker controlled the DNS records of the domain itself. Either way, users end up somewhere they did not intend to go. Domain owners who focus only on router security while ignoring their registrar’s security posture are solving half of the problem.
How the FBI and DOJ Dismantled the GRU Router Network
On April 7, the U.S. Department of Justice and the FBI announced they had disrupted the GRU’s network of compromised routers used to facilitate router DNS hijacking operations globally. The operation involved coordinating with internet service providers and, in some cases, executing court-authorised remote access to infected devices to remove attacker configurations. This mirrors the FBI’s approach to the Volt Typhoon router botnet disruption in early 2025, and signals that law enforcement has developed an operational playbook for this category of infrastructure-level intervention. The disruption is a setback for APT28, not a permanent resolution of the underlying vulnerabilities.
According to IDC research cited alongside the FBI’s disclosure, DNS attack costs surged 49% year-over-year, with the average incident in the U.S. now costing $1.27 million when factoring in investigation, remediation, downtime, and reputational damage. The Hacker News reported additional technical detail on the campaign’s infrastructure and target selection. For individual website owners and small businesses, a router DNS hijacking attack that redirects users to a malicious version of their site carries costs that do not appear neatly in aggregate figures – lost customer trust, regulatory scrutiny, and potential liability among them.
Why Domain Owners Are Exposed to Router DNS Hijacking
Most coverage of the APT28 campaign focuses on individual users whose routers were compromised. But domain owners and website operators face a distinct and equally serious risk from router DNS hijacking that receives far less attention. Your domain’s DNS records determine where your website, email, and subdomains resolve globally. If an attacker gains control of those records – through your registrar account or by compromising your DNS provider – they can redirect all traffic associated with your domain without touching a single router. The router DNS hijacking campaign and the CoW Swap breach belong to the same threat category, separated only by which layer of the chain the attacker controls.
This risk compounds when registrar account security is weak. APT28’s credential-capture operations produced a large pool of potentially valid logins across many services. If any of those credentials unlock a domain registrar account, the attacker can modify DNS records directly – achieving the same outcome as a router-level compromise with no hardware access required. Understanding how domain hijacking protection works at the registrar level is not optional for anyone operating a domain in 2026. Your registrar’s account security matters as much as your router’s firmware version.
What Domain Owners Should Do After This Router DNS Hijacking Wave
The UK NCSC, Microsoft, and the FBI all published specific guidance in their April 7 advisories, tied directly to the APT28 attack vector. Start by updating your SOHO router firmware – the attack chain in every advisory begins with an unpatched vulnerability. Change your router’s admin credentials from the factory defaults that APT28 exploited for initial access. Then verify your router’s current DNS server settings and confirm they point to resolvers you recognise and trust. An unfamiliar IP address configured as your primary DNS server should be treated as a confirmed compromise – reset the device to factory defaults and reconfigure from a clean state.
For domain owners, the CoW Swap incident offers the clearest lesson. Removing your personal data from the public record directly counters the social engineering component of credential-theft campaigns. WHOIS privacy protection removes your contact details from the public WHOIS database, cutting off a primary data source attackers use to build phishing profiles and bypass account recovery processes. Pair that with registry locks where your registrar supports them, and enable multi-factor authentication on every account that has access to your DNS settings.
Monitoring your DNS records for unexpected changes is a practical habit that would have caught both the APT28 router DNS hijacking vector and the CoW Swap domain-level attack at an earlier stage. Use a DNS lookup tool to verify your domain’s current resolution regularly and compare it against what you configured. A record change you did not authorise is an active compromise to investigate – not a configuration error to dismiss.
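The two checks recommended above, verifying that the router's configured resolvers are ones you chose and comparing your domain's live records against what you configured, as an added Python example that is not part of the original post. The resolver allowlist, the baseline records for example.com and the observed answers are all constructed, and the real DNS query is replaced by an injected lookup function so the script runs offline; in practice you would read the resolver list from the router's admin page and query with a library such as dnspython.

```python
import ipaddress

# Resolvers you deliberately chose for the router (constructed allowlist).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Records as configured at the registrar (constructed baseline for example.com).
BASELINE = {
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
}

def check_router_resolvers(configured):
    """Return router DNS entries that are not on the allowlist (or not valid IPs)."""
    unexpected = []
    for addr in configured:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            unexpected.append(addr)  # a DNS field should never hold a non-address
            continue
        if addr not in TRUSTED_RESOLVERS:
            unexpected.append(addr)
    return unexpected

def check_zone_drift(lookup, baseline=BASELINE):
    """Map (name, rtype) -> (missing, added) for baseline records whose live
    answers, fetched via lookup(name, rtype), differ from what was configured."""
    drift = {}
    for key, expected in baseline.items():
        observed = set(lookup(*key))
        missing, added = expected - observed, observed - expected
        if missing or added:
            drift[key] = (missing, added)
    return drift

# Constructed observations: the router lists an unknown secondary resolver
# and the A record now answers with an address that was never configured.
ROUTER_DNS = ["1.1.1.1", "198.51.100.77"]
OBSERVED = {
    ("example.com", "A"): {"198.51.100.200"},
    ("example.com", "MX"): {"10 mail.example.com."},
}
# Stand-in for a real resolver query (e.g. dnspython) so this runs offline.
fake_lookup = lambda name, rtype: OBSERVED.get((name, rtype), set())

if __name__ == "__main__":
    print("unexpected resolvers:", check_router_resolvers(ROUTER_DNS))
    print("drifted records:", check_zone_drift(fake_lookup))
```

Any non-empty result from either function is the "active compromise to investigate" the text describes, not something to reconcile by updating the baseline.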
The Takeaway
The April 2026 router DNS hijacking campaign attributed to APT28 matters for two reasons. First, it confirms that state-sponsored actors are actively exploiting home and office network hardware to intercept traffic at scale – 18,000 devices across 120 countries is a dragnet, not a targeted operation. Second, the simultaneous CoW Swap breach demonstrates that router DNS hijacking and DNS zone-level attacks belong to the same threat landscape. Wherever you sit in that chain – as a user, a domain owner, or both – your DNS infrastructure is a high-value target that requires active and ongoing defence.
The FBI disruption is a temporary setback for APT28, not a resolution of the underlying vulnerabilities that made the campaign possible. Unpatched SOHO routers will continue to be exploited by state and criminal actors alike. For domain owners looking to reduce their attack surface, MonstaDomains provides private domain registration with zero KYC requirements and built-in WHOIS protection – eliminating the personal data that makes the social engineering component of campaigns like APT28’s viable in the first place.