A significant espionage network orchestrated by Russian state-sponsored hackers, known as APT28 or Fancy Bear, has been dismantled by U.S. authorities. The group had compromised over 18,000 routers in more than 120 countries, exploiting known vulnerabilities to gain unauthorized access to sensitive networks. This operation, dubbed Forest Blizzard, was attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165.
The attackers hijacked domain name system (DNS) settings and stole credentials through adversary-in-the-middle attacks, using domains that mimicked legitimate services such as Microsoft Outlook Web Access. This allowed them to intercept passwords and tokens for Microsoft accounts and other cloud-hosted services. The campaign primarily targeted network edge devices, including TP-Link and MikroTik routers, before focusing on sensitive targets of intelligence interest to the Russian government.
The FBI, alongside federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs, and Microsoft Threat Intelligence, led a collaborative takedown operation named Operation Masquerade. This involved issuing commands to reset DNS settings on compromised routers, effectively preventing further exploitation. The operation was conducted under court authorization, and it successfully hardened routers across the United States.
The impact of this campaign was widespread, affecting over 200 organizations and at least 5,000 consumer devices. Victims included government agencies and organizations within the IT, telecom, and energy sectors, as well as entities in Afghanistan, North Africa, Central America, and Southeast Asia. Although no U.S. government agencies were compromised, the activity posed a significant national security threat.
To mitigate future risks, organizations are advised to update their network devices regularly and ensure robust security measures are in place. Monitoring for indicators of compromise, as detailed by the U.K.’s National Cyber Security Centre, is also recommended to prevent similar attacks. The FBI and other agencies continue to investigate the full scope of the campaign to ensure the security of sensitive information.
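Two of the behaviours described above, edge routers whose DNS settings now point at unexpected resolvers and DNS queries for hostnames that imitate Outlook Web Access, can be checked with the following Python. It is added here as an illustration and is not code from the article or from any organisation it names; the router names, resolver addresses and query log are constructed, and the two Microsoft hostnames stand in for whichever legitimate service names an organisation wants to protect.

```python
from difflib import SequenceMatcher

# Constructed: the resolvers a (hypothetical) organisation expects its routers to use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed: DNS servers each router currently reports (e.g. from a config backup).
ROUTER_DNS = {
    "edge-r1": ["10.0.0.53", "10.0.1.53"],
    "edge-r2": ["10.0.0.53", "198.51.100.7"],  # one resolver swapped (RFC 5737 test address)
    "edge-r3": ["203.0.113.9"],                # all resolvers replaced
}

# Legitimate service hostnames whose names should not be imitated (representative only).
LEGIT_HOSTS = ["outlook.office365.com", "login.microsoftonline.com"]

# Constructed DNS query log, one "<time> <client> <queried name>" record per line.
QUERY_LOG = """\
2024-05-01T08:00:01Z 10.0.5.21 outlook.office365.com
2024-05-01T08:00:02Z 10.0.5.21 autodiscover.outlook.office365.com
2024-05-01T08:01:17Z 10.0.5.44 outlook.offlce365.com
2024-05-01T08:02:03Z 10.0.5.44 login.microsoftonline.com.account-check.test
2024-05-01T08:02:40Z 10.0.5.10 example.org
"""


def rogue_resolvers(router_dns, expected=EXPECTED_RESOLVERS):
    """Map each router to the resolvers it uses that are not in the expected set."""
    return {router: [d for d in dns if d not in expected]
            for router, dns in router_dns.items() if set(dns) - expected}


def is_lookalike(host, legit=LEGIT_HOSTS, threshold=0.85):
    """True if host imitates a legitimate name: embeds it as a label/prefix, or is a near-miss."""
    host = host.lower().rstrip(".")
    if host in legit or any(host.endswith("." + g) for g in legit):
        return False  # the real service itself or a genuine subdomain of it
    return any(g in host or SequenceMatcher(None, host, g).ratio() >= threshold
               for g in legit)


def flag_queries(log_text):
    """Return (client, qname) pairs from the query log whose qname is a lookalike."""
    flagged = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if is_lookalike(qname):
            flagged.append((client, qname))
    return flagged
```

The similarity threshold catches single-character substitutions such as `offlce` for `office`; the substring rule catches the legitimate name used as a prefix of a longer attacker-controlled domain.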
Source: https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/