Threat Intelligence Report: Russia, Router, DNS, and Messaging-Layer Collection Operations

Published on: June 16, 2026

Executive Summary

Russian intelligence-linked cyber operations continue to emphasize communications-layer collection over disruptive or destructive activity. Recent reporting from U.S. agencies, allied partners, and private researchers highlights two lines of effort. One is the compromise of vulnerable SOHO routers for DNS hijacking and adversary-in-the-middle collection. The other is phishing against secure and commercial messaging platforms. Together, these operations support long-term intelligence collection against government, defense, critical infrastructure, diplomatic, media, NGO, and Ukraine-related targets.

The goal is access. Quiet and lasting. By taking routers and bending DNS, Russian operators can watch traffic, steer chosen victims, and steal credentials without putting malware on the machine. Their work against Signal, WhatsApp, Telegram, and Microsoft 365 gives them the other half: messages, contacts, trusted names, and private conversations. Together, it lets them collect, map people, and stay close to the networks that matter.

Key Assessments

Russia is increasingly treating edge infrastructure and messaging platforms as persistent intelligence-collection terrain. Router compromise provides GRU-linked operators with a passive upstream vantage point over victim traffic, while messaging-account compromise provides visibility into human networks, operational discussions, authentication workflows, and trusted social relationships. Together, these operations support long-duration intelligence collection, access persistence, credential interception, social-graph mapping, and pre-positioning for future contingency operations.

The most significant router activity is attributed to the Russian GRU's Unit 26165, tracked as APT28/Fancy Bear. U.S. and allied agencies report ongoing exploitation of vulnerable routers and edge devices to manipulate DNS and DHCP settings, enabling adversary-in-the-middle collection and credential interception without requiring endpoint malware. The objective is persistent intelligence collection and access rather than immediate disruption.

Evolution of GRU Tradecraft: From Intrusion and Disruption to Communications-Layer Collection

Russian messaging targeting now reaches beyond Signal. It includes WhatsApp, Telegram, and Microsoft 365 OAuth flows. The goal is not just the account. It is the conversation, the contact list, the trusted name, and the path into the next victim.

GRU tradecraft has changed, but the aim has not. The old operations broke in, stole, leaked, and sometimes destroyed. The new operation is quieter. It compromises routers, bends DNS, abuses QR codes, linked devices, cloud logins, and OAuth prompts. It sits close to the traffic and the trust. It maps who talks to whom and keeps access to the communications layer itself.

Victimology

The victim set falls into two groups. The first set is broad; router and DNS campaigns reach across home routers, small offices, and edge devices in many regions. However, Russian actors do not exploit every victim the same way. They look for value in targets with the highest likelihood of a significant intelligence yield such as military, government, critical infrastructure, foreign ministry, law enforcement, telecom, and email providers.

The second group is more personal. The messaging campaigns go after people whose conversations matter for Russian intelligence collection, including Ukrainian military personnel, government officials, politicians, journalists and researchers, activists, NGO staff, and human-rights workers. Communications platforms like Signal, WhatsApp, Telegram, and Microsoft 365 then function as doors into contact lists, private conversations, trusted names, and the next victim.

Russian-linked targeting in 2026 focused on people and institutions with intelligence value. FBI/CISA reporting identified current and former government officials, military personnel, political figures, and journalists as high-value targets, while Volexity documented related activity against Ukraine-linked and human-rights organizations through Signal, WhatsApp, and Microsoft 365 OAuth compromise. Google reporting on defense-sector threats and Reuters coverage of Signal phishing against politicians, diplomats, military officers, and journalists reinforce the same pattern. The target set was strategic, not random.

Secondary exposure came through the tools those targets used every day. Microsoft reported Russian-linked compromise of home and small-office routers, DNS hijacking, and Outlook on the web targeting, while Lumen described broad router exploitation across more than 18,000 IPs in at least 120 countries. That scale gave operators a wide collection base. From there, they could sort victims by intelligence value and pursue the accounts, organizations, and communications channels that mattered most.

Router and DNS Hijacking Operations

In April 2026, the IC3 warned that Russian GRU actors were exploiting routers worldwide to steal military, government, and critical infrastructure data. The activity was tied to Unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. The actors changed DNS and DHCP settings, pushed victims through Russian-controlled resolvers, and used the access for quiet collection.

DOJ said the network relied on compromised SOHO routers, including thousands of TP-Link devices. The actors stole credentials, filtered DNS requests, and used false DNS records to stage adversary-in-the-middle attacks against services such as Outlook Web Access.

Microsoft assessed the campaign had run since at least August 2025, affecting more than 200 organizations and 5,000 consumer devices. The goal was not noise. It was persistent visibility.

Technical Tradecraft

The attack chain is simple and effective. The actors compromise routers, change DNS and DHCP settings, and push connected devices to use Russian-controlled resolvers. Most traffic can be watched quietly. Selected targets can be redirected.

The sharper risk is TLS interception. Forest Blizzard spoofed DNS responses for targeted domains, including Microsoft webmail. It then served bad certificates. If users clicked through the warning, the actor could read email and cloud traffic in plaintext.

The value is in the gap. Home routers, small-office routers, and remote-worker paths often sit outside enterprise EDR. The cloud account may be secure. The network edge may not be.

Messaging Application Targeting

Russian services are also targeting messaging accounts. FBI and CISA warned in March 2026 that Russian-linked actors had compromised thousands of commercial messaging accounts. Once inside, they could read messages, steal contacts, impersonate victims, and phish from trusted identities.

Google reported the same pressure against Signal. Actors abused the linked-device feature with malicious QR codes dressed as group invites, security alerts, pairing prompts, or Ukraine-themed apps. Once linked, the attacker could read future Signal messages in real time.

Microsoft saw Star Blizzard move into WhatsApp lures. Volexity saw suspected Russian actors use Signal and WhatsApp to push Microsoft 365 OAuth phishing. The pattern is clear. Russia is not only chasing accounts. It is chasing conversations, contacts, and trust.

Threat Level Assessment

The threat is highest for government, defense, critical infrastructure, telecom, energy, Ukraine-support organizations, journalists, NGOs, policy researchers, and other targets of likely intelligence value. These sectors align with Russian collection priorities and are most likely to face targeted exploitation after initial access.

Risk is also elevated for enterprises with remote or hybrid staff accessing Microsoft 365, webmail, VPN portals, cloud platforms, or sensitive collaboration tools from unmanaged home networks. For the broader private sector, the threat is moderate: router compromise may be broad, but follow-on exploitation appears selective and focused on victims with intelligence value.

Defensive Recommendations

Organizations should treat SOHO routers and remote-worker network paths as part of the attack surface. Replace end-of-life routers, patch firmware, disable remote administration, rotate router admin credentials, verify DNS settings, and monitor for unexpected resolvers. Remote-access policies should assume that home networks may be hostile.
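The tradecraft section above describes the chain (router compromise, altered DHCP/DNS settings, resolvers under actor control, selective redirection of webmail hosts), and the recommendation above asks defenders to verify DNS settings and watch for unexpected resolvers. The script below is an added example for this report, not tooling from any agency or vendor cited in it. It implements two checks a remote-worker baseline job could run on a Linux host: the DHCP-assigned resolvers in a resolv.conf-style file are compared against a hypothetical allowlist, and the A-record answers from the router-assigned resolver are compared with answers from an out-of-band trusted resolver. All inputs (the resolv.conf text, the allowlist, both answer sets and every IP in them) are constructed; in production the answer sets would come from two real lookups.

```python
"""Check DHCP-assigned DNS resolvers and compare DNS answers against a trusted resolver.

Added example for this report, not tooling from any cited agency or vendor.
All inputs below are constructed: a resolv.conf-style text as a router's DHCP
offer would leave it on a Linux host, and two answer sets for sensitive domains
(one from the router-assigned resolver, one from an out-of-band trusted resolver).
"""
import ipaddress
import re

# Hypothetical allowlist: resolvers the organisation expects DHCP to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# RFC 1918 ranges: a public webmail or login domain should never resolve here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolv.conf: the second nameserver is not on the allowlist.
RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed A-record answers, domain -> set of IPs. The router-assigned resolver
# points the webmail host at the router itself, the on-path AiTM pattern.
LOCAL_ANSWERS = {
    "outlook.office365.com": {"192.168.1.1"},
    "login.microsoftonline.com": {"198.51.100.20"},
    "example.com": {"198.51.100.30"},
}
TRUSTED_ANSWERS = {
    "outlook.office365.com": {"198.51.100.10"},
    "login.microsoftonline.com": {"198.51.100.20", "198.51.100.21"},
    "example.com": {"198.51.100.30"},
}


def parse_resolv_conf(text):
    """Return resolver IPs from 'nameserver' lines, skipping malformed entries."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            pass  # not an IP literal; ignore rather than crash the baseline job
    return servers


def unexpected_resolvers(servers, allowlist=EXPECTED_RESOLVERS):
    """Resolvers outside the allowlist: the first sign of DHCP/DNS tampering."""
    return [s for s in servers if s not in allowlist]


def divergent_answers(local, trusted):
    """Flag domains whose local answer is private-range or shares no IP with the trusted answer.

    CDN-backed services legitimately rotate addresses, so a disjoint answer set
    is a lead to verify (certificate check, second resolver), not proof on its own.
    A private-range answer for a public service is a much stronger signal.
    """
    findings = {}
    for domain, l_ips in local.items():
        t_ips = trusted.get(domain, set())
        reasons = []
        if any(any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS) for ip in l_ips):
            reasons.append("private_range_answer")
        if not t_ips or set(l_ips).isdisjoint(t_ips):
            reasons.append("disjoint_from_trusted")
        if reasons:
            findings[domain] = {"local": sorted(l_ips), "trusted": sorted(t_ips), "reasons": reasons}
    return findings


def assess(resolv_text, local, trusted):
    """Combine both checks into one report for a host."""
    servers = parse_resolv_conf(resolv_text)
    return {
        "resolvers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "divergent": divergent_answers(local, trusted),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(RESOLV_CONF, LOCAL_ANSWERS, TRUSTED_ANSWERS), indent=2))
```

On the constructed input the report lists 203.0.113.53 as an unexpected resolver and flags outlook.office365.com for both reasons. The private-range test is the one worth alerting on unconditionally; the disjoint-answer test needs a second lookup or a certificate check before it is treated as confirmed redirection, which is also why the browser certificate warning described in the tradecraft section remains the user's last line of defense.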

For messaging applications, linked-device hygiene is the priority. Users should regularly review linked devices in Signal, WhatsApp, and Telegram; remove unknown sessions; enable registration locks or PINs where available; and treat QR codes, group invites, “security alerts,” and video-call setup links as high-risk when received from sensitive contacts.

For enterprise identity, organizations should harden Microsoft 365 against OAuth and device-code phishing. Enforce phishing-resistant MFA, restrict risky OAuth consent flows, monitor anomalous device joins, review impossible-travel alerts and token abuse, and train high-risk personnel not to return authentication codes to anyone.
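Two of the monitoring items above, device-code phishing and impossible travel, can be checked directly against sign-in events. The script below is an added example written for this report, not Microsoft's own detection logic. It assumes one JSON object per line in the shape of an Entra ID sign-in log export, using the fields userPrincipalName, createdDateTime, ipAddress, authenticationProtocol (where the value "deviceCode" marks a device-code flow) and location.geoCoordinates; the sample events, user names, IPs, timestamps and speed thresholds are all constructed.

```python
"""Flag device-code sign-ins and impossible travel in Microsoft 365 sign-in events.

Added example for this report; not Microsoft's detection logic. Assumed input:
one JSON object per line in the shape of Entra ID sign-in log exports, using the
fields userPrincipalName, createdDateTime, ipAddress, authenticationProtocol and
location.geoCoordinates. Every event below is constructed.
"""
import json
import math
from datetime import datetime

# Heuristic thresholds (assumptions; tune to the environment).
MAX_PLAUSIBLE_KMH = 1000.0   # faster than a commercial flight
MIN_DISTANCE_KM = 500.0      # ignore geo-IP jitter between nearby cities

SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.org","createdDateTime":"2026-03-02T08:00:00Z","ipAddress":"198.51.100.10","authenticationProtocol":"authorizationCodeFlow","location":{"city":"Washington","countryOrRegion":"US","geoCoordinates":{"latitude":38.9072,"longitude":-77.0369}}}
{"userPrincipalName":"alice@example.org","createdDateTime":"2026-03-02T08:45:00Z","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","location":{"city":"Paris","countryOrRegion":"FR","geoCoordinates":{"latitude":48.8566,"longitude":2.3522}}}
{"userPrincipalName":"bob@example.org","createdDateTime":"2026-03-02T09:00:00Z","ipAddress":"198.51.100.11","authenticationProtocol":"authorizationCodeFlow","location":{"city":"Washington","countryOrRegion":"US","geoCoordinates":{"latitude":38.9072,"longitude":-77.0369}}}
{"userPrincipalName":"bob@example.org","createdDateTime":"2026-03-02T12:00:00Z","ipAddress":"198.51.100.12","authenticationProtocol":"authorizationCodeFlow","location":{"city":"New York","countryOrRegion":"US","geoCoordinates":{"latitude":40.7128,"longitude":-74.0060}}}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_events(text):
    """Parse JSON lines into flat records; events without coordinates keep coords=None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        geo = (raw.get("location") or {}).get("geoCoordinates") or {}
        coords = None
        if "latitude" in geo and "longitude" in geo:
            coords = (float(geo["latitude"]), float(geo["longitude"]))
        events.append({
            "user": raw["userPrincipalName"],
            # 'Z' suffix is accepted by fromisoformat only on Python 3.11+, so normalise it.
            "time": datetime.fromisoformat(raw["createdDateTime"].replace("Z", "+00:00")),
            "ip": raw.get("ipAddress"),
            "protocol": raw.get("authenticationProtocol"),
            "coords": coords,
        })
    return events


def analyze(events):
    """Return one finding per sign-in that used device code or implies impossible travel."""
    findings = []
    last = {}  # user -> previous sign-in, used for the travel comparison
    for e in sorted(events, key=lambda ev: (ev["user"], ev["time"])):
        reasons, km = [], None
        if e["protocol"] == "deviceCode":
            reasons.append("device_code_flow")
        prev = last.get(e["user"])
        if prev and e["coords"] and prev["coords"]:
            km = haversine_km(*prev["coords"], *e["coords"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600.0
            # Same-second events far apart are also impossible; avoid dividing by zero.
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("impossible_travel")
        if reasons:
            findings.append({
                "user": e["user"],
                "time": e["time"].isoformat(),
                "ip": e["ip"],
                "reasons": reasons,
                "km_from_previous": None if km is None else round(km, 1),
            })
        last[e["user"]] = e
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG)):
        print(f)
```

On the sample, only alice's second sign-in is reported, for both reasons: it used the device-code flow and sits roughly 6,200 km from a sign-in 45 minutes earlier. Bob's Washington-to-New York pair falls under the distance floor and is left alone. Both signals are leads for the token-abuse review the recommendation calls for, not verdicts; a travelling user on a VPN will trip the travel rule, and legitimate headless devices do use device code, so the triage step is to confirm whether the user initiated the flow.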

Conclusion

Russian intelligence-linked cyber operations are moving closer to the communications layer. The objective is not immediate disruption. It is quiet access, persistent visibility, and control over the paths people use to communicate, authenticate, and coordinate.

The router and DNS hijacking activity shows the value of edge infrastructure. Compromised SOHO routers gave Russian operators a place to watch traffic, redirect selected victims, and intercept credentials without touching the endpoint. Messaging-platform targeting gave them the human layer: contacts, conversations, trusted names, and social relationships.

Together, these operations formed a durable intelligence-collection model. Broad compromise created scale. Selective follow-on targeting created value. Government, defense, critical infrastructure, Ukraine-support networks, journalists, NGOs, researchers, and political figures remained the highest-risk targets, while remote and hybrid workers widened the exposure path.

Now that this activity has been exposed, Russian operators will likely pivot again. They may shift infrastructure, rotate DNS and proxy methods, alter messaging lures, move to new linked-device abuse workflows, or lean harder into cloud identity and trusted-platform compromise. The collection requirement will remain. The access path will change.

The defensive lesson is direct. Organizations can no longer treat home routers, personal messaging apps, OAuth workflows, or linked-device features as outside the enterprise threat model. For Russian operators, these are not secondary surfaces. They are collection terrain. Once detected, that terrain will be reshaped, not abandoned.

Appendix A: MITRE ATT&CK Mapping

Tactic | Technique | ID | Observed Use
Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of vulnerable SOHO and TP-Link routers
Initial Access | Phishing | T1566 | Messaging-app phishing and OAuth lure delivery
Initial Access | Spearphishing Link | T1566.002 | Delivery of malicious OAuth/device-code URLs
Initial Access | Valid Accounts | T1078 | Abuse of compromised messaging and cloud accounts
Execution | User Execution | T1204 | Victim interaction with QR codes and phishing links
Persistence | Account Manipulation | T1098 | Addition of linked devices to Signal accounts
Persistence | External Remote Services | T1133 | Continued access through compromised cloud identities
Persistence | Modify Authentication Process | T1556 | OAuth workflow abuse and session persistence
Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | Router administrative compromise and configuration manipulation
Defense Evasion | Proxy | T1090 | DNS and AiTM proxy routing
Defense Evasion | Impair Defenses | T1562 | Operating outside enterprise EDR visibility
Credential Access | Adversary-in-the-Middle | T1557 | TLS interception and DNS redirection
Credential Access | Steal or Forge Authentication Certificates | T1649 | Use of fraudulent/invalid TLS certificates
Credential Access | Input Capture | T1056 | Credential interception via redirected authentication flows
Credential Access | Credentials from Password Stores | T1555 | Interception of stored or synced credentials
Discovery | Network Service Discovery | T1046 | Reconnaissance through DNS visibility
Discovery | System Network Configuration Discovery | T1016 | Observation of network and resolver configurations
Discovery | Gather Victim Identity Information | T1589 | Collection of contact lists and identity relationships
Discovery | Gather Victim Network Information | T1590 | DNS and routing visibility collection
Collection | Email Collection | T1114 | Interception of Outlook Web Access traffic
Collection | Audio Capture | T1123 | Potential collection through compromised communication workflows
Collection | Data from Information Repositories | T1213 | Access to cloud-hosted communications
Collection | Screen Capture | T1113 | Potential follow-on account monitoring activities
Collection | Data from Cloud Storage | T1530 | Microsoft 365 and cloud-message access
Command and Control | Application Layer Protocol | T1071 | DNS- and HTTPS-based communications
Command and Control | Encrypted Channel | T1573 | Use of TLS/HTTPS transport
Command and Control | Dynamic Resolution | T1568 | Actor-controlled DNS infrastructure
Exfiltration | Exfiltration Over Web Service | T1567 | Cloud-account data access and exfiltration
Impact | Network Denial of Service | T1498 | Potential latent capability through router control
Impact | Hijack Execution Flow | T1574 | DNS response manipulation and traffic redirection
