HelpnetSecurity

Russian hackers hijack internet traffic using vulnerable routers


The Russian state cyber group APT28 has been compromising routers to hijack web traffic and spy on victims, the UK’s National Cyber Security Centre (NCSC) has warned.

Attackers are exploiting vulnerable routers to alter DHCP and DNS settings, redirecting traffic through servers they control.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165,” said NCSC.

Since 2024, APT28 has configured Virtual Private Servers (VPSs) to operate as malicious DNS infrastructure, receiving large volumes of requests from routers compromised through publicly known vulnerabilities. Investigators identified two clusters of this activity, each involving multiple servers.

“The DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. These settings were subsequently inherited by downstream devices, for example laptops and phones,” investigators wrote.

“Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the requested services,” they added.

This setup enabled adversary-in-the-middle activity, allowing attackers to intercept browser sessions and desktop applications and collect authentication data, including passwords and authentication tokens.

One of the router models exploited was the TP-Link WR841N, likely using CVE-2023-50224. The vulnerability allowed unauthenticated access to sensitive information through crafted requests, including credential data. After gaining access, attackers modified DHCP and DNS settings on the device to control how traffic was routed.

These changes typically replaced the primary DNS server with a malicious address while leaving the secondary server unchanged, though in some cases both entries were altered, suggesting repeated compromise.
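The selective behaviour described above (only key-term domains are rewritten, the primary DHCP-advertised DNS server is swapped while the secondary is usually left alone) suggests two cheap defender checks: compare the DNS servers a router hands out via DHCP against an allow-list, and compare the answers of every advertised resolver against each other and against a reference resolver, flagging any domain on which they disagree. The script below is an added example, not code from the NCSC advisory or from Help Net Security; the resolver addresses and DNS answers in it are constructed sample data from the RFC 5737 documentation ranges, and the `real_lookup` helper assumes the third-party `dnspython` package.

```python
"""
Defender-side check for selective DNS hijacking via DHCP-advertised resolvers.
Constructed sample data only; plug real_lookup in to query live resolvers.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

# (resolver_ip, domain) -> set of A-record addresses
Lookup = Callable[[str, str], Set[str]]

# Constructed sample answers modelled on the advisory's description: the
# hijacked primary resolver (198.51.100.7) rewrites only the mail domain and
# passes everything else through; the untouched secondary (192.0.2.53) and the
# reference resolver (192.0.2.1) return the legitimate addresses.
SAMPLE_ANSWERS: Dict[Tuple[str, str], Set[str]] = {
    ("198.51.100.7", "mail.example.com"): {"203.0.113.99"},  # rewritten (constructed)
    ("198.51.100.7", "www.example.com"): {"192.0.2.10"},     # resolved honestly
    ("192.0.2.53", "mail.example.com"): {"192.0.2.25"},
    ("192.0.2.53", "www.example.com"): {"192.0.2.10"},
    ("192.0.2.1", "mail.example.com"): {"192.0.2.25"},
    ("192.0.2.1", "www.example.com"): {"192.0.2.10"},
}


def sample_lookup(resolver: str, domain: str) -> Set[str]:
    """Offline stand-in for a DNS query, backed by the constructed table."""
    return set(SAMPLE_ANSWERS.get((resolver, domain), set()))


def real_lookup(resolver: str, domain: str) -> Set[str]:
    """Live version (assumption: dnspython is installed). Queries one resolver
    directly instead of whatever /etc/resolv.conf points at."""
    import dns.resolver  # imported lazily so the offline example runs without it

    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [resolver]
    try:
        return {rdata.address for rdata in res.resolve(domain, "A")}
    except dns.exception.DNSException:
        return set()


def unexpected_dns_servers(advertised: Iterable[str], expected: Iterable[str]) -> List[str]:
    """DNS servers offered by the router's DHCP that are not on the allow-list.
    A hijack of the kind described replaces the primary entry, so this catches
    the configuration change itself, before any lookup is made."""
    allowed = set(expected)
    return sorted(ip for ip in advertised if ip not in allowed)


def find_divergent(domains: Iterable[str], resolvers: Iterable[str],
                   lookup: Lookup) -> Dict[str, Dict[str, Set[str]]]:
    """Return {domain: {resolver: answers}} for every domain on which the
    resolvers disagree. Because the hijack rewrites only targeted names and
    resolves the rest honestly, a single divergent answer among otherwise
    consistent resolvers is the signal; non-targeted names stay clean."""
    resolvers = list(resolvers)
    divergent: Dict[str, Dict[str, Set[str]]] = {}
    for domain in domains:
        answers = {r: lookup(r, domain) for r in resolvers}
        if len({frozenset(a) for a in answers.values()}) > 1:
            divergent[domain] = answers
    return divergent


if __name__ == "__main__":
    # Constructed scenario: the router advertises a primary it should not.
    advertised = ["198.51.100.7", "192.0.2.53"]
    allow_list = ["192.0.2.53", "192.0.2.1"]
    for ip in unexpected_dns_servers(advertised, allow_list):
        print(f"DHCP advertises DNS server not on allow-list: {ip}")

    # Login/mail hostnames are the ones worth watching, per the advisory.
    watch = ["mail.example.com", "www.example.com"]
    for domain, answers in find_divergent(watch, advertised + ["192.0.2.1"], sample_lookup).items():
        print(f"resolvers disagree on {domain}:")
        for resolver, ips in answers.items():
            print(f"  {resolver} -> {sorted(ips) or ['no answer']}")
```

The comparison is deliberately run against the secondary resolver as well as an external reference: the advisory notes that the secondary entry was usually left intact, so on an affected router the primary will contradict the secondary for exactly the targeted names and agree with it on everything else, which is a pattern ordinary CDN round-robin does not produce across the same small set of hostnames.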

A second cluster involved infrastructure receiving DNS requests from compromised devices, including MikroTik and TP-Link routers, and forwarding those requests to additional attacker-controlled systems. Some of this activity included operations against a small number of routers located in Ukraine.

Officials note the activity is likely opportunistic, with attackers casting a wide net before narrowing their focus to selected targets.

The NCSC issued a technical advisory on the tactics, techniques and procedures associated with APT28’s exploitation of routers to enable DNS hijacking operations.

“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice,” said Paul Chichester, NCSC Director of Operations.
