IndustrialCyber

UK NCSC says APT28 exploits routers for DNS hijacking, enabling large-scale traffic interception


Russian state-linked threat actor APT28 is exploiting vulnerable routers to manipulate Domain Name System (DNS) settings, enabling large-scale traffic redirection through attacker-controlled infrastructure, the U.K.’s National Cyber Security Centre warned. The activity supports adversary-in-the-middle (AitM) operations that allow attackers to intercept and potentially alter web and email traffic, exposing credentials such as passwords and authentication tokens and increasing the risk of broader network compromise.

The NCSC said the campaign begins opportunistically, scanning for exposed devices before refining its focus toward targets of intelligence value as the intrusion develops. By altering router configurations, including DNS and DHCP settings, APT28 can maintain persistent access to network traffic flows, creating a scalable mechanism for espionage, credential harvesting, and follow-on cyber operations.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165,” the agency said in its Tuesday advisory. “APT28 (also known as Forest Blizzard, Fancy Bear, STRONTIUM, the Sednit Gang and Sofacy) is a highly skilled threat actor.”

The NCSC has previously attributed several high-profile operations to APT28, including cyber attacks against the German parliament in 2015 that involved data theft and the disruption of email accounts belonging to Members of Parliament and the Vice Chancellor. The agency also linked the group to an attempted attack against the Organisation for the Prohibition of Chemical Weapons in April 2018, aimed at disrupting independent analysis of the chemical agent weaponised by Russia’s military intelligence service in the U.K.

The agency said that since 2024 and into 2026, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers. These VPSs typically receive high volumes of DNS requests originating from routers that have been exploited by the actor, likely using public vulnerabilities.

Investigations into APT28 activity identified two banner pattern clusters containing multiple VPSs each. In the first cluster, the DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. These settings were subsequently inherited by downstream devices, for example, laptops and phones.

Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the requested services.

The actor would then attempt to conduct adversary-in-the-middle (AitM) attacks against follow-on connections with the likely aim of harvesting user account credentials. 

NCSC detailed that one of the router models exploited by APT28 for its DNS hijacking operations was the TP-Link WR841N, likely via CVE-2023-50224, which allows an unauthenticated attacker to obtain information such as password credentials through specially crafted HTTP GET requests. Having obtained a router’s credentials, the actor was then able to send a second specially crafted HTTP GET request to alter that router’s DHCP DNS settings.

The GET request would typically set the router’s primary DNS server to a malicious IP address, whilst also setting the secondary DNS server to the original primary DNS server’s IP address. On occasion, both the primary and secondary DNS server had been set to malicious IP addresses, indicating that a router had likely been exploited multiple times. Other TP-Link router models were also targeted by APT28 to enable their DNS hijacking operations. 
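The two behaviours described above, the selective resolver that only lies about names matching the targeting criteria and the DHCP setting pattern where the malicious address becomes primary and the original resolver is demoted to secondary, suggest two cheap defender-side checks: audit the DNS servers a router hands out, and compare answers from the DHCP-supplied resolver against a trusted one. The following is an added example, not code from the NCSC advisory or the article. The domain names, key terms and resolver addresses are constructed (RFC 5737 documentation ranges), not real APT28 infrastructure.

```python
"""Added example (not from the NCSC advisory or the article): a model of the
selective DNS hijack described above plus two defender-side checks.
All addresses, domain names and key terms are constructed; the IPs come from
the RFC 5737 documentation ranges, not from real APT28 infrastructure."""
from typing import Optional

# --- Constructed "ground truth": what a trusted resolver would answer ---
LEGITIMATE = {
    "mail.example.com": "203.0.113.10",
    "login.example.org": "203.0.113.20",
    "cdn.example.net": "203.0.113.30",
    "news.example.net": "203.0.113.40",
}

# Assumed targeting criteria: key terms associated with email and login pages.
TARGET_TERMS = ("mail", "login", "webmail", "owa")
ACTOR_AITM_IP = "198.51.100.7"   # constructed actor-owned AitM host


def selective_resolve(qname: str) -> Optional[str]:
    """Model of the actor's malicious DNS server: names matching the targeting
    criteria resolve to the actor's AitM host; everything else gets the real
    answer, so most traffic keeps working and the hijack is hard to notice."""
    name = qname.lower().rstrip(".")
    if any(term in name for term in TARGET_TERMS):
        return ACTOR_AITM_IP
    return LEGITIMATE.get(name)      # None models NXDOMAIN


# --- Check 1: audit the DNS servers a router hands out via DHCP ---
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}   # constructed: resolvers you expect


def audit_dhcp_dns(primary: str, secondary: Optional[str],
                   approved=APPROVED_RESOLVERS) -> list[str]:
    """Flag DHCP DNS settings outside the approved resolver set and name the
    two patterns the advisory describes (demoted original, both replaced)."""
    findings = []
    p_ok = primary in approved
    s_ok = secondary is None or secondary in approved
    if not p_ok:
        findings.append(f"primary {primary} is not an approved resolver")
    if not s_ok:
        findings.append(f"secondary {secondary} is not an approved resolver")
    if not p_ok and secondary in approved:
        findings.append("original primary demoted to secondary: matches the hijack pattern")
    if not p_ok and secondary and not s_ok:
        findings.append("both resolvers replaced: possible repeat exploitation")
    return findings


# --- Check 2: compare the DHCP-supplied resolver's answers with a trusted one ---
def divergent_names(configured: dict, trusted: dict) -> list[str]:
    """Names whose configured-resolver answer differs from the trusted answer.
    A selective hijack shows up only on targeted names, so compare the whole set
    rather than spot-checking one popular domain."""
    return sorted(n for n in trusted if configured.get(n) != trusted[n])


def run_checks() -> dict:
    """Drive both checks over constructed data and return the results."""
    # Router after exploitation: primary swapped, original primary kept as secondary.
    dhcp_findings = audit_dhcp_dns(primary="198.51.100.53", secondary="192.0.2.53")
    # Ask every name of interest through the (modelled) configured resolver.
    configured = {n: selective_resolve(n) for n in LEGITIMATE}
    return {
        "dhcp_findings": dhcp_findings,
        "hijacked": divergent_names(configured, LEGITIMATE),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In a real deployment `LEGITIMATE` would be answers obtained from a resolver the client reaches independently of DHCP (for example a pinned DNS-over-HTTPS endpoint), and `configured` would be the answers from the server the router advertised; the comparison is only meaningful across the set of names an attacker would plausibly target, which is why the check walks every name rather than a single canary.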

The second cluster comprised a subset of servers that received DNS requests routed through likely compromised devices, including MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to further remote actor-owned servers. This cluster of infrastructure was also involved in interactive operations against a small number of MikroTik routers, often located in Ukraine, that were likely of intelligence value to the actor.

The NCSC called upon organizations to reduce exposure to this activity by securing management interfaces and ensuring they are never exposed to the public internet, while adopting architectures that limit privileged access to critical assets. Maintaining up-to-date devices and networks remains essential, including the prompt application of security patches, use of supported software versions, and regular scanning for known malware threats. Modern systems with built-in security controls offer stronger resilience, and where legacy platforms cannot be immediately replaced, interim safeguards should be implemented to reduce risk.

Effective defense also depends on maintaining current operating systems and applications, alongside continuous security monitoring to capture and analyze indicators of compromise across the network. 

The advisory also calls for restricting execution through application allowlisting, which can help prevent unauthorized or malicious code from running, while host-based intrusion detection systems add another layer of visibility. The use of multi-factor authentication reduces the impact of credential theft, and organizations should reinforce a culture where employees are treated as a critical line of defense, with clear reporting mechanisms for suspicious activity and a response approach that prioritizes rapid investigation over user blame.

Last May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Encrypted Domain Name System (DNS) Implementation Guidance for federal civilian executive branch (FCEB) agencies to meet encryption requirements for DNS traffic and enhance the cybersecurity resilience of their IT networks. The guidance aligns with the Office of Management and Budget (OMB) Memorandum M-22-09 and the Zero Trust principles of the National Cybersecurity Strategy. It provides FCEB agencies with direction on implementing encrypted DNS protocols in line with M-22-09, emphasizing the advancement of the U.S. Government towards Zero Trust Cybersecurity Principles. Encrypted DNS is directly relevant to the activity above: a client that sends its queries over DNS-over-HTTPS or DNS-over-TLS to a resolver it is configured to trust does not use whatever DNS server a compromised router advertises via DHCP, provided the client does not silently fall back to the DHCP-supplied servers when the encrypted resolver is unreachable.

Back in April 2023, U.S. and U.K. security agencies published a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers. The agencies assess that the APT28 group exploits a known vulnerability to carry out reconnaissance of routers and deploy malware, while also accessing poorly maintained Cisco routers and deploying malware on unpatched devices using CVE-2017-6742.


