APT28 exploit routers to enable DNS hijacking operations

8 Apr 2026 09:09 AM

Russian cyber actor APT28 exploit vulnerable routers to hijack DNS, enabling adversary‑in‑the‑middle attacks and theft of passwords and authentication tokens.

Executive summary

Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.

The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain.

Introduction

The UK National Cyber Security Centre (NCSC) is providing details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of routers to enable DNS hijacking operations.

Show All

What is a DNS protocol?

Show

What is DNS hijacking?

Show

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Forest Blizzard, Fancy Bear, STRONTIUM, the Sednit Gang and Sofacy) is a highly skilled threat actor.

The NCSC has previously attributed the following activity to APT28:

Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
An attempted attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponised by the GRU in the UK

For more information on APT28 activity, see the advisories ‘Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure’, ‘APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on cisco routers’ and ‘UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations’.

APT28 malicious DNS activity

Since 2024 and into 2026, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers T1583.002, T1583.003. These VPSs typically receive high volumes of DNS requests originating from routers that had been exploited by the actor likely utilising public vulnerabilities T1584.008, T1588.006. Investigations into this activity identified the following two banner pattern clusters containing multiple VPSs each.

Cluster one

The DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. These settings were subsequently inherited by downstream devices, for example laptops and phones.

Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the requested services.

The actor would then attempt to conduct adversary-in-the-middle (AitM) attacks against follow-on connections with the likely aim of harvesting user account credentials T1557, T1586.

What is an adversary-in-the-middle (AitM) attack?

Show

The AitM activity could be conducted against both user browser sessions and desktop applications. Harvested authentication material could include both passwords and OAuth or similar authentication tokens. Subsequent malicious logins using this stolen data may originate from further infrastructure not listed in this advisory.

It is believed that the DNS hijacking operations are opportunistic in nature, with the actor gaining visibility of a large pool of candidate target users then filtering down users at each stage in the exploitation chain to triage for victims of likely intelligence value.

TP-Link router exploitation

One of the router models that APT28 exploited for their DNS poisoning operations was the TP-Link WR841N, likely using CVE-2023-50224 T1584.008, T1588.006. This vulnerability enables an unauthenticated attacker to obtain information such as password credentials via specially crafted HTTP GET requests.

Having obtained the credentials for a router, the actor was then able to send a second specially crafted HTTP GET request to alter the DHCP DNS settings of that router.

The GET request would typically set the router’s primary DNS server to a malicious IP address, whilst also setting the secondary DNS server to the original primary DNS server’s IP address. On occasion both the primary and secondary DNS server had been set to malicious IP addresses, indicating that a router had likely been exploited multiple times.

Other TP-Link router models were also targeted by APT28 to enable their DNS hijacking operations. A list can be found in the Indicators of Compromise section.

Cluster two

A subset of servers in this cluster received DNS requests via likely compromised devices including models of MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to further remote actor-owned servers.

This cluster of infrastructure was also involved in interactive operations against a small number of MikroTik routers, often located in Ukraine, that were likely of intelligence value to the actor.

Indicators of compromise

Known malicious and targeted infrastructure is listed below. Specific selectors are liable to change and it is therefore recommended that holistic tradecraft is used to detect DNS hijacking and AitM activity.

Full Article