In a major technical disclosure, the UK National Cyber Security Centre (NCSC) has detailed a sophisticated campaign by the Russian threat actor APT28 (also known as Fancy Bear or Forest Blizzard). The group is currently exploiting consumer-grade routers to orchestrate large-scale DNS hijacking operations, effectively creating a “digital funnel” that traps passwords and OAuth tokens from unsuspecting users.
The core of the strategy is to rewrite the DNS server addresses that a compromised router's DHCP service hands out to every device on its LAN. Clients then send their lookups to an attacker-controlled resolver, which can silently answer with the addresses of malicious clones of legitimate sites instead of the real ones, redirecting the user's web traffic without touching the endpoint.
As the NCSC report warns:
“Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email related services”.
This puts organizations at serious risk because the hijack happens at the network layer, during name resolution, before a user's device has even connected to the intended site; nothing on the endpoint needs to be compromised, and the compromised router is frequently one the organization does not own.
While APT28 is a highly skilled unit of the Russian GRU, this specific campaign is noted for its “opportunistic” nature. The actors are not necessarily targeting specific individuals from the start; instead, they cast a wide net across the public internet.
The report explains the filtering process:
“The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain”.
One of the primary targets of these operations is the TP-Link TL-WR841N router. The attackers exploit vulnerabilities such as CVE-2023-50224, an authentication flaw in the device's web interface that lets an unauthenticated attacker retrieve stored credentials through "specially crafted HTTP GET requests".
Once they hold the router's administrative credentials, the second phase of the attack begins:
- Configuration Injection: The actor sends a second GET request that rewrites the DNS servers in the router's DHCP settings.
- DNS Poisoning: The primary DNS server is set to a malicious IP address, while the secondary is set to the original primary to maintain a facade of normalcy. Because clients typically fall back to the secondary only when the primary fails to answer, name resolution keeps working and the change goes unnoticed.
- Multiple Exploitation: In some cases researchers found both DNS entries set to malicious addresses, "indicating that a router had likely been exploited multiple times".
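The three outcomes above (clean, primary hijacked with the original kept as secondary, both entries hijacked) can be told apart by reading option 6 out of the DHCPACK a router sends a client and comparing it with the resolvers the router should be advertising. The following is an added example, not code from the NCSC report or from TP-Link; the DHCP packets are constructed in the script, the allowlist `EXPECTED` assumes the router's own LAN address is the only legitimate resolver, and the 198.51.100.x addresses are documentation-range placeholders standing in for an attacker resolver, not real indicators.

```python
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_ack(dns_servers, txid=0x3903F326):
    """Build a minimal DHCPACK: 236-byte fixed header, magic cookie, then
    option 53 (DHCPACK), option 6 (DNS server list) and the end option.
    Used only to construct sample packets for this example."""
    header = bytes([2, 1, 6, 0]) + struct.pack("!IHH", txid, 0, 0) + b"\0" * 224
    dns_bytes = b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_servers)
    options = (bytes([53, 1, 5])                      # DHCP message type = ACK
               + bytes([6, len(dns_bytes)]) + dns_bytes  # option 6 = DNS servers
               + bytes([255]))                         # end
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp_options(packet):
    """Return {option_code: value_bytes} from a raw DHCP packet.
    Pad options (0) are skipped and parsing stops at the end option (255)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers_from_ack(packet):
    """Decode option 6 into dotted-quad resolver addresses, in the order
    clients will try them (primary first)."""
    data = parse_dhcp_options(packet).get(6, b"")
    if len(data) % 4:
        raise ValueError("option 6 is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data), 4)]


def classify_dns_list(dns_servers, expected):
    """Compare the handed-out list with the resolvers the router should advertise.

    'clean'        every entry is expected
    'facade'       primary is foreign, the rest are the expected originals
    'all_foreign'  no entry is expected (the report's "exploited multiple times" case)
    'mixed'        anything else, e.g. a foreign secondary behind an expected primary
    """
    if not dns_servers:
        return "empty"
    known = [ip in expected for ip in dns_servers]
    if all(known):
        return "clean"
    if not any(known):
        return "all_foreign"
    if not known[0] and all(known[1:]):
        return "facade"
    return "mixed"


def audit_ack(packet, expected):
    servers = dns_servers_from_ack(packet)
    return servers, classify_dns_list(servers, expected)


# Constructed samples (assumption: the router's LAN address 192.168.0.1 is the
# only resolver it should hand out; 198.51.100.x are placeholders, not indicators).
EXPECTED = {"192.168.0.1"}
CLEAN_ACK = build_dhcp_ack(["192.168.0.1"])
FACADE_ACK = build_dhcp_ack(["198.51.100.23", "192.168.0.1"])
DOUBLE_ACK = build_dhcp_ack(["198.51.100.23", "198.51.100.24"])

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN_ACK), ("facade", FACADE_ACK), ("double", DOUBLE_ACK)]:
        print(name, audit_ack(pkt, EXPECTED))
```

On a real network the packet would come from a capture filter on UDP port 67/68, and `EXPECTED` should hold every legitimate resolver (the router's LAN address, the ISP's, or a corporate set), otherwise a perfectly normal ISP resolver will be flagged as foreign. The 'facade' and 'mixed' cases are worth separate alerts because a casual look at the router's settings page still shows the familiar address in one of the two slots.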
While the campaign is global, the NCSC identified a specific cluster of infrastructure involved in “interactive operations” against MikroTik routers. These targets were frequently located in Ukraine, suggesting the hijacking operations are being used to support broader military or geopolitical intelligence gathering.
The NCSC’s disclosure serves as a stark reminder that the “edge” of a corporate network often starts at an employee’s home router. To mitigate these risks, the agency recommends several critical steps:
- Firmware Management: Ensure all routers, especially TP-Link and MikroTik models, are running the latest security patches to close known vulnerabilities like CVE-2023-50224.
- Credential Hygiene: Change default administrative passwords on all networking equipment immediately upon deployment.
- Monitor DNS Traffic: Organizations should monitor for unusual DNS resolution patterns, such as DHCP-assigned resolvers that are not the expected ones or answers for high-value login domains that fall outside their known address ranges, as well as for connections to IP addresses known to be associated with APT28 infrastructure.
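One concrete form of the DNS monitoring the NCSC recommends is to query a sensitive domain through the resolver a client was handed and check that every A record falls inside the address ranges the service is known to use (obtained out of band, for example from a trusted resolver over a fixed IP). The script below is an added example, not tooling from the NCSC report: it builds and parses raw DNS messages over UDP, the `login.example.com` domain and the 203.0.113.0/24 "allowed" range are assumptions, the responses it checks are constructed in the script, and 198.51.100.23 is a documentation-range placeholder for a hijacked answer, not a real indicator.

```python
import ipaddress
import random
import socket
import struct


def encode_name(domain):
    """DNS wire format for a name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in domain.rstrip(".").split(".")) + b"\x00"


def build_query(domain, txid):
    """Standard recursive A/IN query (flags 0x0100 = RD set)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(domain) + struct.pack("!HH", 1, 1))


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_txid=None):
    """Return the IPv4 answers in a DNS response, in answer-section order."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # qtype + qclass
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen                                   # skip CNAME/AAAA/etc.
    return ips


def build_response(domain, ips, txid=0x1234):
    """Constructed response (flags 0x8180 = QR, RD, RA) whose answers use a
    compression pointer (0xC00C) back to the question name, as real resolvers do."""
    msg = (struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
           + encode_name(domain) + struct.pack("!HH", 1, 1))
    for ip in ips:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return msg


def unexpected_answers(ips, allowed_networks):
    """Answers outside every allowed network: the hijack signal."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]


def query_a(resolver_ip, domain, timeout=3.0):
    """Live lookup against one resolver (not exercised by the offline check)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


# Constructed samples (assumptions: the service lives in 203.0.113.0/24; the
# hijacked resolver answers with 198.51.100.23, a placeholder, not an indicator).
DOMAIN = "login.example.com"
ALLOWED = ["203.0.113.0/24"]
GOOD_RESPONSE = build_response(DOMAIN, ["203.0.113.10"])
HIJACKED_RESPONSE = build_response(DOMAIN, ["198.51.100.23"])


def check_response(msg, allowed=ALLOWED):
    return unexpected_answers(parse_a_records(msg, expected_txid=0x1234), allowed)


if __name__ == "__main__":
    print("good:", check_response(GOOD_RESPONSE))          # []
    print("hijacked:", check_response(HIJACKED_RESPONSE))  # ['198.51.100.23']
```

The allowlist must be a set of networks rather than a single address, because CDN-fronted login services legitimately rotate answers; a practical deployment populates it from a trusted resolver reached by fixed IP and alerts whenever the DHCP-assigned resolver disagrees with it for the handful of domains whose credentials matter most.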