Nation-state · Apr 7, 2026

APT28 exploit routers to enable DNS hijacking operations

APT28 exploits routers to hijack DNS and conduct credential-stealing man-in-the-middle attacks.

Summary

Russian state-sponsored threat actor APT28 has been exploiting vulnerable routers, particularly TP-Link models, to modify DHCP/DNS settings and redirect traffic through attacker-controlled DNS servers. This enables adversary-in-the-middle attacks to harvest user passwords, OAuth tokens, and other credentials for web and email services. The NCSC assesses the DNS hijacking operations as opportunistic, targeting a broad pool of victims and filtering for high-value intelligence targets.

Full text

Executive summary

Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. The resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email-related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.

The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down to users of potential intelligence value at each stage of the exploitation chain.

Introduction

The UK National Cyber Security Centre (NCSC) is providing details of tactics, techniques and procedures (TTPs) associated with APT28's exploitation of routers to enable DNS hijacking operations.

What is the DNS protocol?

The DNS protocol resolves human-readable domain names, for example ncsc.gov.uk, to their associated IP addresses, for example 1.2.3[.]4, through a process called DNS resolution.

What is DNS hijacking?

DNS hijacking (also known as DNS poisoning or DNS redirection) is a cyber attack in which DNS records or responses are manipulated in order to redirect clients to malicious infrastructure hosting services such as phishing websites or software that attempts to steal user credentials.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Forest Blizzard, Fancy Bear, STRONTIUM, the Sednit Gang and Sofacy) is a highly skilled threat actor.

The NCSC has previously attributed the following activity to APT28:

  • Cyber attacks against the German parliament in 2015, including data theft and disruption of the email accounts of German Members of Parliament (MPs) and the Vice Chancellor
  • An attempted attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponised by the GRU in the UK

For more information on APT28 activity, see the advisories 'Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure', 'APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers' and 'UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations'.

APT28 malicious DNS activity

Since 2024 and into 2026, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers [T1583.002, T1583.003]. These VPSs typically receive high volumes of DNS requests originating from routers that had been exploited by the actor, likely using publicly known vulnerabilities [T1584.008, T1588.006]. Investigations into this activity identified the following two banner pattern clusters, each containing multiple VPSs.

Cluster one

The DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. These settings were subsequently inherited by downstream devices, for example laptops and phones.

Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor's targeting criteria would instead be resolved to the legitimate IP addresses for the requested services.

The actor would then attempt to conduct adversary-in-the-middle (AitM) attacks against follow-on connections, with the likely aim of harvesting user account credentials [T1557, T1586].

What is an adversary-in-the-middle (AitM) attack?

An AitM attack occurs when an attacker inserts itself into the middle of a communication between two parties, enabling the attacker to read and potentially change the content of that communication.

The AitM activity could be conducted against both user browser sessions and desktop applications. Harvested authentication material could include both passwords and OAuth or similar authentication tokens. Subsequent malicious logins using this stolen data may originate from further infrastructure not listed in this advisory.

It is believed that the DNS hijacking operations are opportunistic in nature, with the actor gaining visibility of a large pool of candidate target users and then filtering down at each stage in the exploitation chain to triage for victims of likely intelligence value.

TP-Link router exploitation

One of the router models that APT28 exploited for their DNS poisoning operations was the TP-Link WR841N, likely using CVE-2023-50224 [T1584.008, T1588.006]. This vulnerability enables an unauthenticated attacker to obtain information such as password credentials via specially crafted HTTP GET requests.

Having obtained the credentials for a router, the actor was then able to send a second specially crafted HTTP GET request to alter the DHCP DNS settings of that router. The GET request would typically set the router's primary DNS server to a malicious IP address, whilst also setting the secondary DNS server to the original primary DNS server's IP address. On occasion both the primary and secondary DNS servers had been set to malicious IP addresses, indicating that a router had likely been exploited multiple times.

Other TP-Link router models were also targeted by APT28 to enable their DNS hijacking operations. A list can be found in the Indicators of compromise section.

Cluster two

A subset of servers in this cluster received DNS requests via likely compromised devices, including models of MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to further remote actor-owned servers.

This cluster of infrastructure was also involved in interactive operations against a small number of MikroTik routers, often located in Ukraine, that were likely of intelligence value to the actor.

Indicators of compromise

Known malicious and targeted infrastructure is listed below. Specific selectors are liable to change and it is therefore recommended that holistic tradecraft is used to detect DNS hijacking and AitM activity.

VPS banners

Banner pattern 1:
  • SSH on TCP port 56777
  • "dnsmasq-2.85" on UDP port 53

Banner pattern 2:
  • SSH on TCP port 35681
  • "dnsmasq-2.85" on UDP port 53 (for this pattern, the DNS software was only present on some servers)

TP-Link router models exploited by APT28

The following is a list of TP-Link router models targeted by APT28. It is likely that this list is not exhaustive.

  • TP-LINK LTE WIRELESS N ROUTER MR6400
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER ARCHER C5
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER ARCHER C7
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER WDR3600
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER WDR4300
  • TP-LINK WIRELESS DUAL BAND ROUTER WDR3500
  • TP-LINK WIRELESS LITE N ROUTER WR740N
  • TP-LINK WIRELESS LITE N ROUTER WR740N/WR741ND
  • TP-LINK WIRELESS LITE N ROUTER WR749N
  • TP-LINK WIRELESS N 3G/4G ROUTER MR3420
  • TP-LINK WIRELESS N ACCESS POINT WA801ND
  • TP-LINK WIRELESS N ACCESS POINT WA901ND
  • TP-LINK WIRELESS N GIGABIT ROUTER WR1043ND
  • TP-LINK WIRELESS N GIGABIT ROUTER WR1045ND
  • TP-LINK WIRELESS N ROUTER WR840N
  • TP-LINK WIRELESS N ROUTER WR841HP
  • TP-LINK WIRELESS N ROUTER WR841N
  • TP-LINK WIRELESS N ROUTER WR841N/WR841ND
  • TP-LINK WIRELESS N ROUTER WR842N
  • TP-LINK WIRELESS N ROUTER WR842ND
  • TP-LINK WIRELESS N ROUTER WR845N
  • TP-LINK WIRELESS N ROUTER WR941ND
  • TP-LINK WIRELESS N ROUTER WR945N

Targeted
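The two behaviours the advisory describes for cluster one (a router's DHCP DNS settings rewritten so that the primary resolver is attacker-owned while the secondary holds the displaced original, and a malicious resolver that answers only key-term lookups with actor IPs while passing everything else through) can be checked from the client side without touching the router's firmware. The following Python is an added example written for this page, not NCSC tooling. It assumes the analyst has already read the router's DHCP DNS settings (admin UI or config backup) and has resolved a set of probe domains both through the DHCP-assigned resolver and through a trusted resolver the router cannot influence (for example DoH/DoT to a pinned provider); the resolver allowlist, key-term list and all DNS answers below are constructed sample data.

```python
"""Detection helpers for router-level DNS hijacking of the kind described above.

Added example; not NCSC code. All resolvers, domains and answers are constructed
(RFC 5737 documentation ranges), and the allowlist must be replaced with the
resolvers your ISP or organisation actually hands out.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Set

# Resolvers the router is expected to hand out via DHCP (constructed allowlist).
EXPECTED_RESOLVERS: Set[str] = {"9.9.9.9", "149.112.112.112"}

# Key terms standing in for the actor's targeting criteria (login pages, email apps).
LOGIN_TERMS = ("login", "mail", "sso", "auth", "account")


@dataclass
class DhcpDnsFinding:
    verdict: str   # "clean" | "hijacked" | "hijacked-twice" | "review"
    detail: str


def assess_dhcp_dns(primary: str, secondary: Optional[str],
                    expected: Set[str] = EXPECTED_RESOLVERS) -> DhcpDnsFinding:
    """Classify a router's DHCP DNS settings against the patterns in the advisory.

    Primary unknown with the secondary set to a known resolver matches the
    'displaced original' pattern; both unknown suggests repeated exploitation.
    """
    for ip in (primary, secondary):
        if ip is not None:
            ip_address(ip)  # reject garbage before comparing strings
    p_ok = primary in expected
    s_ok = secondary is None or secondary in expected
    if p_ok and s_ok:
        return DhcpDnsFinding("clean", "both DNS servers are on the allowlist")
    if not p_ok and secondary is not None and not s_ok:
        return DhcpDnsFinding("hijacked-twice",
                              f"primary {primary} and secondary {secondary} both unknown")
    if not p_ok and secondary is not None and s_ok:
        return DhcpDnsFinding("hijacked",
                              f"primary {primary} unknown; secondary {secondary} looks like "
                              "the displaced original resolver")
    return DhcpDnsFinding("review", f"primary={primary} secondary={secondary}; "
                                    "partial mismatch, check manually")


def compare_resolutions(via_router: Dict[str, Set[str]],
                        via_trusted: Dict[str, Set[str]]) -> Dict[str, str]:
    """Per domain: 'match' if the two answer sets overlap, 'diverge' if disjoint,
    'missing' if the router path returned nothing.

    Caveat: CDN-fronted domains legitimately return different A records per
    resolver location, so a single divergence is weak evidence on its own.
    """
    out: Dict[str, str] = {}
    for domain, trusted in via_trusted.items():
        routed = via_router.get(domain)
        if not routed:
            out[domain] = "missing"
        elif routed & trusted:
            out[domain] = "match"
        else:
            out[domain] = "diverge"
    return out


def looks_selectively_hijacked(comparison: Dict[str, str]) -> bool:
    """Advisory pattern: only key-term lookups are answered with actor IPs and the
    rest pass through. Flag when every divergent domain carries a key term and at
    least one non-keyword domain resolved identically via both paths."""
    def keyed(d: str) -> bool:
        return any(t in d for t in LOGIN_TERMS)
    divergent = [d for d, v in comparison.items() if v == "diverge"]
    matched = [d for d, v in comparison.items() if v == "match"]
    return bool(divergent) and all(keyed(d) for d in divergent) \
        and any(not keyed(d) for d in matched)


# Constructed sample answers; none of these hosts or addresses are real infrastructure.
SAMPLE_VIA_ROUTER = {
    "login.example-mail.test": {"203.0.113.10"},   # answered with an actor-style IP
    "www.example-news.test": {"198.51.100.7"},     # passed through unchanged
    "cdn.example-static.test": {"198.51.100.20"},
}
SAMPLE_VIA_TRUSTED = {
    "login.example-mail.test": {"192.0.2.25"},
    "www.example-news.test": {"198.51.100.7"},
    "cdn.example-static.test": {"198.51.100.20"},
}


def run_sample() -> dict:
    dhcp = assess_dhcp_dns("203.0.113.5", "9.9.9.9")
    cmp = compare_resolutions(SAMPLE_VIA_ROUTER, SAMPLE_VIA_TRUSTED)
    return {"dhcp": dhcp.verdict, "selective": looks_selectively_hijacked(cmp),
            "per_domain": cmp}


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Two design points: the divergence test uses set intersection rather than equality so that a resolver returning a different subset of a legitimate round-robin pool is not flagged, and the "selective" verdict requires at least one non-keyword domain to match, because a resolver that diverges on everything is more likely a mis-configured or geographically distant resolver than the targeted behaviour described here.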

Indicators of Compromise

  • cve — CVE-2023-50224
  • mitre_attack — T1583.002
  • mitre_attack — T1583.003
  • mitre_attack — T1584.008
  • mitre_attack — T1588.006
  • mitre_attack — T1557
  • mitre_attack — T1586
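The VPS banner patterns given in the Indicators of compromise section (SSH on TCP/56777 or TCP/35681, with "dnsmasq-2.85" on UDP/53 present on every server in pattern 1 but only some in pattern 2) are the kind of selector one runs over scanner output rather than checking by hand. The following Python is an added example for this page, not NCSC tooling. The flat record shape (host, port, proto, service, banner) is a constructed stand-in for a scanner export and the hosts are RFC 5737 documentation addresses; adapt the loader to your own scanner's format.

```python
"""Match scanner output against the two VPS banner patterns from the advisory.

Added example; not NCSC tooling. SAMPLE_SCAN is constructed data in a generic
(host, port, proto, service, banner) shape, not a real scanner export.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

DNSMASQ_BANNER = "dnsmasq-2.85"

# (pattern name, SSH TCP port, dnsmasq expected on every server in the pattern?)
BANNER_PATTERNS = (
    ("banner pattern 1", 56777, True),
    ("banner pattern 2", 35681, False),  # DNS software only present on some servers
)


def match_vps_banner(services: Iterable[dict]) -> Optional[dict]:
    """Return {'pattern', 'confidence'} for one host's service records, or None.

    The non-standard SSH port is the discriminating element; dnsmasq 2.85 on
    UDP/53 is unremarkable on its own and only raises confidence alongside it.
    """
    svc = list(services)
    ssh_ports = {s["port"] for s in svc
                 if s["proto"] == "tcp" and s["service"] == "ssh"}
    has_dnsmasq = any(s["proto"] == "udp" and s["port"] == 53
                      and DNSMASQ_BANNER in s.get("banner", "") for s in svc)
    for name, ssh_port, dns_expected in BANNER_PATTERNS:
        if ssh_port not in ssh_ports:
            continue
        if has_dnsmasq:
            return {"pattern": name, "confidence": "high"}
        # SSH port alone: weak for pattern 1 (dnsmasq expected), fair for pattern 2
        return {"pattern": name, "confidence": "low" if dns_expected else "medium"}
    return None


def triage_scan(records: Iterable[dict]) -> Dict[str, dict]:
    """Group flat scan records by host and return only the hosts that match."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    hits: Dict[str, dict] = {}
    for host, svc in by_host.items():
        m = match_vps_banner(svc)
        if m:
            hits[host] = m
    return hits


# Constructed scan export (documentation addresses, not real infrastructure).
SAMPLE_SCAN = [
    {"host": "192.0.2.10", "port": 56777, "proto": "tcp", "service": "ssh", "banner": "SSH-2.0-OpenSSH"},
    {"host": "192.0.2.10", "port": 53, "proto": "udp", "service": "domain", "banner": "dnsmasq-2.85"},
    {"host": "192.0.2.11", "port": 35681, "proto": "tcp", "service": "ssh", "banner": "SSH-2.0-OpenSSH"},
    {"host": "192.0.2.12", "port": 22, "proto": "tcp", "service": "ssh", "banner": "SSH-2.0-OpenSSH"},
    {"host": "192.0.2.12", "port": 53, "proto": "udp", "service": "domain", "banner": "dnsmasq-2.85"},
]

if __name__ == "__main__":
    for host, hit in triage_scan(SAMPLE_SCAN).items():
        print(host, hit)
```

The third sample host (standard SSH on 22 plus dnsmasq 2.85) deliberately produces no hit: as the advisory notes, specific selectors are liable to change, and a match on the common DNS banner alone would bury the two distinctive port numbers in noise.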

Entities

  • APT28 (threat_actor)
  • Russian General Staff Main Intelligence Directorate (GRU) (threat_actor)
  • TP-Link WR841N (product)
  • DHCP/DNS (technology)
  • TP-Link (vendor)