Russian APT28 hackers hijack routers to steal credentials, UK security agency warns

April 8, 2026 · 7 min read · 2 sources

Introduction: A Familiar Threat with a New Vector

A joint advisory from the UK’s National Cyber Security Centre (NCSC) and its international partners has detailed a sustained campaign by the Russian state-sponsored group APT28 to compromise network edge devices, primarily small office/home office (SOHO) routers. The campaign, active since at least mid-2023, employs DNS hijacking to redirect users to malicious servers for the purpose of harvesting login credentials from a wide range of high-value targets.

The operation highlights a tactical evolution for APT28, also known as Fancy Bear or Strontium, leveraging the often-insecure nature of consumer-grade network hardware to establish a persistent foothold for intelligence gathering. This analysis breaks down the technical specifics of the attack, its potential impact, and the steps organizations and individuals must take to defend against it.

Background: APT28's Persistent Espionage Mission

APT28 is one of the most well-documented and prolific state-sponsored cyber espionage groups, widely attributed to Russia's GRU military intelligence agency. Their operational history is marked by high-profile intrusions aimed at gathering political, military, and strategic intelligence. The group was famously implicated in the 2016 hack of the Democratic National Committee (DNC) and has a long record of targeting governments, defense contractors, media organizations, and critical infrastructure across Europe and North America (NCSC, 2024).

While often associated with sophisticated spear-phishing campaigns and zero-day exploits, this latest activity demonstrates their pragmatic approach: exploiting the path of least resistance. SOHO routers represent an ideal target. They are ubiquitous, frequently operate with default credentials or unpatched firmware, and are rarely monitored by security teams, making them a soft underbelly for corporate and personal networks.

Technical Details: How the DNS Hijacking Works

The attack chain documented by the NCSC, FBI, CISA, and NSA follows a clear, multi-stage process designed for stealth and effectiveness. The core of the operation is not malware deployed on victim computers, but the manipulation of fundamental internet infrastructure.

1. Initial Router Compromise

The advisory does not specify the exact methods used for initial access in every case, but common vectors for SOHO router compromise include:

  • Brute-forcing credentials: Many routers are still configured with default administrator usernames and passwords (e.g., admin/admin, admin/password) or use weak, easily guessable credentials. APT28 can systematically scan for and exploit these devices.
  • Exploiting known vulnerabilities: Router firmware is notoriously slow to be updated by end-users. APT28 can leverage publicly known, unpatched vulnerabilities (N-day exploits) to gain administrative control over these devices at scale.

2. Malicious DNS Reconfiguration

Once an attacker gains administrative access to a router, the main payload is delivered. The Domain Name System (DNS) is the internet's phonebook, translating human-readable domain names (like newsnukem.com) into machine-readable IP addresses. By controlling DNS, an attacker controls where a user's traffic goes.

APT28 modifies the router's DNS server settings. Instead of using the legitimate DNS servers provided by the user's Internet Service Provider (ISP) or a public service like Google (8.8.8.8), the router is configured to send all DNS queries to servers under APT28's control. According to the advisory, these malicious DNS resolvers are often hosted on compromised virtual private servers (VPS), giving the attackers operational flexibility and a degree of anonymity.

3. Credential Harvesting via Phishing

With the DNS redirection in place, any device connected to the compromised router becomes a potential victim. The process unfolds as follows:

  1. A user on the network attempts to navigate to a legitimate website, such as a corporate email portal, cloud service, or financial institution.
  2. The DNS query is sent to APT28's malicious server.
  3. Instead of returning the legitimate IP address for the requested service, the malicious server returns the IP address of a phishing server controlled by the attackers.
  4. The user's browser connects to this phishing server, which presents a pixel-perfect replica of the legitimate login page. Because the address bar shows exactly the domain the user typed, the deception is hard to spot. One thing the attacker cannot do, however, is obtain a publicly trusted TLS certificate for the real domain just by hijacking the victim's resolver: certificate authorities validate domain control through their own resolvers, not the victim's. The fake page therefore depends on the site being reached over plain HTTP, on the first request to a site without HSTS never being upgraded to HTTPS, or on the user clicking through a certificate warning.
  5. The unsuspecting user enters their username, password, and potentially even multi-factor authentication (MFA) codes into the fake page. These credentials are sent directly to APT28.

After harvesting the credentials, the attackers might redirect the user to the real website to reduce suspicion or simply display an error message.

Impact Assessment: A Broad and Insidious Threat

The primary targets of this campaign are organizations of strategic interest to the Russian state, including government agencies, military bodies, and critical infrastructure sectors. The impact of a successful credential theft can be severe:

  • Espionage and Data Exfiltration: Stolen credentials provide a direct path into sensitive networks, email accounts, and cloud storage, enabling long-term intelligence gathering.
  • Initial Access for Further Attacks: Gaining a foothold through a valid account is often the first step in a more complex attack chain, which could later involve deploying ransomware or destructive malware.
  • Supply Chain Risk: If credentials for a defense contractor or software provider are compromised, APT28 could pivot from that network to attack its partners and customers.

While the focus is on organizational targets, individuals are directly affected. Remote workers connecting to corporate networks through a compromised home router put their employers at significant risk. Furthermore, any personal credentials—for banking, email, or social media—entered while connected to the compromised network are also vulnerable to theft.

How to Protect Yourself

Defense against this threat requires a layered approach focusing on securing the network edge and implementing strong authentication practices. Both organizations and individuals have a role to play.

For Organizations and IT Administrators:

  1. Enforce MFA Everywhere: Multi-factor authentication is the single most effective defense against credential theft, but not every form of it survives this attack. One-time codes and push approvals can be relayed to the real site in real time by the same fake page that captured the password. Prioritize phishing-resistant MFA such as FIDO2/WebAuthn security keys, whose assertions are bound to the legitimate site's origin and cannot be replayed from an impostor page.
  2. Monitor DNS Traffic: Outbound DNS (UDP/TCP 53, and DNS-over-TLS on 853) from managed hosts to any resolver outside the sanctioned set is itself a high-fidelity indicator that a device's configuration has been changed, and it is easier to catch than individual malicious lookups. In addition, match queries and answers against the malicious domains and IP addresses published in threat intelligence such as the NCSC advisory, and consider a protective DNS service that blocks resolution of known-bad sites.
  3. Educate Remote Workers: Provide clear guidance to employees on securing their home routers, including changing default passwords and updating firmware. Require a corporate VPN for work activity, with one caveat: only a full-tunnel configuration whose client installs the corporate resolvers defeats this hijack. A split-tunnel VPN that leaves the operating system using the resolver the router handed out over DHCP still sends every lookup to the attacker's server. The VPN connection itself fails closed rather than being silently redirected, because the client authenticates the gateway with a certificate or key instead of trusting DNS alone.
  4. Implement Zero Trust Principles: Assume that no user or device is inherently trustworthy. Require explicit verification for every access request, regardless of whether it originates from inside or outside the network perimeter.
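The network-side check behind item 2 above, as an added example that is not from the advisory or from the NCSC: it scans a constructed connection log for managed hosts sending DNS or DNS-over-TLS to resolvers outside an assumed approved set, then pivots the findings by resolver so that several hosts talking to one unknown server stand out. The log format, the approved resolvers and the internal address ranges are all assumptions standing in for your own environment; adapt `parse_line` to your firewall, Zeek or EDR export.

```python
"""Network-side detection of hosts using an unsanctioned DNS resolver.

Added example; not from the NCSC advisory. Log format, resolver allowlist and
address ranges are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organization's sanctioned resolvers (internal forwarders plus
# the protective DNS service hosts are allowed to reach directly).
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53", "1.1.1.1")}

# Assumption: address space of the managed hosts this log covers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Plain DNS and DNS-over-TLS. DNS-over-HTTPS hides inside 443 and needs a
# different detection (known DoH endpoint lists); it is not covered here.
DNS_PORTS = {53, 853}

# Constructed sample in a minimal "<ts> <proto> <src>:<sport> -> <dst>:<dport>" form.
# 203.0.113.x are RFC 5737 documentation addresses standing in for attacker VPSs.
SAMPLE_LOG = """\
2026-04-08T09:12:01Z udp 10.0.4.21:51234 -> 10.0.0.53:53
2026-04-08T09:12:02Z udp 10.0.4.21:51235 -> 203.0.113.10:53
2026-04-08T09:12:02Z tcp 10.0.4.22:40001 -> 198.51.100.7:443
2026-04-08T09:12:03Z udp 10.0.4.21:51236 -> 203.0.113.10:53
2026-04-08T09:12:05Z udp 192.168.1.40:60000 -> 1.1.1.1:53
2026-04-08T09:12:06Z tcp 10.0.4.23:50010 -> 203.0.113.11:853
2026-04-08T09:12:07Z udp 10.0.4.21:51237 -> 10.0.0.53:53
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port) or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, _sport = parts[2].rsplit(":", 1)
        dst_ip, dport = parts[4].rsplit(":", 1)
        return (parts[0], parts[1], ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport))
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_rogue_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Map each internal source host to {resolver: flow_count} for DNS-port
    traffic aimed at anything outside the approved set."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, _proto, src, dst, dport = rec
        if dport not in DNS_PORTS or not is_internal(src) or dst in approved:
            continue
        findings[str(src)][str(dst)] += 1
    return {src: dict(dsts) for src, dsts in findings.items()}


def pivot_by_resolver(findings):
    """Invert to {resolver: [hosts]}: one unknown resolver shared by many hosts
    points at a common cause such as a reconfigured router or DHCP server."""
    by_resolver = defaultdict(set)
    for src, dsts in findings.items():
        for dst in dsts:
            by_resolver[dst].add(src)
    return {r: sorted(hosts) for r, hosts in by_resolver.items()}


if __name__ == "__main__":
    hits = find_rogue_resolvers(SAMPLE_LOG)
    for resolver, hosts in pivot_by_resolver(hits).items():
        print(f"unsanctioned resolver {resolver} used by {len(hosts)} host(s): {', '.join(hosts)}")
```

On the constructed log this flags host 10.0.4.21 for two plain-DNS flows to 203.0.113.10 and host 10.0.4.23 for an encrypted DNS-over-TLS session to 203.0.113.11, while ignoring the web flow on 443 and the lookups to approved resolvers. The pivot matters operationally: a single unknown resolver appearing across many hosts on one site is the pattern a hijacked gateway or DHCP server produces, whereas one host alone is more likely a local misconfiguration.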

For Individuals and Home Office Users:

  1. Secure Your Router Immediately: Access your router's administration panel (instructions are usually on the device or in its manual). Change the default administrator password to a long, unique, and complex one.
  2. Update Your Router's Firmware: Check your router manufacturer's website for the latest firmware version and install it. This patches known security vulnerabilities that attackers exploit. Enable automatic updates if the feature is available.
  3. Check Your DNS Settings: In your router's settings, verify that the DNS servers are set to your ISP's defaults or a trusted public provider (e.g., 1.1.1.1, 8.8.8.8). Check both the upstream (WAN) DNS servers and any DNS servers the router hands to your devices over DHCP, since either can be altered. If you see unfamiliar IP addresses, assume the router was compromised: change the DNS back, update the firmware, set a new administrator password, and change the passwords of any accounts you signed in to while the rogue setting was in place.
  4. Use MFA on All Important Accounts: Enable MFA for your email, banking, and social media accounts. This is your best defense if your credentials are ever stolen.
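Step 3 above (and the matching FAQ question on checking DNS settings) can be partly automated from a laptop on the network. The following is an added example, not tooling from the advisory: it parses a constructed resolver configuration, classifies each configured resolver, and applies two heuristics to DNS answers that a hijacked router tends to produce: many unrelated login domains collapsing onto a single IP, and disagreement with an independent reference resolver. The known-good resolver list, the domain names and every IP address (all in RFC 5737 documentation ranges) are assumptions.

```python
"""Client-side checks for a hijacked home router, run from a device on the LAN.

Added example; not from the NCSC advisory. Resolver allowlist, sample
resolver configuration and all DNS answers are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumption: resolvers the user or organization knows to be legitimate.
KNOWN_GOOD_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# RFC 1918 ranges: a resolver here is usually the router itself, which means the
# router's own upstream (WAN) and DHCP DNS settings still need inspecting.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver configuration: the router (normal) plus a public address
# nobody configured on purpose (203.0.113.0/24 is a documentation range).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.10
options edns0
"""

# Constructed answers: three unrelated login portals resolve to one host via the
# router, but to distinct hosts via a reference resolver; a fourth site agrees.
LOCAL_ANSWERS = {
    "mail.example.com": {"203.0.113.50"},
    "login.example.org": {"203.0.113.50"},
    "portal.example.net": {"203.0.113.50"},
    "www.example.edu": {"198.51.100.20"},
}
REFERENCE_ANSWERS = {
    "mail.example.com": {"192.0.2.10"},
    "login.example.org": {"192.0.2.20"},
    "portal.example.net": {"192.0.2.30"},
    "www.example.edu": {"198.51.100.20"},
}


def parse_resolv_conf(text):
    """Return nameserver IPs in order, ignoring comments and other directives."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # unparsable entry (e.g. scoped IPv6); skip it
    return servers


def classify_resolvers(servers, known_good=KNOWN_GOOD_RESOLVERS):
    """Label each resolver 'lan' (router/gateway), 'known', or 'unknown-public'."""
    result = {}
    for s in servers:
        ip = ipaddress.ip_address(s)
        if ip.is_loopback or ip.is_link_local or any(ip in n for n in LAN_NETS):
            result[s] = "lan"
        elif s in known_good:
            result[s] = "known"
        else:
            result[s] = "unknown-public"
    return result


def registrable_domain(name):
    """Crude eTLD+1 (last two labels); adequate for the heuristic, not a PSL lookup."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shared_answer_hosts(answers, min_domains=3):
    """IPs that answer for at least min_domains unrelated registrable domains.
    A phishing host serving many cloned login pages produces this collapse."""
    by_ip = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            by_ip[ip].add(registrable_domain(name))
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


def disagreeing_domains(local, reference):
    """Domains whose local answers share no IP with the reference resolver.
    CDN-fronted sites legitimately differ by vantage point, so treat this as a
    prompt to investigate and combine it with shared_answer_hosts()."""
    return {d for d in local if d in reference and not (local[d] & reference[d])}


def assess(resolv_conf=SAMPLE_RESOLV_CONF, local=LOCAL_ANSWERS, reference=REFERENCE_ANSWERS):
    classes = classify_resolvers(parse_resolv_conf(resolv_conf))
    collapsed = shared_answer_hosts(local)
    disagree = disagreeing_domains(local, reference)
    likely = "unknown-public" in classes.values() or (bool(collapsed) and len(disagree) >= 2)
    return {"resolvers": classes, "collapsed": collapsed, "disagree": disagree, "likely_hijacked": likely}


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

In real use, LOCAL_ANSWERS would come from querying the resolver the operating system is actually configured with, and REFERENCE_ANSWERS from a resolver reached by IP address with certificate validation (for example DNS-over-HTTPS to a known provider), since a reference looked up by name could itself be hijacked. A "lan" classification only means the router is in the path; whether its upstream is legitimate is exactly what step 3 above checks in the router's own settings.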

This campaign is a stark reminder that national security can depend on the integrity of devices in our living rooms. APT28's willingness to exploit common weaknesses in consumer hardware demonstrates that in cybersecurity, the front line is everywhere.

FAQ

What is APT28?

APT28, also known as Fancy Bear or Strontium, is a highly sophisticated cyber espionage group linked to Russia's GRU military intelligence agency. They are known for targeting government, military, and political organizations worldwide to gather strategic intelligence.

What is DNS hijacking?

DNS hijacking is an attack where a threat actor alters a device's Domain Name System (DNS) settings. This forces web traffic to be redirected to malicious servers, often leading users to fake websites designed to steal credentials or distribute malware, even when they type the correct web address.

How can I check if my router's DNS settings have been changed?

Log into your router's administration panel (usually by typing an address like 192.168.1.1 into your browser). Look for DNS settings under the 'WAN' or 'Internet' section, and also under the LAN or DHCP section, since some routers hand clients a separate DNS server there. Compare the listed DNS server IPs to those provided by your ISP or a trusted public DNS provider (such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1). If they point to unfamiliar IP addresses, your router may be compromised.

Will multi-factor authentication (MFA) protect me from this attack?

MFA provides a strong layer of defense, but not all forms are equal. A phishing page can ask for a one-time code and relay it to the real site within its validity window, so codes from an app or text message, and push approvals, can be defeated by an attacker working in real time. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site's origin, so a credential presented to a fake page cannot be replayed. Enable MFA everywhere, and prefer the phishing-resistant kind wherever it is offered.
