Russian Hackers Hijack Routers to Steal Data

Summary
– APT28, a Russian hacking group linked to Russian military intelligence, is exploiting vulnerable internet routers to hijack traffic and steal credentials.
– The group uses compromised virtual private servers (VPS) as malicious DNS servers to redirect and intercept data from targeted organizations.
– One campaign specifically targets TP-Link routers, exploiting a known vulnerability to change their DNS settings and affect all connected devices.
– The hackers then perform adversary-in-the-middle attacks to harvest passwords and authentication tokens from user sessions.
– This initial DNS hijacking is opportunistic, allowing the group to filter a large pool of candidates for high-value intelligence targets.
A Russian state-sponsored hacking group has been conducting widespread campaigns to hijack internet routers, redirecting traffic to steal sensitive credentials from targeted organizations. The UK’s National Cyber Security Centre issued a new advisory detailing these activities, which it attributes to the group known as APT28. The agency detected two distinct malicious operations linked to a set of virtual private servers that the hackers have modified since 2024 to function as rogue domain name system servers.
These compromised VPSs receive enormous volumes of DNS requests originating from routers that APT28 has exploited, likely by leveraging known public vulnerabilities. The NCSC assesses that the initial DNS hijacking is opportunistic, allowing the hackers to first gain visibility into a broad pool of potential targets. They then systematically filter users at each stage of the attack chain to identify high-value victims for intelligence collection. The UK government states APT28 is almost certainly operated by Russian military intelligence, specifically the GRU’s 85th Main Special Service Centre. The group is also widely tracked under aliases like Fancy Bear, Forest Blizzard, and Strontium.
In a related report, Microsoft Threat Intelligence confirmed that APT28, along with a sub-group tracked as Storm-2754, began compromising VPS servers to target small office/home office routers at least as early as August 2025.
The first major activity cluster identified by the NCSC involves the compromise of SOHO routers, predominantly TP-Link models. In these attacks, the hackers modified the DNS server addresses that the routers hand out to clients over DHCP (dynamic host configuration protocol) to include IP addresses they control. One specific model, the TP-Link WR841N, was likely breached using a known vulnerability designated CVE-2023-50224. This flaw allows an unauthenticated attacker to obtain information such as password credentials through specially crafted requests.
Once a router is compromised, the malicious DNS settings are inherited by all downstream devices connecting to it, such as laptops and smartphones. This forces traffic matching APT28’s targeting criteria to be resolved by the attackers’ rogue DNS servers. The group then uses this position to launch adversary-in-the-middle attacks against subsequent connections, including web browser sessions and desktop applications. The primary goal is to harvest passwords, OAuth tokens, and other credentials for web and email services. The NCSC warns that subsequent malicious logins using this stolen data may originate from infrastructure not listed in its current advisory.
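The detection angle on the mechanism described above: once a router's DHCP-supplied DNS servers are swapped, every device behind it starts sending port-53 queries to addresses the organisation never sanctioned, so several clients converging on the same unknown resolver is the signal to look for. The script below is an added example written for this article, not code from the NCSC advisory, Microsoft, or Infosecurity Magazine. It compares DNS flows against an allowlist of sanctioned resolvers; the flow-log format, the resolver allowlist and every IP address in it are constructed for illustration.

```python
"""Flag DNS traffic that bypasses an organisation's sanctioned resolvers.

Added example (not from the advisory or the article): when a router's
DHCP-supplied DNS servers are replaced, downstream hosts start sending
port-53 queries to addresses the organisation never approved. Comparing
observed DNS destinations against an allowlist of sanctioned resolvers
surfaces that. The flow-log format and all addresses are constructed.
"""
import ipaddress

# Sanctioned resolvers (constructed): an internal resolver subnet and one public resolver.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network("10.0.53.0/24"),
    ipaddress.ip_network("9.9.9.9/32"),
]

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
2025-09-01T08:00:01Z 10.0.1.15 10.0.53.10 udp 53 74
2025-09-01T08:00:02Z 10.0.1.15 203.0.113.77 udp 53 81
2025-09-01T08:00:03Z 10.0.1.22 203.0.113.77 udp 53 79
2025-09-01T08:00:04Z 10.0.1.22 10.0.53.10 udp 53 70
2025-09-01T08:00:05Z 10.0.1.30 9.9.9.9 tcp 53 120
2025-09-01T08:00:06Z 10.0.1.30 198.51.100.5 tcp 443 1500
2025-09-01T08:00:07Z 10.0.1.15 203.0.113.77 tcp 53 95
"""


def is_sanctioned(dst, allowed=ALLOWED_RESOLVERS):
    """True if dst falls inside any sanctioned resolver network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed)


def parse_flow(line):
    """Parse one constructed flow record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "proto": proto,
                "dport": int(dport), "bytes": int(nbytes)}
    except ValueError:
        return None


def find_rogue_resolvers(flow_text, allowed=ALLOWED_RESOLVERS):
    """Return {unsanctioned_resolver_ip: {client_ip, ...}} for DNS flows.

    Only flows to destination port 53 (UDP or TCP) are considered; all
    other traffic is ignored. Malformed records are skipped.
    """
    rogue = {}
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] != 53:
            continue
        if not is_sanctioned(rec["dst"], allowed):
            rogue.setdefault(rec["dst"], set()).add(rec["src"])
    return rogue


def affected_client_count(flow_text, allowed=ALLOWED_RESOLVERS):
    """Number of distinct clients seen querying at least one unsanctioned resolver.

    Several clients converging on one unknown resolver is the pattern a
    hijacked DHCP DNS setting produces, because every device behind the
    router inherits the same setting.
    """
    clients = set()
    for hosts in find_rogue_resolvers(flow_text, allowed).values():
        clients |= hosts
    return len(clients)


if __name__ == "__main__":
    for resolver, clients in find_rogue_resolvers(SAMPLE_FLOWS).items():
        print(f"unsanctioned resolver {resolver} used by {len(clients)} client(s): "
              f"{', '.join(sorted(clients))}")
    print("affected clients:", affected_client_count(SAMPLE_FLOWS))
```

Run against the constructed sample, the script reports one unsanctioned resolver (203.0.113.77) reached by two clients, while the TCP query to the allowlisted public resolver and the HTTPS flow are ignored. In practice the allowlist would be the resolvers your DHCP scopes are supposed to advertise, and the same comparison can be run against the DNS-server option in captured DHCP offers to catch a tampered router before any client sends a query.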
(Source: Infosecurity Magazine)
