APT28 exploit routers to enable DNS hijacking operations
Summary
Russian state-linked actor APT28 has been exploiting internet-facing routers to overwrite DHCP/DNS settings so that downstream devices use attacker-controlled DNS servers. The malicious DNS servers selectively resolve targeted domain names (often email and login endpoints) to actor-owned infrastructure while resolving other names correctly. This enables adversary-in-the-middle (AitM) activity that has been used to harvest passwords, OAuth tokens and other credentials, placing organisations and users at risk of unauthorised access, data theft and wider compromise.
The activity is broadly opportunistic: APT28 compromises a large set of routers (notably many TP-Link and some MikroTik models), funnels DNS traffic to VPS-hosted malicious resolvers, then filters and escalates to high-value targets for interactive AitM operations.
Key Points
- APT28 overwrites DHCP/DNS settings on compromised SOHO and enterprise-edge routers to redirect clients to attacker-controlled DNS servers.
- The malicious DNS resolvers selectively redirect lookups for service/login domains (e.g. Outlook/Office endpoints) to actor-owned infrastructure, enabling AitM credential harvesting, while answering other queries correctly.
- Actor infrastructure is hosted on VPSs that show one of two service banner patterns (dnsmasq listening on specific SSH/TCP ports) across multiple IP clusters; the indicators of compromise are published in the advisory.
- Multiple TP-Link router models (including the WR841N and many WR/WRD/ARCHER series devices) and some MikroTik devices were targeted, often via known public vulnerabilities (e.g. CVE-2023-50224 for the TP-Link WR841N).
- Mitigations: protect management interfaces (never expose them), patch/update devices, enable MFA/2FA, deploy monitoring and host IDS, use allowlisting, and apply device security best practice.
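As an added example (not code from the advisory or NCSC), a defender-side check in Python for the two symptoms described above: DHCP handing out a resolver that is not on the organisation's expected list, and a resolver that answers differently from a trusted out-of-band reference for a few specific names while agreeing on the rest. The lease text, addresses and domain names are all constructed for the example.

```python
import re

# Resolvers the organisation expects its DHCP server to hand out (constructed).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed dhclient-style lease excerpt; the second lease carries an
# unexpected resolver, as a router whose DHCP settings were overwritten would.
SAMPLE_LEASES = """
lease {
  interface "eth0";
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.53, 10.0.1.53;
}
lease {
  interface "eth0";
  option routers 10.0.0.1;
  option domain-name-servers 203.0.113.10, 10.0.0.53;
}
"""

# Constructed answers: what the DHCP-assigned resolver returned for each name,
# and what a trusted reference resolver (queried out of band) returned.
# login/mail stand in for the email and login endpoints the advisory says are
# singled out; the other names resolve identically on both resolvers.
DHCP_RESOLVER_ANSWERS = {
    "login.example.com": {"203.0.113.55"},
    "mail.example.com": {"203.0.113.55"},
    "cdn.example.net": {"198.51.100.7"},
    "www.example.com": {"198.51.100.20"},
}
REFERENCE_ANSWERS = {
    "login.example.com": {"198.51.100.5"},
    "mail.example.com": {"198.51.100.6"},
    "cdn.example.net": {"198.51.100.7"},
    "www.example.com": {"198.51.100.20"},
}

def unexpected_dhcp_resolvers(lease_text, expected=EXPECTED_RESOLVERS):
    """Return DNS servers offered via DHCP that are not on the expected list."""
    found = set()
    for m in re.finditer(r"option domain-name-servers ([^;]+);", lease_text):
        found.update(ip.strip() for ip in m.group(1).split(","))
    return sorted(found - expected)

def selectively_hijacked(answers, reference):
    """Names whose DHCP-resolver answer differs from the reference resolver.
    Selective hijacking shows as a few high-value names diverging while the
    bulk of lookups still agree, which is why both views are compared per name."""
    return sorted(name for name, rrset in answers.items()
                  if name in reference and rrset != reference[name])

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_dhcp_resolvers(SAMPLE_LEASES))
    print("diverging names:", selectively_hijacked(DHCP_RESOLVER_ANSWERS, REFERENCE_ANSWERS))
```

In production the lease text would come from the client's lease file or the DHCP server's offer logs, and the two answer sets from live queries to the assigned resolver and to a resolver reached outside the suspect router's path.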
Context and relevance
This advisory adds to a steady stream of state-linked campaigns that weaponise poorly secured edge devices. Because the router is the single point from which DHCP hands DNS settings to every downstream client, compromising it lets the attacker intercept traffic at scale and with low visibility, without placing any malware on endpoints. The techniques map cleanly to MITRE ATT&CK (Initial Access via a public-facing exploit, Resource Development using VPS-hosted DNS servers, and Credential Access via AitM), so organisations should treat exposed or end-of-life network gear as a high priority when planning defensive actions.
Why should I read this
Look, if you run networks or manage kit — this one matters. APT28 isn’t just phishing; they’re quietly changing router settings and routing your users to fake services to nick passwords and tokens. Read the short bit here to know which models are named, what the attacker infra looks like, and what immediate steps to take so you don’t become the next victim.
Author style
Punchy: this is must‑read intel for cyber teams and network ops. The guidance is practical — patch, lock down management interfaces, monitor DNS, enable MFA — and following it reduces immediate risk from a capable, opportunistic actor.
Source
Source: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations