APT28 Exploits SOHO Routers for DNS Hijacking Operations, NCSC Warns
The UK's NCSC has revealed that Russian state-sponsored APT28 has been exploiting small office/home office routers since 2024 to hijack DNS settings and conduct adversary-in-the-middle attacks targeting credentials for web and email services.

The UK National Cyber Security Centre (NCSC) has published a detailed advisory warning that the Russian state-sponsored threat actor APT28 (also tracked as Fancy Bear and Forest Blizzard, formerly Strontium) has been systematically exploiting small office/home office (SOHO) routers to conduct DNS hijacking operations since at least 2024. The campaign, which remains active into 2026, is opportunistic in its initial targeting: a wide pool of router owners is compromised, and the actor then filters down to users of potential intelligence value.
According to the NCSC, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers. The attackers first compromise SOHO routers, primarily TP-Link and MikroTik models, using publicly known vulnerabilities. One exploit the NCSC confirmed is CVE-2023-50224, an authentication bypass in the web interface of the TP-Link TL-WR841N that lets an unauthenticated attacker retrieve the router's stored credentials with a specially crafted HTTP GET request. With those credentials, the actor sends a second HTTP GET request that rewrites the DNS server addresses the router's DHCP service hands out, so that every downstream device picks up actor-controlled resolvers at its next lease renewal. The router itself is otherwise left functioning normally.
The malicious DNS servers are configured to selectively resolve lookups for domain names containing key terms associated with email applications and login pages—such as Outlook and other webmail services—to actor-owned IP addresses. All other DNS requests are resolved legitimately, making the attack difficult for users to detect. When a victim's device connects to a spoofed login page, APT28 conducts adversary-in-the-middle (AitM) attacks to harvest passwords, OAuth tokens, and other authentication material from both browser sessions and desktop applications.
The NCSC identified two distinct clusters of malicious infrastructure. Cluster one involves compromised SOHO routers whose DHCP DNS settings were modified to include actor-owned IP addresses. Cluster two includes servers that received DNS requests via compromised MikroTik and TP-Link routers, with some servers involved in interactive operations against a small number of MikroTik routers located in Ukraine—suggesting targeted espionage against high-value intelligence targets.
The advisory lists over 20 TP-Link router models targeted by APT28, including the Archer C5, Archer C7, WR841N, WR941ND and several MR-series LTE routers, and notes that the list is likely not exhaustive. Indicators of compromise for the actor's VPS infrastructure include SSH listening on TCP port 56777 or 35681 and a DNS service identifying itself as "dnsmasq-2.85" on UDP port 53. Because dnsmasq 2.85 is a widely deployed release, that banner is only meaningful together with the other indicators, such as the non-standard SSH ports or the server having been handed out as a resolver by a compromised router. Targeted domains include autodiscover-s.outlook[.]com, imap-mail.outlook[.]com and outlook.live[.]com, among others.
This campaign extends APT28's tradecraft beyond direct phishing and credential theft: rather than luring individual victims, the actor compromises network devices at the perimeter and lets the router deliver victims to it. Hijacking DNS at the router steers every downstream device's lookups for the chosen hostnames to infrastructure the actor controls, without malware on the endpoint and with little user interaction; because all other names still resolve correctly, a spot check against an arbitrary domain will not reveal it. The NCSC urges organizations and home users to patch SOHO routers, change default credentials, and monitor for unauthorized changes to the DNS servers the router hands out over DHCP. After patching, those DHCP DNS settings should be inspected and corrected as well, since a firmware update does not necessarily reset a configuration the actor has already changed. Encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) mitigates this only when clients are configured with a fixed, trusted upstream resolver; a client that merely encrypts its queries to whatever resolver DHCP supplied is still talking to the attacker.
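The two checks the advisory implies, unexpected resolvers appearing in a DHCP lease and a resolver that answers only mail and login names differently, can be scripted. The following is an added example written for this article, not code from the NCSC or from the advisory. The lease text, resolv.conf text, DNS answers, watch terms and resolver allowlist are all constructed for the example, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges standing in for actor and provider infrastructure, not real indicators.

```python
"""Offline checks for router-level DNS hijacking as described by the NCSC:
(1) did DHCP hand out a resolver we do not recognise, and (2) does that
resolver answer mail/login names differently from a trusted reference while
agreeing on everything else. All inputs below are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Hostname fragments the advisory says the rogue resolvers key on.
WATCH_TERMS = ("outlook", "autodiscover", "imap", "mail", "login")
# Assumed allowlist: the router's LAN address plus two public resolvers.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1", "1.1.1.1", "9.9.9.9"})

# Constructed dhclient lease and resolv.conf text. 198.51.100.0/24 stands in
# for actor infrastructure; it is a documentation range, not a real IoC.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,198.51.100.53;
}
"""
SAMPLE_RESOLV_CONF = "search lan\nnameserver 198.51.100.53\nnameserver 192.168.1.1\n"

_DHCLIENT_RE = re.compile(r"option domain-name-servers\s+([^;]+);")
_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

def parse_resolvers(text: str) -> list[str]:
    """Deduplicated resolver addresses from dhclient lease and/or resolv.conf text."""
    raw: list[str] = []
    for m in _DHCLIENT_RE.finditer(text):
        raw.extend(p.strip() for p in m.group(1).split(","))
    raw.extend(_RESOLV_RE.findall(text))
    out: list[str] = []
    for addr in raw:
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # not an address, skip
        if ip not in out:
            out.append(ip)
    return out

def unexpected_resolvers(resolvers: list[str], expected=EXPECTED_RESOLVERS) -> list[str]:
    """Resolvers missing from the allowlist. On a SOHO network that normally hands
    out only the router, a public address here is the first sign that the router's
    DHCP DNS settings were rewritten."""
    return [r for r in resolvers if r not in expected]

def is_watched(name: str) -> bool:
    return any(term in name.lower() for term in WATCH_TERMS)

def selective_hijack_report(dhcp_answers: dict[str, set[str]],
                            reference_answers: dict[str, set[str]]) -> dict:
    """Compare A-record answers from the DHCP-assigned resolver with a trusted one.
    GeoDNS makes legitimate answers for big mail providers differ between
    resolvers, so a bare mismatch is weak. The two signals weighted here are the
    ones the advisory describes: only watched names diverge while control names
    agree, and unrelated watched names collapse onto one address (the AitM host)."""
    diverging_watched, diverging_control = [], []
    names_by_ip = defaultdict(set)
    for name, ips in dhcp_answers.items():
        if not ips.isdisjoint(reference_answers.get(name, set())):
            continue  # at least one answer agrees with the reference
        if is_watched(name):
            diverging_watched.append(name)
            for ip in ips:
                names_by_ip[ip].add(name)
        else:
            diverging_control.append(name)
    collapsed = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= 2}
    suspect = bool(diverging_watched) and not diverging_control and bool(collapsed)
    return {"diverging_watched": sorted(diverging_watched),
            "diverging_control": sorted(diverging_control),
            "collapsed_to": collapsed,
            "verdict": "SUSPECT" if suspect else "OK"}

# Constructed answers: 203.0.113.0/24 plays the provider's real addresses,
# 198.51.100.80 the actor-owned host the watched names are steered to.
REFERENCE_ANSWERS = {"outlook.live.com": {"203.0.113.10", "203.0.113.11"},
                     "imap-mail.outlook.com": {"203.0.113.20"},
                     "autodiscover-s.outlook.com": {"203.0.113.30"},
                     "www.example.org": {"203.0.113.200"}}
DHCP_ANSWERS = {"outlook.live.com": {"198.51.100.80"},
                "imap-mail.outlook.com": {"198.51.100.80"},
                "autodiscover-s.outlook.com": {"198.51.100.80"},
                "www.example.org": {"203.0.113.200"}}  # control name left alone

if __name__ == "__main__":
    resolvers = parse_resolvers(SAMPLE_LEASE + SAMPLE_RESOLV_CONF)
    print("resolvers handed out:", resolvers)
    print("not on allowlist:", unexpected_resolvers(resolvers))
    for key, value in selective_hijack_report(DHCP_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"{key}: {value}")
```

In practice the two answer dictionaries would be filled by querying the same set of names against the resolver DHCP supplied and against a pinned reference resolver; the control names matter as much as the watched ones, because a hijacked resolver that answers everything correctly except mail and login hosts is exactly the pattern the NCSC describes. The resolver's banner can be pulled with `dig @<resolver> version.bind CHAOS TXT`, which dnsmasq answers with its version string, but as noted above a dnsmasq 2.85 banner on its own proves little.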