VYPR advisory · Published Apr 7, 2026 · Updated May 18, 2026 · 1 source

Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns

UK NCSC warns that Russian APT28 (Fancy Bear) is exploiting vulnerable SOHO routers to hijack DNS settings and steal credentials via adversary-in-the-middle attacks.

The UK's National Cyber Security Centre (NCSC) has issued a new advisory warning that Russian state-sponsored hacking group APT28 (also known as Fancy Bear) is actively exploiting vulnerable small office/home office (SOHO) routers to conduct credential theft campaigns. The advisory, published on April 7, details two distinct clusters of malicious activity targeting organizations of intelligence value, with a particular focus on Ukraine.

In the first cluster, APT28 exploits vulnerable TP-Link routers, primarily the WR841N model, using CVE-2023-50224—a vulnerability that allows unauthenticated attackers to obtain password credentials via specially crafted HTTP GET requests. The attackers modify the DNS server settings that the compromised router's DHCP service hands out, pointing them at attacker-controlled DNS servers. Downstream devices such as laptops and phones inherit these settings with their DHCP lease, so their DNS lookups, and therefore their traffic, are redirected to malicious servers.

Once traffic is redirected, APT28 performs adversary-in-the-middle (AitM) attacks against browser sessions and desktop applications to harvest passwords, OAuth tokens, and other credentials for web and email services. The NCSC notes that subsequent malicious logins using stolen data may originate from infrastructure not listed in the advisory, indicating a broader operational footprint.
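The hijack described in the two paragraphs above works because clients accept whatever DNS servers arrive in DHCP option 6. A network-side check is to inspect DHCP OFFER/ACK messages on the LAN and flag any advertised resolver that is not one the network owner expects. The following is an added example, not code from the NCSC advisory, TP-Link, or Vypr: a minimal parser for the DHCP option area, a check of option 6 against an allowlist, and a builder that constructs sample ACK packets for testing. The allowlist (`192.168.0.1`, assumed to be the router's LAN address) and the rogue resolver `203.0.113.45` (a documentation-range address) are constructed values, not indicators from the advisory.

```python
"""
Detect DNS servers handed out by DHCP that are not on an allowlist.

Added example (not from the NCSC advisory or the Vypr summary). The packet
bytes produced by build_dhcp_ack() are constructed for this demonstration;
the allowlist used in __main__ is an assumed set of expected resolvers.
"""
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the option area
OPT_PAD = 0
OPT_DNS_SERVERS = 6       # option 6: list of IPv4 DNS servers
OPT_MESSAGE_TYPE = 53     # option 53: DHCP message type
OPT_END = 255
DHCP_ACK = 5


def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
    """Parse the TLV option area after the 240-byte fixed DHCP header.

    Returns option code -> raw value. Stops at OPT_END and raises ValueError
    on a message that is not DHCP or whose option list is truncated.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def dns_servers_from_options(options: dict[int, bytes]) -> list[str]:
    """Decode option 6 into dotted-quad strings (empty list if absent)."""
    raw = options.get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4 != 0:
        raise ValueError("DNS server option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, len(raw), 4)]


def unexpected_dns_servers(payload: bytes, allowed: set[str]) -> list[str]:
    """Return resolvers advertised in a DHCP message that are not allowlisted."""
    options = parse_dhcp_options(payload)
    return [s for s in dns_servers_from_options(options) if s not in allowed]


def build_dhcp_ack(dns_servers: list[str], your_ip: str = "192.168.0.20") -> bytes:
    """Construct a minimal DHCP ACK (fixed header + options) for testing."""
    header = bytearray(240)
    header[0] = 2   # op = BOOTREPLY
    header[1] = 1   # htype = Ethernet
    header[2] = 6   # hlen = 6
    header[16:20] = ipaddress.IPv4Address(your_ip).packed  # yiaddr
    header[236:240] = DHCP_MAGIC_COOKIE
    dns_bytes = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    opts = (
        bytes([OPT_MESSAGE_TYPE, 1, DHCP_ACK])
        + bytes([OPT_DNS_SERVERS, len(dns_bytes)]) + dns_bytes
        + bytes([OPT_END])
    )
    return bytes(header) + opts


if __name__ == "__main__":
    # Assumed allowlist: the router's own LAN address is the only expected resolver.
    allowed = {"192.168.0.1"}
    # Constructed packets: a benign ACK and one whose option 6 has been altered.
    benign = build_dhcp_ack(["192.168.0.1"])
    hijacked = build_dhcp_ack(["192.168.0.1", "203.0.113.45"])
    print("benign  :", unexpected_dns_servers(benign, allowed))    # []
    print("hijacked:", unexpected_dns_servers(hijacked, allowed))  # ['203.0.113.45']
```

In practice the payload would come from a packet capture or a DHCP relay log on the LAN segment; the check is the same. Alerting on any resolver outside the allowlist catches the configuration change the advisory describes even when the router's web interface no longer shows it, since it is the DHCP messages themselves, not the router's admin page, that downstream devices trust.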

The second cluster targets MikroTik and TP-Link routers, with DNS requests forwarded from compromised devices to further remote actor-owned servers. This infrastructure was also used in interactive operations against a small number of MikroTik routers in Ukraine, suggesting targeted espionage. Microsoft Threat Intelligence corroborates the findings, stating that APT28 and its sub-group Storm-2754 have been compromising VPS servers since at least August 2025 to facilitate these router-based attacks.

The NCSC assesses that the initial DNS hijacking operations are opportunistic, allowing APT28 to gain visibility into a large pool of candidates before filtering down to victims of likely intelligence value. The group is attributed to the Russian GRU's 85th Main Special Service Centre (GTsSS), Military Unit 26165.

TP-Link responded to the advisory, noting that the referenced devices reached end-of-service-and-life (EOSL) status years ago and are outside standard maintenance. However, the company has developed security updates for select legacy models where feasible and urges users to upgrade to supported hardware, disable remote management, use strong passwords, and restrict device access.

The NCSC recommends mitigations including browse-down architecture, prompt patching, application allowlisting, host-based intrusion detection, and multifactor authentication to defend against these attacks. This advisory adds to APT28's long history of cyber operations, including the 2015 attack on the German parliament and the 2018 attempted attack on the OPCW.

Synthesized by Vypr AI