The UK’s National Cyber Security Centre (NCSC) has issued a stark warning about the Russian hacking group APT28, revealing that the group has been exploiting vulnerabilities in internet routers to redirect online traffic through servers under its control. The aim of this tactic is to steal credentials from targeted organizations, and it illustrates the persistent threat posed by state-sponsored actors.
In its advisory, published on April 7, the NCSC noted the detection of two distinct malicious campaigns that it attributes to APT28, a group linked to Russia’s General Staff Main Intelligence Directorate (GRU), specifically the Military Intelligence Unit known as 26165. APT28 is also widely recognized under several aliases, including Fancy Bear, Forest Blizzard, Strontium, and the Sednit Gang.
Since 2024, the NCSC has observed APT28 operating a set of virtual private servers (VPSs) configured to act as malicious domain name system (DNS) servers. The advisory states that these VPSs receive a high volume of DNS requests from routers that have been compromised, with APT28 most likely using publicly known vulnerabilities to gain access to them.
The NCSC characterizes the initial operations of these DNS hijacking attacks as “opportunistic,” suggesting that APT28’s hackers are casting a wide net initially to identify potential victims. By gaining visibility across a diverse range of users, they can subsequently focus their attacks on individuals or organizations deemed to have significant intelligence value.
In a separate report released on the same day by Microsoft Threat Intelligence, it was highlighted that APT28 and a subgroup referred to as Storm-2754 began compromising VPS servers to target small office/home office (SOHO) routers as early as August 2025. This emphasizes the long-term strategy employed by the group to infiltrate organizations through common household and office devices.
The NCSC’s advisory identifies one activity cluster specifically targeting TP-Link routers. In this instance, the dynamic host configuration protocol (DHCP) DNS settings of compromised SOHO routers—primarily TP-Link models—were altered to include IP addresses controlled by the hackers. Notably, the TP-Link WR841N router model was reportedly exploited through a vulnerability designated as CVE-2023-50224. This vulnerability allows unauthorized attackers to extract sensitive information, including password credentials, through specially crafted HTTP GET requests.
The malicious changes made to the DNS settings would then affect any downstream devices connected to the compromised routers, such as laptops and smartphones. Consequently, any requests that aligned with APT28’s targeting criteria would be rerouted to the malevolent DNS servers operated by the hackers. In a subsequent phase of their attack, APT28 attempted to execute adversary-in-the-middle (AitM) tactics against ongoing browser sessions and desktop applications. The objective was clear: harvest usernames, passwords, OAuth tokens, and other credentials associated with web and email services.
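The mechanism described above (a router’s DHCP handing clients a resolver that points to an attacker’s VPS) gives defenders a concrete thing to check from the client side. The following is an added example, not code from the NCSC or Microsoft reports: it parses what a DHCP client recorded in resolv.conf, flags any resolver that is neither on an expected allow-list nor in RFC 1918 LAN space, and compares answers from the DHCP-assigned resolver against a trusted out-of-band resolver. The addresses, the allow-list and the answer sets are constructed for the example (documentation ranges, not real indicators).

```python
import ipaddress

# Constructed sample of what a DHCP client wrote to resolv.conf.
# 192.0.2.53 stands in for an attacker-controlled VPS (documentation address, not a real IoC).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.lan
nameserver 192.168.0.1
nameserver 192.0.2.53
"""

# Assumed: the only resolvers a client on this LAN should ever be handed (router + ISP).
EXPECTED_RESOLVERS = {"192.168.0.1", "203.0.113.10"}

# RFC 1918 space: a resolver here is at least on the LAN, not an external VPS.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed answers: what the DHCP-assigned resolver returned versus a trusted
# out-of-band resolver (e.g. DNS over HTTPS to a known provider) for the same names.
DHCP_ANSWERS = {"mail.example.com": ["192.0.2.77"], "login.example.com": ["198.51.100.5"]}
TRUSTED_ANSWERS = {"mail.example.com": ["198.51.100.20"], "login.example.com": ["198.51.100.5"]}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr: str, expected: set[str] = EXPECTED_RESOLVERS) -> str:
    """'expected', 'lan' (unexpected but RFC 1918) or 'external' (unexpected public host)."""
    if addr in expected:
        return "expected"
    ip = ipaddress.ip_address(addr)
    return "lan" if any(ip in net for net in LAN_RANGES) else "external"


def rogue_resolvers(resolv_conf: str, expected: set[str] = EXPECTED_RESOLVERS) -> list[str]:
    """DHCP-supplied resolvers that are neither expected nor on the LAN: the hijack signature."""
    return [s for s in parse_nameservers(resolv_conf) if classify_resolver(s, expected) == "external"]


def resolution_mismatches(dhcp_answers: dict, trusted_answers: dict) -> list[str]:
    """Names for which the DHCP-assigned resolver disagrees with the trusted resolver."""
    return sorted(n for n, a in dhcp_answers.items() if set(a) != set(trusted_answers.get(n, [])))


if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV_CONF))                      # ['192.0.2.53']
    print("mismatched names:", resolution_mismatches(DHCP_ANSWERS, TRUSTED_ANSWERS))  # ['mail.example.com']
```

On a real host the resolv.conf text and the two answer sets would come from the running system and a live DoH query; a non-empty result from either function is the point at which to examine the router’s DHCP settings.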
The NCSC warned that any subsequent unauthorized logins using the stolen credentials might originate from additional infrastructure not detailed in their advisory, adding another layer of concern for potential victims.
In the second identified activity cluster, the NCSC observed compromised MikroTik and TP-Link routers also sending DNS requests to malicious servers controlled by APT28. This infrastructure appeared to be integral to targeted operations against specific MikroTik routers, which were likely selected for their intelligence value, especially those located in Ukraine.
To counter the credential theft orchestrated by APT28, the NCSC proposed a number of mitigation strategies designed to fortify defenses against such attacks. Recommendations include implementing a browse-down architecture to impede attackers from accessing critical assets easily. They also advised organizations to ensure that their systems run the latest supported software versions, apply security updates diligently, deploy antivirus software, and conduct regular malware scans.
Additional suggestions included application allow-listing (whitelisting), deploying host-based intrusion detection systems, and integrating multifactor authentication (MFA) into security processes. These measures are essential to bolstering defenses against the persistent and evolving tactics employed by groups like APT28.
Historically, APT28 has been linked to a range of high-profile cyber incidents, such as the 2015 cyber-attacks on the German parliament and an attempted breach of the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018. These past activities underscore the ongoing threat posed by groups operating under the direction of state intelligence agencies, and the need for continued vigilance in cybersecurity across all sectors.