Russia’s military intelligence service has been inside home and office routers across Europe and beyond for two years, stealing login credentials from anyone who connects to the compromised networks. The UK’s National Cyber Security Centre published a detailed advisory Monday confirming that APT28, assessed with high confidence to be Russia’s GRU 85th Main Special Service Centre, has compromised thousands of routers to conduct DNS hijacking operations that harvest passwords and authentication tokens.
The scale is significant. The NCSC identified two distinct clusters of malicious infrastructure each involving multiple Virtual Private Servers configured to operate as fake DNS resolvers. These servers have been receiving “high volumes of DNS requests” from compromised routers since at least 2024, according to the advisory. The FBI confirmed the campaign is ongoing and warned that Russian actors are actively exploiting TP-Link routers using CVE-2023-50224.
The Attack Method Is Deceptively Simple
APT28 exploits known vulnerabilities in Small Office/Home Office routers to modify their DHCP and DNS settings. Once inside a router, the attackers change its DNS server configuration to point to infrastructure they control. Every device that connects to the compromised network, including laptops, smartphones and tablets, inherits these poisoned DNS settings automatically, because the router hands them out to clients over DHCP.
When victims try to reach legitimate websites, particularly Microsoft Outlook Web Access, the malicious DNS servers redirect them to convincing replica sites. Paul Chichester, NCSC Director of Operations, described the tactic as leveraging “exploited vulnerabilities in widely used network devices” for sophisticated hostile operations. The attackers specifically target authentication flows to steal both passwords and OAuth tokens that grant persistent access to cloud services.
Microsoft confirmed that APT28 has conducted adversary-in-the-middle attacks against Microsoft 365 domains and observed the activity targeting government organisations in Africa that were not hosted on Microsoft infrastructure. The company’s Threat Intelligence team noted that “Forest Blizzard intercepted DNS requests and conducted follow-on collection” in these cases.
Router Manufacturers Are Not Keeping Up
The NCSC specifically named TP-Link routers as compromised in this campaign, particularly the WR841N model exploited via CVE-2023-50224. This vulnerability allows unauthenticated attackers to extract credentials through specially crafted HTTP requests, a flaw that should never have reached production. MikroTik devices also appear in the compromised infrastructure logs, though the specific vulnerabilities used against those models were not disclosed in the advisory.
TechCrunch reported that the campaign targeted “unpatched routers” using “previously disclosed vulnerabilities”, which suggests this is not sophisticated zero-day exploitation but opportunistic attacks against devices that consumers and small businesses have failed to update. That makes the scale of compromise even more concerning: thousands of routers are falling to known, patchable flaws.
The Intelligence Operation Behind the Technical Attack
The NCSC assessed that these operations are opportunistic in nature. APT28 casts a wide net to compromise as many routers as possible, then filters the harvested credentials to identify targets of intelligence value. This approach allows Russia’s military intelligence to monitor a vast pool of potential targets before focusing resources on the most valuable accounts.
Black Lotus Labs, Lumen’s research arm, observed APT28 targeting “a small number of government organizations” in North Africa, Central America and Southeast Asia through this campaign. The geographic spread suggests this is not a targeted operation against specific entities but a global intelligence collection effort designed to identify and exploit high-value accounts as they surface in the harvested data.
What Router Owners Must Do This Week
Check your router’s DNS settings immediately. If your router is configured to use DNS servers you do not recognise, particularly IP addresses that are not your internet service provider’s standard resolvers, assume compromise. The FBI advises users to “upgrade end-of-support devices, update to latest firmware versions, change default usernames and passwords and disable remote management interfaces from the Internet.”
Any certificate warnings in web browsers or email applications should be treated as potential indicators of DNS hijacking. The NCSC and Microsoft have published technical indicators of compromise that network administrators can use to identify malicious DNS infrastructure, though these indicators will only catch the specific servers disclosed in this advisory.
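The two checks just described, as an added example that is not part of the original article or of the NCSC/FBI guidance: a Python script a user or administrator can run from any host on a suspect network. It reads the resolvers the router handed out over DHCP (the distribution mechanism described in the attack section) and compares them against an allowlist of the ISP's resolvers and an IoC list, then queries a resolver of your choosing directly for a sensitive hostname and compares the answer with what the system resolver returns. The allowlist, the IoC address, the choice of trusted resolver, the hostname and all test data are constructed placeholders, not values from the advisory.

```python
"""Host-side checks for router DNS hijacking (added example, not advisory code).
Check 1: did the router hand this host resolvers we expect?
Check 2: does the system resolver agree with a resolver we query directly?
The allowlist, IoC list and sample data are constructed placeholders."""
import ipaddress
import os
import re
import socket

# Constructed placeholders in RFC 5737 test ranges; substitute your ISP's
# resolvers and the IoC list published with the advisory.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
KNOWN_BAD_RESOLVERS = {"203.0.113.7"}
TRUSTED_RESOLVER = "9.9.9.9"   # assumption: any resolver you trust, reached directly

def parse_resolv_conf(text: str) -> list[str]:
    """Nameserver addresses from resolv.conf-style text, comments ignored."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"nameserver\s+(\S+)", line.split("#", 1)[0].strip())
        if m:
            servers.append(m.group(1))
    return servers

def classify_resolvers(resolvers, expected=EXPECTED_RESOLVERS, known_bad=KNOWN_BAD_RESOLVERS):
    """'critical' = matches an IoC, 'ok' = allowlisted, 'lan' = private address (usually
    the router itself), 'unknown' = unrecognised public resolver. 'lan' is not a clean
    bill of health: a hijacked router that forwards queries upstream still hands out its
    own LAN address, which is why check 2 exists."""
    verdicts = {}
    for ip in resolvers:
        if ip in known_bad:
            verdicts[ip] = "critical"
        elif ip in expected:
            verdicts[ip] = "ok"
        elif ipaddress.ip_address(ip).is_private:
            verdicts[ip] = "lan"
        else:
            verdicts[ip] = "unknown"
    return verdicts

def build_a_query(hostname: str, txid: bytes) -> bytes:
    """Minimal recursive A/IN query (RFC 1035): header, QNAME, QTYPE, QCLASS."""
    labels = hostname.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = txid + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3   # RD=1, QDCOUNT=1
    return header + qname + b"\x00\x01\x00\x01"

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a DNS name, including compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_a_answers(response: bytes, txid: bytes) -> set[str]:
    """IPv4 answers from a raw DNS response; a wrong transaction ID is rejected."""
    if response[:2] != txid:
        raise ValueError("transaction ID mismatch")
    qdcount = int.from_bytes(response[4:6], "big")
    ancount = int.from_bytes(response[6:8], "big")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(response, pos) + 4             # skip QTYPE + QCLASS
    answers = set()
    for _ in range(ancount):
        pos = _skip_name(response, pos)
        rtype = int.from_bytes(response[pos:pos + 2], "big")
        rdlen = int.from_bytes(response[pos + 8:pos + 10], "big")
        if rtype == 1 and rdlen == 4:                   # A record
            answers.add(str(ipaddress.IPv4Address(response[pos + 10:pos + 14])))
        pos += 10 + rdlen                               # TYPE+CLASS+TTL+RDLENGTH+RDATA
    return answers

def query_a(hostname: str, resolver_ip: str, timeout: float = 3.0) -> set[str]:
    """Ask one specific resolver over UDP/53, bypassing the system DNS settings."""
    txid = os.urandom(2)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(hostname, txid), (resolver_ip, 53))
        response, _ = sock.recvfrom(4096)
    return parse_a_answers(response, txid)

def compare_answers(system_answers: set[str], trusted_answers: set[str]) -> str:
    """'match' if the resolvers share an address, else 'mismatch'. CDNs answer differently
    per region, so a mismatch means investigate (check the TLS certificate), not proof."""
    return "match" if system_answers & trusted_answers else "mismatch"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:            # assumption: a Linux/Unix host
        print(classify_resolvers(parse_resolv_conf(f.read())))
    host = "outlook.office.com"                    # any login front end you rely on
    system = {a[4][0] for a in socket.getaddrinfo(host, 443, socket.AF_INET)}
    print(host, compare_answers(system, query_a(host, TRUSTED_RESOLVER)))
```

Run it from a laptop on the suspect network. A `critical` verdict or an `unknown` public resolver is the setting the paragraph above tells you to look for; a `lan` verdict only means the router is the resolver, so the second check (a direct query to a resolver you trust, compared with the system answer) is what catches a router that forwards to attacker infrastructure. Because large cloud services answer from region-specific addresses, treat a mismatch as a prompt to inspect the certificate the site presents, which ties in with the browser-warning advice above.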
For organizations with remote workers, this campaign underscores why corporate VPN access should never rely on the security of home networks. If employees are accessing corporate resources through compromised routers, their authentication tokens can be harvested regardless of endpoint security controls. The FBI specifically recommends that organizations review relevant policies regarding how employees access sensitive data in light of this campaign.
References
- NCSC Advisory: APT28 exploit routers to enable DNS hijacking operations
- FBI Internet Crime Complaint Center: Russian GRU Exploiting Vulnerable Routers
- Infosecurity Magazine: Russian APT28 Hackers Hijack Routers to Steal Credentials
- BleepingComputer: Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins
- TechCrunch: Russian government hackers broke into thousands of home routers
- The Register: Russia’s APT28 behind latest wave of router, DNS attacks
April 8, 2026