Russian APT28 Hackers Hijack Routers to Steal Credentials
https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/
Publish Date: 2026-04-07 11:30:00
Source Domain: www.infosecurity-magazine.com
Russian hacking group APT28 has been exploiting vulnerable internet routers to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations, the UK government has warned.
In a new advisory published on April 7, the UK’s National Cyber Security Centre (NCSC) said it detected two new malicious campaigns it attributed to APT28.
Both campaigns are linked to a list of virtual private servers (VPS), which have been actively modified by APT28 since 2024 to operate as malicious domain name system (DNS) servers.
“These VPSs typically receive high volumes of DNS requests originating from routers that had been exploited by the actor likely utilising public vulnerabilities,” the NCSC advisory noted.
The NCSC assessed that the initial DNS hijacking operations are “opportunistic in nature,” meaning that the APT28 hackers likely use this method to first gain visibility of a large pool of candidates and then filter down users at each stage in the exploitation chain to triage for “victims of likely intelligence value.”
The UK government associates APT28 “almost certainly” with the Russian General Staff Main Intelligence Directorate’s (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165, which is known under many other names, including Fancy Bear, Forest Blizzard, Strontium, the Sednit Gang, and Sofacy.
In a separate report, also published on April 7, Microsoft Threat Intelligence said APT28 and its sub-group, tracked as Storm-2754, have been compromising VPS servers to exploit small office/home office (SOHO) routers “since at least August 2025.”
First Activity Cluster Targets TP-Link Routers
In the first activity cluster identified by the British cybersecurity agency, the dynamic host configuration protocol (DHCP) DNS settings of compromised SOHO routers, mostly TP-Link routers, were modified to include actor-owned IP addresses.
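A defender's check for the DHCP-based DNS redirection described above, as an added example that is not taken from the NCSC advisory or this article: it parses the DNS-server option (option 6) of a DHCPOFFER and flags any resolver that is not on the site's allowlist of expected resolvers. The packet bytes, the allowlist and the rogue address are constructed; in practice the offer would come from a packet capture on the LAN segment behind the router.

```python
"""Check DNS servers advertised in a DHCPOFFER (option 6) against an allowlist.
Added example, not from the advisory or article; all bytes/addresses are constructed."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options area
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: bad magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, carries no length
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def offered_dns_servers(opts: dict) -> list:
    raw = opts.get(OPT_DNS, b"")     # option 6: concatenated 4-byte IPv4 addresses
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def rogue_dns_servers(packet: bytes, allowlist: set) -> list:
    """DNS servers in a DHCPOFFER that are not among the expected resolvers."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != b"\x02":   # 2 = DHCPOFFER; ignore other message types
        return []
    return [s for s in offered_dns_servers(opts) if s not in allowlist]


def build_offer(dns_ips: list) -> bytes:
    """Constructed DHCPOFFER: zeroed 236-byte BOOTP header, cookie, then options."""
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_DNS, 4 * len(dns_ips)])
    opts += b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_ips)
    return b"\x00" * 236 + MAGIC_COOKIE + opts + bytes([OPT_END])


EXPECTED = {"192.0.2.53", "192.0.2.54"}  # constructed: the site's own resolvers

if __name__ == "__main__":
    offer = build_offer(["192.0.2.53", "203.0.113.9"])  # second address is the constructed rogue
    print(rogue_dns_servers(offer, EXPECTED))  # ['203.0.113.9']
```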
One of the router models appearing in this campaign, the…