{"id":232222,"date":"2026-04-07T11:30:00","date_gmt":"2026-04-07T15:30:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/07\/russian-apt28-hackers-hijack-routers-to-steal-credentials\/"},"modified":"2026-04-07T14:05:10","modified_gmt":"2026-04-07T18:05:10","slug":"russian-apt28-hackers-hijack-routers-to-steal-credentials","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/07\/russian-apt28-hackers-hijack-routers-to-steal-credentials\/","title":{"rendered":"Russian APT28 Hackers Hijack Routers to Steal Credentials"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/\">Russian APT28 Hackers Hijack Routers to Steal Credentials<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/\">https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/<\/a><\/p>\n<p>Publish Date: 2026-04-07 11:30:00<\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>Russian hacking group APT28 has been exploiting vulnerable internet routers to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations, the UK government has warned.<\/p>\n<p>In a new advisory published on April 7, the UK\u2019s National Cyber Security Centre (NCSC) said it detected two new malicious campaigns it attributed to APT28.<\/p>\n<p>Both campaigns are linked to a list of virtual private servers (VPS), which have been actively modified by APT28 since 2024 to operate as malicious domain name system (DNS) servers.<\/p>\n<p>\u201cThese VPSs typically receive high volumes of DNS requests originating from routers that had been exploited by the actor likely utilising public vulnerabilities,\u201d the NCSC advisory noted.<\/p>\n<p>The NCSC assessed that the initial DNS hijacking 
operations are \u201copportunistic in nature,\u201d meaning that the APT28 hackers likely use this method to first gain visibility of a large pool of candidates and then filter down users at each stage in the exploitation chain to triage for \u201cvictims of likely intelligence value.\u201d<\/p>\n<p>The UK government associates APT28 \u201calmost certainly\u201d with the Russian General Staff Main Intelligence Directorate\u2019s (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165. The group is known under many other names, including Fancy Bear, Forest Blizzard, Strontium, the Sednit Gang, and Sofacy.<\/p>\n<p>In a separate report, also published on April 7, Microsoft Threat Intelligence said APT28 and its sub-group, tracked as Storm-2754, started compromising VPS servers to exploit small office\/home office (SOHO) routers &#8220;since at least August 2025.&#8221;<\/p>\n<h2><strong>First Activity Cluster Targets TP-Link Routers<\/strong><\/h2>\n<p>In the first activity cluster identified by the British cybersecurity agency, the dynamic host configuration protocol (DHCP) DNS settings of compromised SOHO routers, mostly TP-Link routers, were modified to include actor-owned IP addresses.<\/p>\n<p>One of the router models appearing in this campaign, the&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russian APT28 Hackers Hijack Routers to Steal Credentials https:\/\/www.infosecurity-magazine.com\/news\/russia-apt28-hijack-routers-uk-ncsc\/ Publish Date: 2026-04-07 11:30:00 Source 
Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":232223,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/5ec2af2f-60e1-4d68-ab5c-dafdb43bc467.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31],"class_list":["post-232222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232222"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=232222"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232222\/revisions"}],"predecessor-version":[{"id":232224,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232222\/revisions\/232224"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/232223"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=232222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=232222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=232222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}