Full Report
George Allison reports: In a new advisory, the NCSC warned that APT28, a cyber group linked to Russia’s GRU Military Unit 26165, has been exploiting vulnerabilities in edge network devices to conduct Domain Name System hijacking operations. DNS is the system that translates website addresses into the numerical IP addresses computers use to connect, and...
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Primary Name:** APT28
* **Associated Unit:** Russian General Staff Main Intelligence Directorate (GRU), specifically Military Unit 26165 and the 85th Main Special Service Center (85th GTsSS).
* **Aliases:** Fancy Bear, Forest Blizzard.
## Activity Summary
Since at least 2024, APT28 has been engaged in a global campaign targeting edge network devices—specifically Small-Office Home-Office (SOHO) routers—to facilitate Domain Name System (DNS) hijacking. The operation involves compromising these devices to intercept unencrypted and encrypted traffic, enabling the theft of sensitive credentials and intelligence. In early April 2026, the FBI, DOJ, and international partners (including the UK NCSC) announced the disruption of a major GRU-controlled network of these compromised routers.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Devices:** Exploiting known vulnerabilities in hardware to gain initial access.
* **CVE-2023-50224:** Exploitation of TP-Link routers through this specific vulnerability.
* **DNS Hijacking:** Modifying the device’s Dynamic Host Configuration Protocol (DHCP) and DNS settings.
* **Adversary-in-the-Middle (AitM):** Using actor-controlled DNS resolvers to provide fraudulent DNS answers for specific services.
* **SSL/TLS Interception:** Intercepting encrypted sessions by presenting a certificate that triggers browser certificate warnings and relying on users to click through them, after which the traffic can be read in plaintext.
* **Credential Harvesting:** Capturing passwords, authentication tokens, and session data.
* **Filtering:** Indiscriminate compromise of a wide pool of devices, followed by targeted filtering for high-value intelligence.
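A defender-side check that follows from the DHCP/DNS-tampering and AitM techniques above, added here as an example and not part of the NCSC advisory or this report: it flags resolvers a host was handed that are not on an allowlist, and answers for a sensitive hostname that neither agree with a trusted reference resolver nor fall inside the service's known address ranges. All addresses, the resolver allowlist and the webmail ranges are constructed sample values, not values from the advisory.

```python
"""Client-side checks for router-level DNS hijacking, on constructed sample data.
Check 1: the resolvers a host received via DHCP are not the expected ones.
Check 2: answers for a sensitive hostname diverge from a trusted reference
resolver AND fall outside the address ranges the service is known to use."""
import ipaddress

def unexpected_resolvers(configured, allowed):
    """Resolvers handed to the host that are not on the allowlist. A home
    router normally advertises its own LAN address or a known corporate/ISP
    resolver; anything else deserves attention."""
    allowed_set = {ipaddress.ip_address(a) for a in allowed}
    return [r for r in configured if ipaddress.ip_address(r) not in allowed_set]

def divergent_answers(local_answers, reference_answers, known_ranges):
    """Local answers matching neither the reference resolver nor a network the
    service is known to use. The range check avoids false positives from CDNs
    and anycast, where honest resolvers legitimately return different IPs."""
    reference = {ipaddress.ip_address(a) for a in reference_answers}
    networks = [ipaddress.ip_network(n) for n in known_ranges]
    return [
        a for a in local_answers
        if ipaddress.ip_address(a) not in reference
        and not any(ipaddress.ip_address(a) in net for net in networks)
    ]

# Constructed sample (RFC 1918 / RFC 5737 addresses). The router should hand
# out itself (192.168.1.1) or the corporate resolver (10.0.0.53); 192.0.2.53
# is an unexpected external resolver of the kind a tampered router would push.
ALLOWED_RESOLVERS = ["192.168.1.1", "10.0.0.53"]
DHCP_RESOLVERS = ["192.168.1.1", "192.0.2.53"]
# For a hypothetical webmail host the reference resolver returns 198.51.100.10
# (inside the published 198.51.100.0/24); 192.0.2.44 matches neither.
WEBMAIL_REFERENCE = ["198.51.100.10"]
WEBMAIL_KNOWN_RANGES = ["198.51.100.0/24"]
WEBMAIL_LOCAL = ["198.51.100.10", "192.0.2.44"]

def run_checks():
    """Run both checks over the sample data and return the findings."""
    return {
        "unexpected_resolvers": unexpected_resolvers(DHCP_RESOLVERS, ALLOWED_RESOLVERS),
        "divergent_answers": divergent_answers(
            WEBMAIL_LOCAL, WEBMAIL_REFERENCE, WEBMAIL_KNOWN_RANGES),
    }

if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits or 'none'}")
```

In practice the "local" answers come from the host's configured resolver and the "reference" answers from an independent resolver reached over DoH/DoT, so the router cannot tamper with both.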
## Targeting
* **Sectors:** Military, Government, and Critical Infrastructure.
* **Geography:** Worldwide, with specific mentions of the United States and partner nations including Canada, Czech Republic, Denmark, Estonia, Finland, Germany, Italy, Latvia, Lithuania, Norway, Poland, Portugal, Romania, Slovakia, and Ukraine.
* **Victims:** Users of personal web and email services (specifically Microsoft Outlook Web Access) and remote-working employees.
## Tools & Infrastructure
* **Hardware Targeted:** SOHO routers, specifically TP-Link models.
* **Infrastructure:** Actor-controlled DNS resolvers.
* **Malicious Redirection:** Redirection to malicious sites designed to harvest access tokens.
## Implications
This campaign demonstrates the GRU's strategic shift toward targeting the "edge" of the network, where security monitoring is often weaker. By hijacking DNS at the router level, APT28 can circumvent traditional endpoint protections and intercept data from all connected devices (laptops, phones). The ability to perform AitM attacks against encrypted services like Outlook Web Access poses a significant risk to the confidentiality of diplomatic and military communications.
## Mitigations
* **Hardware Lifecycle:** Replace end-of-life (EoL) or end-of-support devices that no longer receive security patches.
* **Patch Management:** Ensure all edge devices are updated to the latest firmware versions to remediate known vulnerabilities like CVE-2023-50224.
* **Credential Hygiene:** Change default usernames and passwords on all networking equipment.
* **Attack Surface Reduction:** Disable remote management interfaces from the Internet.
* **User Training:** Educate users and employees never to bypass or ignore SSL/TLS certificate warnings in browsers.
* **Remote Work Security:** Implement VPNs and hardened application configurations for employees accessing sensitive data from home environments.