Full Report
200 orgs and 5,000 devices compromised so far in Vlad's latest intelligence grab, Microsoft reckons The UK's National Cyber Security Centre (NCSC) has issued a fresh warning about Russia's ongoing targeting of routers to steal passwords and other secrets.…
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Identification:** APT28 is a sophisticated cyber-espionage group widely attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
* **Aliases:** Fancy Bear, Forest Blizzard (Microsoft nomenclature), Sednit, Sofacy, Pawn Storm, Strontium.
* **Associations:** Directly linked to Russian military intelligence.
## Activity Summary
According to reports from the UK NCSC and Microsoft (April 2026), APT28 has compromised more than 5,000 devices across roughly 200 organizations in a large-scale campaign. The campaign exploits vulnerabilities in Small Office/Home Office (SOHO) routers, then changes the routers' DNS configuration so that client traffic can be redirected through adversary-in-the-middle (AiTM) infrastructure. The activity has been ongoing since 2021, with marked spikes against Ukraine and continued targeting of Western infrastructure.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Devices:** Targeting SOHO routers (specifically TP-Link and Cisco) by exploiting known vulnerabilities.
* **DNS Hijacking:** Altering DNS server settings on compromised routers to redirect traffic.
* **Adversary-in-the-Middle (AiTM):** Redirecting users, via the hijacked resolver, to attacker-controlled lookalike pages, and where possible downgrading the connection so the copy can be served cleanly.
* **Credential Harvesting:** Serving fake login pages (e.g., Outlook clones) to capture user credentials.
* **Persistence:** Establishing backdoors on network hardware for follow-on access.
* **DNS Setting Inheritance:** Leveraging the fact that downstream devices (laptops, smartphones) receive their DNS settings from the gateway router over DHCP, so every client behind a hijacked router is affected without being touched directly.
* **MITRE ATT&CK IDs (inferred from the reported activity, not stated in the source):**
* T1190 (Exploit Public-Facing Application; initial access to the routers)
* T1584.002 (Compromise Infrastructure: DNS Server)
* T1557 (Adversary-in-the-Middle)
* T1056.003 (Input Capture: Web Portal Capture; credential harvesting on cloned login pages)
* T1601 (Modify System Image; firmware-level backdoors on network devices)
## Targeting
* **Sectors:** Military, Government, Enterprise organizations, and Critical Infrastructure.
* **Geography:** Global targeting with a heavy focus on Ukraine and the United Kingdom.
* **Victims:**
* 200+ organizations across various sectors.
* 5,000+ consumer and SOHO devices.
* Upstream organizations serving as conduits to larger enterprise targets.
## Tools & Infrastructure
* **Malware:** Unnamed backdoors specifically designed for Cisco and TP-Link firmware.
* **Legitimate Services Impersonated:** Outlook/Microsoft 365 login portals.
* **Infrastructure:**
* Malicious DNS infrastructure controlled by the actor.
* Compromised SOHO routers used as proxy points or redirection nodes.
* C2: specific IPs and domains were not detailed in the source reporting; the actor-controlled DNS servers are the redirection point, so any indicators that do get published should be handled defanged.
## Implications
The shift toward compromising SOHO routers is a move toward "living off the edge." By targeting home and small office routers, APT28 sits outside the enterprise perimeter and its monitoring, yet inline with the traffic of high-value individuals working remotely. A hijacked resolver turns ordinary logins into credential-harvesting opportunities, and a compromised upstream organization can serve as a conduit into larger enterprise networks. The pool of backdoored routers could also be repurposed for other operations, such as proxying or volumetric DDoS, although the source reporting does not describe that use.
## Mitigations
* **Patch Management:** Immediate patching of SOHO and enterprise router firmware (notably TP-Link and Cisco).
* **Hardening DNS:** Configuring endpoints to use encrypted DNS (DoH or DoT) to an explicitly configured trusted resolver (e.g., 1.1.1.1 or 8.8.8.8) rather than the resolver handed out by DHCP, so a router that has had its upstream DNS changed cannot influence name resolution. Note that this does not stop a compromised router from observing or tampering with plaintext traffic; it removes the redirection primitive, and TLS with HSTS does the rest.
* **Multi-Factor Authentication (MFA):** Implementation of phishing-resistant MFA (FIDO2) to negate the impact of stolen credentials.
* **Device Auditing:** Regularly checking router DNS and upstream-forwarder settings, firmware version and administrative accounts for unauthorized changes. Because clients behind a hijacked router still see the router itself as their resolver, also compare the answers the gateway returns for a few known domains against answers from a trusted resolver.
* **Zero Trust Architecture:** Ensuring the internal network does not inherently trust traffic based on its origin from a local gateway.
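The following script is an added example, not tooling from the NCSC or Microsoft reporting, showing the audit check from the mitigations list: it builds a raw DNS A query, parses the reply (including compression pointers), and compares the gateway resolver's answers against a trusted resolver. The allowlist `TRUSTED_RESOLVERS`, the gateway address `192.168.1.1`, and the sample reply for `mail.example.com` pointing at `203.0.113.10` are constructed for illustration. Note that CDN-fronted domains legitimately return different addresses from different resolvers, so pick domains with stable records or compare against a known-good set.

```python
"""Detect router-level DNS hijacking by comparing the gateway resolver's answers
with a trusted resolver's. Added example; assumptions are marked below."""
import ipaddress
import random
import socket
import struct

# Resolvers the organisation treats as trustworthy (assumption for this example).
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed reply: ID 0x1234, flags 0x8180 (response, RD, RA, NOERROR),
# one question (mail.example.com A IN), one answer (pointer to offset 12,
# A IN TTL 300, 203.0.113.10). Not captured from any real network.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234818000010001000000000"
    "46d61696c076578616d706c6503636f6d0000010001"
    "c00c000100010000012c0004cb00710a"
)


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> set[str]:
    """Extract IPv4 answers; reject replies with a wrong ID or an error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction ID mismatch (possible spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers: set[str] = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return answers


def resolve(name: str, server: str, timeout: float = 3.0) -> set[str]:
    """Query `server` over UDP/53 for `name` (needs network; not used by the tests)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def audit(dhcp_resolvers, expected_resolvers, gateway_answers, reference_answers):
    """Return findings as strings; an empty list means nothing suspicious.

    dhcp_resolvers:     resolvers a client actually received over DHCP
    expected_resolvers: what the organisation expects DHCP to hand out
    gateway_answers:    A records obtained via the DHCP-assigned resolver
    reference_answers:  A records for the same name via a trusted resolver
    """
    findings = []
    for r in dhcp_resolvers:
        if r not in expected_resolvers and r not in TRUSTED_RESOLVERS:
            findings.append(f"DHCP-assigned resolver {r} is not an expected resolver")
    if gateway_answers and reference_answers and gateway_answers.isdisjoint(reference_answers):
        findings.append(
            f"answers diverge: gateway says {sorted(gateway_answers)}, "
            f"reference says {sorted(reference_answers)}"
        )
    return findings


if __name__ == "__main__":
    # Offline demonstration using the constructed reply; swap in resolve() for live checks.
    gateway = parse_a_records(SAMPLE_RESPONSE, 0x1234)
    for finding in audit(["192.168.1.1"], {"192.168.1.1"}, gateway, {"198.51.100.7"}):
        print("FINDING:", finding)
```

For a live check, replace the constructed answers with `resolve("mail.example.com", "192.168.1.1")` and `resolve("mail.example.com", "1.1.1.1")`; a disjoint result for a domain with stable records is the signature of the upstream-forwarder change described above.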