APT28 Exploits Router Vulnerabilities to Hijack DNS and Conduct Credential Theft
What Happened — Russian state‑sponsored group APT28 (Fancy Bear) has been targeting vulnerable network routers, modifying their DHCP/DNS settings so that client traffic is resolved through attacker‑controlled DNS servers. The hijacked DNS enables adversary‑in‑the‑middle (AitM) attacks that harvest passwords, OAuth tokens and other authentication credentials.
Why It Matters for TPRM —
- Router compromise creates a hidden, persistent foothold that can affect any downstream service provider.
- DNS hijacking can silently exfiltrate credentials from SaaS, email and cloud platforms, amplifying third‑party risk.
- The technique is opportunistic and scalable, meaning any organization using unmanaged or legacy routers may be exposed.
Who Is Affected — All sectors that rely on internet‑connected routers, especially telecom, cloud‑hosting, SaaS, and enterprises with on‑premise network infrastructure.
Recommended Actions —
- Inventory all routers and verify firmware is up‑to‑date; apply vendor patches immediately.
- Audit DHCP/DNS configurations for unauthorized changes; enable DNSSEC where possible.
- Deploy network‑level monitoring for anomalous DNS queries and unexpected DNS server changes.
- Review third‑party contracts for router supply‑chain security clauses and ensure vendors follow hardening standards.
Technical Notes — APT28 leverages known router firmware vulnerabilities (e.g., CVE‑2024‑XXXX) to gain administrative access, then overwrites the DHCP/DNS options the router hands out to clients. The malicious DNS resolves legitimate domains to attacker‑controlled IPs, facilitating credential theft for web and email services.
Source: NCSC UK – APT28 exploit routers to enable DNS hijacking operations
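The audit and monitoring actions recommended above, and the tampering pattern described in the Technical Notes, can be checked with a small script. The following is an added example written for this brief, not tooling from NCSC UK or any router vendor. It makes two assumptions: that the router's DHCP configuration can be exported in dnsmasq‑style syntax (the `dhcp-option=6,...` line carries the DNS servers offered to clients), and that resolver logs are available as one line per query with the A‑record answer. The config excerpts, log lines, approved resolver list, domain names and IP ranges are all constructed sample data.

```python
"""
Detect router DHCP/DNS tampering of the kind described in this brief.

Two defensive checks:
  1. diff_dns_settings(): compare the DNS servers a router advertises via
     DHCP option 6 against an approved baseline and return any strangers.
  2. audit_resolutions(): compare A-record answers for high-value domains
     against the address ranges they are expected to resolve to, and flag
     answers that point elsewhere (the hallmark of a hijacked resolver).

All config text, log lines, domains and IP ranges below are constructed
sample data, not values from the original advisory.
"""
import ipaddress
import re

# Constructed baseline: the only resolvers clients should ever be handed.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed sample: dnsmasq-style DHCP config dumped from a router before
# and after a hypothetical compromise. Option 6 lists the DNS servers.
ROUTER_CONFIG_BEFORE = """
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=6,10.0.0.53,10.0.1.53
"""

ROUTER_CONFIG_AFTER = """
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=6,203.0.113.7,10.0.0.53
"""

# dnsmasq accepts either the numeric option code or the symbolic name.
OPTION6_RE = re.compile(r"^dhcp-option=(?:option:dns-server|6),(.+)$", re.M)


def parse_dhcp_dns_servers(config_text):
    """Return the DNS server addresses advertised in DHCP option 6."""
    servers = []
    for match in OPTION6_RE.finditer(config_text):
        for item in match.group(1).split(","):
            item = item.strip()
            if item:
                servers.append(ipaddress.ip_address(item))
    return servers


def diff_dns_settings(config_text, approved=APPROVED_RESOLVERS):
    """List advertised resolvers that are not on the approved baseline."""
    return [str(ip) for ip in parse_dhcp_dns_servers(config_text) if ip not in approved]


# Constructed expectation: where monitored domains legitimately resolve.
EXPECTED_RANGES = {
    "login.example.com": [ipaddress.ip_network("198.51.100.0/24")],
    "mail.example.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed resolver log: "<timestamp> <client> <qname> A <answer>".
# The second line shows a mail domain answered from an unexpected network.
DNS_LOG = """\
2024-05-01T10:00:01Z 192.168.1.20 login.example.com A 198.51.100.10
2024-05-01T10:00:05Z 192.168.1.21 mail.example.com A 203.0.113.45
2024-05-01T10:00:09Z 192.168.1.22 www.example.org A 192.0.2.8
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def audit_resolutions(log_text, expected=EXPECTED_RANGES):
    """Flag A-record answers for monitored domains outside their expected ranges."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not A-record queries
        timestamp, client, qname, answer = match.groups()
        ranges = expected.get(qname.lower())
        if ranges is None:
            continue  # domain is not on the watch list
        ip = ipaddress.ip_address(answer)
        if not any(ip in net for net in ranges):
            findings.append({"time": timestamp, "client": client,
                             "qname": qname, "answer": answer})
    return findings


if __name__ == "__main__":
    print("Unapproved resolvers (before):", diff_dns_settings(ROUTER_CONFIG_BEFORE))
    print("Unapproved resolvers (after): ", diff_dns_settings(ROUTER_CONFIG_AFTER))
    for finding in audit_resolutions(DNS_LOG):
        print("Suspicious answer:", finding)
```

In practice the baseline and expected ranges would come from the organization's own DNS records and change‑control data, and the config export would be pulled from each router in the inventory on a schedule so that an option‑6 change is caught on the next run rather than after credentials have already been harvested.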