Russian APT28 Hijacks SOHO Router DHCP/DNS Settings to Redirect Traffic and Harvest Credentials
What Happened — The Russian state‑linked group APT28 (GRU) has been exploiting known vulnerabilities in consumer‑grade routers (e.g., TP‑Link WR841N, MikroTik) to modify their DHCP and DNS configurations. The altered settings push attacker‑controlled DNS servers to every client on the network, enabling traffic redirection, man‑in‑the‑middle interception, and credential theft.
Why It Matters for TPRM —
- Router compromise can cascade to every downstream endpoint, exposing corporate credentials and sensitive data.
- DNS hijacking undermines network integrity, potentially disrupting services and violating compliance requirements.
- The attack leverages publicly disclosed CVEs, indicating that unpatched third‑party hardware remains a high‑risk vector.
Who Is Affected — Organizations that rely on unmanaged or poorly managed SOHO/branch routers across all sectors, especially those with remote workers, retail locations, and small‑office deployments.
Recommended Actions — Conduct an inventory of all network edge devices, verify firmware versions, apply patches (e.g., for CVE‑2023‑50224), disable remote administration, enforce strong admin credentials, and monitor DHCP/DNS configuration changes.
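The last recommended action, monitoring DHCP/DNS configuration changes, can be checked from the client side: the settings a router hands out land in the host's DHCP lease file, so an unexpected resolver or gateway is visible there. The following is an added example, not code from the source article; it parses a constructed dhclient.leases entry (the `203.0.113.45` resolver is a documentation-range placeholder, not a real indicator) and compares the delivered options against a site baseline that is also assumed here.

```python
import re

# Constructed sample dhclient.leases entry. The second DNS server is outside
# the site's expected set and stands in for an unexpected resolver.
SAMPLE_LEASE = """
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.45;
  option dhcp-server-identifier 192.168.1.1;
  renew 2 2026/04/07 10:00:00;
}
"""

# Assumed site baseline: the gateway is the only expected DHCP server, router
# and resolver. A hijacked router still matches on the first two but not the third.
BASELINE = {
    "dhcp-server-identifier": {"192.168.1.1"},
    "routers": {"192.168.1.1"},
    "domain-name-servers": {"192.168.1.1"},
}

# Matches lines of the form "option <name> <value>[, <value>...];"
OPTION_RE = re.compile(r"^\s*option\s+([\w-]+)\s+([^;]+);", re.MULTILINE)


def parse_lease(text):
    """Return {option: [values]} for the options in one dhclient lease block."""
    opts = {}
    for name, raw in OPTION_RE.findall(text):
        opts[name] = [v.strip() for v in raw.split(",")]
    return opts


def audit_lease(text, baseline=BASELINE):
    """Compare DHCP-delivered settings against the site baseline.
    Returns a list of (option, unexpected_value) findings; empty means clean."""
    findings = []
    opts = parse_lease(text)
    for option, allowed in baseline.items():
        for value in opts.get(option, []):
            if value not in allowed:
                findings.append((option, value))
    return findings


if __name__ == "__main__":
    for option, value in audit_lease(SAMPLE_LEASE):
        print(f"ALERT: unexpected {option} value {value} in DHCP lease")
```

Run periodically against the live lease file (for example `/var/lib/dhcp/dhclient.leases` on Debian-style hosts) and forward any finding to the SIEM; a resolver that is neither the gateway nor a known corporate DNS server is the first visible sign of the hijack described above.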
Technical Notes — Attack vector: exploitation of router firmware vulnerabilities (CVE‑2023‑50224) → unauthorized DHCP/DNS modification → traffic redirection to attacker‑controlled VPSs → credential harvesting (passwords, auth tokens). Data types captured include login credentials for email, SaaS platforms, and internal applications. Source: https://www.helpnetsecurity.com/2026/04/07/russian-hackers-router-hijacking-dns-credential-theft/