APT28 exploit routers to enable DNS hijacking operations
2026-04-07
Russian cyber actor APT28 exploits vulnerable routers to hijack DNS, enabling adversary-in-the-middle attacks and theft of passwords and authentication tokens.

Executive summary
Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. The resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email-related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.
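Because the change is made on the router, clients simply receive the altered resolver through DHCP. The following added example (not part of the NCSC advisory) is a defender-side check that reads ISC dhclient lease text and resolv.conf text and flags any DNS server outside an approved list. The approved addresses, sample data and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the organisation's approved resolvers (constructed values).
APPROVED = [ipaddress.ip_network(n) for n in ("10.0.0.53/32", "10.0.1.53/32")]

LEASE_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")
RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Constructed sample: an older lease, then a newer one with an extra resolver.
SAMPLE_LEASE = """
lease {
  option domain-name-servers 10.0.0.53;
}
lease {
  option domain-name-servers 203.0.113.10, 10.0.0.53;
}
"""
SAMPLE_RESOLV = "nameserver 10.0.0.53\nnameserver 203.0.113.10\n#nameserver 198.51.100.1\n"


def resolvers_from_lease(text):
    """DNS servers from the last lease block (dhclient appends the newest lease)."""
    matches = LEASE_RE.findall(text)
    return [s.strip() for s in matches[-1].split(",") if s.strip()] if matches else []


def resolvers_from_resolv_conf(text):
    """Active nameserver entries; commented-out lines are ignored."""
    return RESOLV_RE.findall(text)


def unapproved(resolvers, approved=APPROVED):
    """Return the resolvers that are not inside any approved network."""
    flagged = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r.split("%")[0])  # drop any IPv6 zone id
        except ValueError:
            flagged.append(r)  # an unparseable entry also deserves review
            continue
        if not any(addr in net for net in approved):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for source, found in (("dhcp lease", resolvers_from_lease(SAMPLE_LEASE)),
                          ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV))):
        print(source, "resolvers:", found, "unapproved:", unapproved(found))
```

Run across a fleet, a resolver that appears on many clients of one site but is absent from the approved list points at the router's DHCP configuration rather than at a single host.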
Source: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
