Russian APT28 Exploits Vulnerable Routers in Large-Scale Credential Theft Campaign
The UK’s National Cyber Security Centre (NCSC) has issued a warning about two ongoing cyberespionage campaigns by the Russian hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy), which is linked to Russia’s GRU military intelligence unit. Since early 2024, APT28 has been hijacking vulnerable internet routers, particularly TP-Link models, to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations.
How the Attack Works
APT28 has repurposed virtual private servers (VPS) as malicious DNS servers, intercepting high volumes of DNS requests from compromised routers. The group employs an opportunistic approach, initially casting a wide net to identify potential victims before narrowing down targets of intelligence value.
In one campaign, APT28 exploited CVE-2023-50224, a vulnerability in TP-Link WR841N routers that allows unauthenticated attackers to extract credentials via crafted HTTP requests. By altering the DHCP DNS settings on these routers, the group forced downstream devices (such as laptops and phones) to resolve requests through their malicious servers. This enabled adversary-in-the-middle (AitM) attacks, allowing APT28 to harvest passwords, OAuth tokens, and other credentials from web and email services.
Microsoft Threat Intelligence further reported that APT28 and its sub-group Storm-2754 have been compromising SOHO routers since at least August 2023, expanding their infrastructure to facilitate these attacks.
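The technique described above leaves a concrete trace on every downstream device: the DNS servers handed out in the DHCP lease no longer match what the organization expects. The following script is an added example, not code from the article, the NCSC or Microsoft. It parses lease records in ISC dhclient lease syntax and flags any advertised resolver outside an allowlist. The allowlist (EXPECTED_RESOLVERS), the lease sample (SAMPLE_LEASES, including the rogue 203.0.113.45 resolver) and the interface name are constructed for the example.

```python
"""Flag DHCP leases whose advertised DNS servers fall outside an allowlist.

A router whose DHCP DNS option has been altered will push an unexpected
resolver to every client it serves; checking the lease file on the client
side is one cheap way to notice that change.
"""
import ipaddress
import re

# Resolvers the organisation expects DHCP clients to receive (constructed values).
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.1/32"),  # the router's own forwarder
    ipaddress.ip_network("10.0.0.0/8"),      # internal corporate resolvers
]

# Constructed sample in ISC dhclient lease syntax. The second lease carries an
# extra resolver (203.0.113.45, a documentation address) that is not allowed.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
  renew 1 2024/03/04 10:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.45,192.168.0.1;
  renew 1 2024/03/05 10:00:00;
}
"""

# One lease block per "lease { ... }"; options are "option <name> <value>;" lines.
LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.DOTALL)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")
IFACE_RE = re.compile(r'interface\s+"([^"]+)"')


def parse_leases(text):
    """Return one dict per lease block mapping option names to raw values."""
    leases = []
    for block in LEASE_RE.findall(text):
        entry = {}
        iface = IFACE_RE.search(block)
        if iface:
            entry["interface"] = iface.group(1)
        for name, value in OPTION_RE.findall(block):
            entry[name] = value.strip()
        leases.append(entry)
    return leases


def find_unexpected_resolvers(text, allowlist=EXPECTED_RESOLVERS):
    """Return (lease_index, resolver, reason) for every resolver not allowed.

    Each lease may list several comma-separated servers; every one of them is
    checked, so an attacker-controlled resolver prepended to a legitimate one
    is still reported.
    """
    findings = []
    for idx, lease in enumerate(parse_leases(text)):
        raw = lease.get("domain-name-servers", "")
        for server in (s.strip() for s in raw.split(",") if s.strip()):
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((idx, server, "unparseable"))
                continue
            if not any(ip in net for net in allowlist):
                findings.append((idx, server, "not in allowlist"))
    return findings


if __name__ == "__main__":
    for idx, server, reason in find_unexpected_resolvers(SAMPLE_LEASES):
        print(f"lease #{idx}: resolver {server} {reason}")
```

Run against a real client, the same function can read /var/lib/dhcp/dhclient.leases (the path varies by distribution); a resolver that appears in a newer lease but not in older ones is the signal worth escalating, since it means the router's DHCP answer changed after the device first joined the network.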
Impact and Attribution
The NCSC assesses that APT28’s operations are highly targeted, focusing on entities of strategic interest to Russian intelligence. While the initial router compromises appear broad, the group refines its focus at later stages to prioritize high-value victims. The stolen credentials could enable further unauthorized access, though the exact scope of follow-on attacks remains unclear.
This campaign underscores the persistent threat posed by state-backed cyber actors leveraging common vulnerabilities in consumer-grade networking devices to conduct large-scale espionage.
Source: https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/
TP-Link Systems Inc. cybersecurity rating report: https://www.rankiteo.com/company/tp-link
"id": "TP-1775579951",
"linkid": "tp-link",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': 'Global (targeted entities likely in UK and other regions)',
                        'type': 'Organizations of strategic interest to Russian intelligence'}],
 'attack_vector': 'Exploiting vulnerable routers (CVE-2023-50224), adversary-in-the-middle (AitM) attacks, malicious DNS servers',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable information, authentication tokens)',
                 'type_of_data_compromised': 'Credentials (passwords, OAuth tokens), web and email service data'},
 'date_detected': '2024',
 'description': 'The UK’s National Cyber Security Centre (NCSC) has issued a warning about two ongoing cyberespionage campaigns by the Russian hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy), linked to Russia’s GRU military intelligence unit. Since early 2024, APT28 has been hijacking vulnerable internet routers, particularly TP-Link models, to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations.',
 'impact': {'data_compromised': 'Passwords, OAuth tokens, credentials from web and email services',
            'identity_theft_risk': 'High',
            'systems_affected': 'TP-Link WR841N routers, downstream devices (laptops, phones)'},
 'initial_access_broker': {'backdoors_established': 'Malicious DNS servers, DHCP settings alteration',
                           'entry_point': 'Vulnerable TP-Link routers (CVE-2023-50224)',
                           'high_value_targets': 'Entities of strategic interest to Russian intelligence'},
 'investigation_status': 'Ongoing',
 'motivation': 'Cyberespionage, credential theft for intelligence gathering',
 'post_incident_analysis': {'root_causes': 'Exploitation of unpatched consumer-grade routers, opportunistic targeting'},
 'references': [{'source': 'UK National Cyber Security Centre (NCSC)'},
                {'source': 'Microsoft Threat Intelligence'}],
 'threat_actor': 'APT28 (Fancy Bear, Forest Blizzard, Sofacy, Storm-2754)',
 'title': 'Russian APT28 Exploits Vulnerable Routers in Large-Scale Credential Theft Campaign',
 'type': 'Cyberespionage',
 'vulnerability_exploited': 'CVE-2023-50224 (TP-Link WR841N routers)'}