TP-Link: Russian state hackers are hijacking TP-Link and MikroTik routers to steal Outlook credentials, cybersecurity center warns — APT28 group targets DNS and redirects traffic to attacker-controlled servers

Russian APT28 Exploits SOHO Routers in Large-Scale Credential Harvesting Campaign

The UK National Cyber Security Centre (NCSC) issued an advisory on Tuesday warning that Russian state-backed hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy) has been actively compromising small office and home office (SOHO) routers since early 2024. The group, assessed as Military Intelligence Unit 26165 under Russia’s GRU, is manipulating routers’ DHCP and DNS settings to redirect network traffic through attacker-controlled servers, enabling the theft of passwords and authentication tokens from web and email services.

APT28 deploys malicious DNS resolvers on virtual private servers (VPS), then alters compromised routers to direct downstream devices such as laptops and phones to these servers. When users attempt to access targeted domains (e.g., Outlook, Office 365, and Microsoft authentication services), their traffic is rerouted to adversary-in-the-middle (AitM) infrastructure, while non-targeted requests resolve normally to avoid detection.

The NCSC identified the TP-Link WR841N as one of the exploited models, with access likely gained through CVE-2023-50224, an unauthenticated flaw that allows credential theft via HTTP requests. Once those credentials are obtained, the attackers rewrite the router’s DHCP DNS settings, replacing the primary DNS server with a malicious IP address while preserving the original as a secondary fallback. Over 20 TP-Link models, including the Archer, WDR, and WR series, have been targeted, alongside MikroTik routers; some of the latter were compromised in Ukraine, suggesting strategic intelligence value.

The campaign is described as opportunistic, with APT28 casting a broad net across exposed routers before filtering victims for high-value targets. While the NCSC recommends standard mitigations such as firmware updates, restricted management interfaces, and multi-factor authentication, the advisory underscores the group’s persistent focus on credential harvesting for espionage purposes. APT28 has previously been linked to high-profile breaches, including the 2015 German Bundestag hack and the 2018 intrusion attempt at the Organisation for the Prohibition of Chemical Weapons.
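As an added illustration (not code from the NCSC advisory or the article), the Python script below checks for the two router-side symptoms the advisory describes: a DHCP offer whose primary DNS server is unexpected while the legitimate server is kept as a secondary fallback, and a resolver that answers normally for most names but returns different addresses for a handful of high-value ones. The log line format, allow-list, domain names and addresses are all constructed for the example.

```python
"""Added example, not code from the NCSC advisory or the article: flag the
two router-side symptoms described above -- a DHCP offer whose primary DNS
is unknown while the legitimate resolver is kept as secondary, and a resolver
that answers normally except for a few high-value names. Addresses are
constructed (RFC 5737 documentation ranges); the log format is hypothetical."""
import re
from typing import Dict, List, Set

# Resolvers your DHCP server is supposed to hand out (constructed allow-list).
EXPECTED_DNS: Set[str] = {"192.168.1.1", "9.9.9.9"}

# Constructed dhclient-style log line; the "dns a,b" field is hypothetical.
DHCP_LOG = "dhclient: bound to 192.168.1.23 -- dns 203.0.113.53,192.168.1.1 lease 86400"


def dns_from_dhcp_log(line: str) -> List[str]:
    """Extract the ordered DNS server list from the constructed log format."""
    m = re.search(r"dns ([\d.,]+)", line)
    return m.group(1).split(",") if m else []


def classify_dhcp_dns(servers: List[str], expected: Set[str] = EXPECTED_DNS) -> str:
    """'ok', 'unexpected', or 'fallback-pattern': the advisory's tell-tale of a
    rogue primary with the original resolver preserved as a secondary."""
    if not servers or all(s in expected for s in servers):
        return "ok"
    if servers[0] not in expected and any(s in expected for s in servers[1:]):
        return "fallback-pattern"
    return "unexpected"


def divergent_domains(dhcp_answers: Dict[str, Set[str]],
                      trusted_answers: Dict[str, Set[str]]) -> List[str]:
    """Names where the DHCP-assigned resolver disagrees with a trusted one.
    Selective poisoning shows as a short list of high-value names only."""
    return sorted(n for n in dhcp_answers
                  if dhcp_answers[n] != trusted_answers.get(n, set()))


# Constructed answer sets: only the two Microsoft-style names are rewritten.
TRUSTED = {"outlook.office.com": {"198.51.100.20"},
           "login.microsoftonline.com": {"198.51.100.21"},
           "example.org": {"198.51.100.30"}}
FROM_DHCP = {"outlook.office.com": {"203.0.113.10"},
             "login.microsoftonline.com": {"203.0.113.10"},
             "example.org": {"198.51.100.30"}}

if __name__ == "__main__":
    servers = dns_from_dhcp_log(DHCP_LOG)
    print(servers, classify_dhcp_dns(servers), divergent_domains(FROM_DHCP, TRUSTED))
```

In practice the trusted answer set would come from a resolver reached over a path the router cannot rewrite (for example DNS over TLS to a known resolver), and a small, stable set of divergent high-value names is the signal worth alerting on.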

Source: https://www.tomshardware.com/tech-industry/cyber-security/ncsc-says-russian-gru-hackers-are-hijacking-tp-link-and-mikrotik-routers

TP-Link cybersecurity rating report: https://www.rankiteo.com/company/tp-link-corporation

{
  "id": "TP-1775679846",
  "linkid": "tp-link-corporation",
  "type": "Vulnerability",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"location": "Global (with focus on Ukraine)", "type": "SOHO Router Users"}],
  "attack_vector": "Exploitation of SOHO routers (DHCP/DNS manipulation)",
  "data_breach": {
    "data_exfiltration": "Yes (redirected to attacker-controlled servers)",
    "personally_identifiable_information": "Potentially (if credentials include PII)",
    "sensitivity_of_data": "High (authentication tokens, email/web service credentials)",
    "type_of_data_compromised": "Credentials (passwords, authentication tokens)"
  },
  "date_detected": "2024",
  "description": "The UK National Cyber Security Centre (NCSC) issued an advisory warning that Russian state-backed hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy) has been actively compromising small office and home office (SOHO) routers since early 2024. The group manipulates routers’ DHCP and DNS settings to redirect network traffic through attacker-controlled servers, enabling the theft of passwords and authentication tokens from web and email services.",
  "impact": {
    "data_compromised": "Passwords and authentication tokens from web and email services",
    "identity_theft_risk": "High (due to stolen credentials)",
    "operational_impact": "Network traffic redirection, potential unauthorized access to sensitive services",
    "systems_affected": "SOHO routers (TP-Link WR841N, Archer, WDR, WR series; MikroTik routers)"
  },
  "initial_access_broker": {
    "backdoors_established": "Malicious DNS resolvers on VPS",
    "entry_point": "Exploited SOHO routers (e.g., TP-Link, MikroTik)",
    "high_value_targets": "Outlook, Office 365, Microsoft authentication services"
  },
  "investigation_status": "Ongoing",
  "motivation": "Espionage, Credential Harvesting",
  "post_incident_analysis": {
    "root_causes": "Exploitation of unpatched vulnerabilities (e.g., CVE-2023-50224), weak router security configurations"
  },
  "recommendations": "Firmware updates, restricted management interfaces, multi-factor authentication, monitoring for unauthorized DNS changes",
  "references": [{"source": "UK National Cyber Security Centre (NCSC)"}],
  "response": {
    "containment_measures": "Firmware updates, restricted management interfaces, multi-factor authentication"
  },
  "threat_actor": "APT28 (Fancy Bear, Forest Blizzard, Sofacy, Military Intelligence Unit 26165 under Russia’s GRU)",
  "title": "Russian APT28 Exploits SOHO Routers in Large-Scale Credential Harvesting Campaign",
  "type": "Credential Harvesting",
  "vulnerability_exploited": "CVE-2023-50224"
}