Wireless router with connected cables showing Russian hackers DNS hijacking and credential theft

NCSC Alert: Large-Scale Credential Theft by Russian Hackers Employs DNS Hijacking via Exploited Routers

Russian hackers linked to the advanced persistent threat actor APT28 are exploiting thousands of vulnerable routers to enable credential theft via DNS hijacking. The tactic involves manipulating DNS records to redirect traffic to malicious infrastructure operated by the threat actor.

Also known as Forest Blizzard, Fancy Bear, and STRONTIUM, APT28 is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 was responsible for the attack on the German Parliament and targeting the Organization for the Prohibition of Chemical Weapons (OPCW).

The group was also linked to the 2016 hacking of the Democratic National Committee (DNC), the Clinton campaign hack, and the 2017 Emmanuel Macron leak. APT28 has also frequently targeted Microsoft, NATO, think tanks, journalists, and diplomatic missions.

Russian hackers exploit vulnerable routers for DNS hijacking

According to a cybersecurity advisory issued by the UK National Cyber Security Centre (NCSC), the attackers overwrite DHCP and DNS settings to redirect traffic to attacker-controlled DNS servers, enabling adversary-in-the-middle (AitM) attacks to exfiltrate passwords and OAuth tokens.

However, the attacks are opportunistic, with Russian hackers selecting high-profile targets after analyzing the stolen data at each stage.

Between 2024 and 2026, the attackers have used Virtual Private Servers (VPSs) to enable DNS hijacking via compromised routers. They configured SOHO routers using the threat actor’s IP addresses and passed them to downstream devices, such as laptops and smartphones, in the first cluster.

Russian hackers also frequently exploited TP-Link WR841N routers affected by CVE-2023-50224 for credential theft. The medium-severity (CVSS v3 6.5) Improper Authentication Information Disclosure Vulnerability could enable network-adjacent attackers to disclose sensitive information, such as router credentials, through specially crafted HTTP GET requests.

After obtaining the router’s credentials, they manipulate the DHCP DNS records by setting a malicious IP address as the primary DNS and a legitimate address as the secondary DNS. In some cases, the attackers set both the primary and secondary DNS to threat-actor-controlled IP addresses. In the second cluster, the Russian hackers also exploited MikroTik routers in follow-on attacks, especially in Ukraine.

The malicious DNS servers would then resolve domain names for various services, including email applications and login pages, to the threat actor’s IP addresses.

Outlook, Office, and Microsoft 365 domains were among the most targeted, although Russian hackers also targeted non-Microsoft services. After successful DNS hijacking, the Russian hackers would then attempt credential theft through AitM attacks if the requests matched the targeted services or keywords. Nevertheless, DNS requests from non-targeted services would be resolved to legitimate IP addresses.

Meanwhile, other threat groups have applied DNS hijacking for credential theft. Between 2017 and 2019, Turkish hackers employed DNS hijacking for cyber espionage against intelligence targets in Asia, Europe, and North America during the Sea Turtle hacking campaign. The Sea Turtle DNS hijacking campaign exploited at least 7 patched vulnerabilities and affected over 40 organizations.

“The FrostArmada campaign marks a definitive end to the era where home routers could be treated as separate from the corporate security perimeter,” said Noelle Murata, Sr. Security Engineer, Xcape. “By turning CVE-2023-50224 into an industrial-scale tool for DNS hijacking, APT28 has effectively bypassed the multi-million dollar ‘front door’ defenses of enterprise security by camping in the living rooms of their employees. This isn’t just about unpatched routers; it’s an architectural exploit of the DNS ecosystem that turns a standard WFH connection into a persistent state-level surveillance node.”

How to prevent credential theft from DNS hijacking

The NCSC advised network defenders to study the indicators of compromise to detect attempted credential theft via DNS hijacking.

The agency also recommended protecting management interfaces, updating devices and software, implementing security monitoring, and adding priority applications to an allowlist that filters requests from suspicious IP addresses.

Other recommendations include using host-based intrusion detection systems and enabling multi-factor authentication to prevent intrusions following credential theft.

“For security leaders, the lesson is that ‘Bring Your Own Device’ has now extended to ‘Bring Your Own Network Infrastructure,’” added Murata. “To survive this shift, organizations must mandate phishing-resistant FIDO2 hardware keys to reduce the AitM token theft and implement certificate pinning for all corporate-managed endpoints. Relying on user discretion to spot a TLS warning is no longer a viable security control when the adversary is a state-sponsored unit with the patience to triage thousands of routers for a single high-value credential.”

“If your remote security strategy ends at the laptop, you are just waiting for a Russian state actor to sign into your corporate web applications using your employee’s home internet,” concluded Murata.