The United Kingdom Government, through its National Cyber Security Centre (NCSC), disclosed a campaign by Russian state-sponsored threat actor APT28 targeting vulnerable routers to enable DNS hijacking operations. The campaign was publicly disclosed on 2026-05-01, though the exact discovery date and duration of the operation remain unspecified. The attack affected government and potentially other sectors, with no specific record count or user population provided.
APT28 exploited unpatched vulnerabilities in routers to modify DNS settings, redirecting traffic to adversary-controlled infrastructure. This enabled adversary-in-the-middle attacks that intercepted and exfiltrated passwords and authentication tokens. The attack chain involved initial exploitation of router firmware flaws, followed by DNS configuration manipulation to facilitate credential theft. No specific CVEs were cited in the disclosure.
The NCSC issued a security advisory detailing the threat actor's tactics, techniques, and procedures, including recommended mitigations such as router firmware updates and DNS monitoring. No further post-incident developments, such as regulatory actions or litigation, were reported.
Exploitation of vulnerable routers to hijack DNS for adversary-in-the-middle attacks
This campaign underscores the critical need for organizations to maintain rigorous patch management for network infrastructure devices, particularly routers and firewalls, which are often overlooked in vulnerability management programs. The use of DNS hijacking to enable credential theft highlights the importance of implementing DNSSEC and monitoring DNS traffic for anomalies. Additionally, the targeting of authentication tokens reinforces the necessity of multi-factor authentication and short-lived session tokens to mitigate the impact of credential interception.
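One concrete way to act on the "monitoring DNS traffic for anomalies" recommendation is to check where clients are actually sending their lookups. A router whose DNS settings have been rewritten starts forwarding client queries to a resolver the organization never sanctioned, which shows up as port-53 flows to an unexpected destination. The script below is an added illustration, not code from the NCSC advisory or from this page: it parses constructed firewall-style flow lines, compares every DNS destination against an allowlist of approved resolvers (the addresses and log format are assumptions), and reports each unapproved resolver with the time it was first seen and the clients that reached it.

```python
"""Detect DNS resolver drift from outbound port-53 flow logs.

Added example (not part of the original page). The log format, the
resolver addresses and the client addresses below are all constructed.
"""
import ipaddress

# Constructed allowlist: the only resolvers clients should ever reach.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),   # assumed internal resolver
    ipaddress.ip_address("10.0.1.53"),   # assumed internal resolver
}

# Constructed firewall-style flow lines: "<ts> <src> -> <dst>:<port>/<proto>".
# The last three lines model the moment a router's DNS setting was changed.
SAMPLE_FLOWS = """\
2026-05-01T08:00:01Z 10.0.5.21 -> 10.0.0.53:53/udp
2026-05-01T08:00:02Z 10.0.5.22 -> 10.0.1.53:53/udp
2026-05-01T08:00:03Z 10.0.5.21 -> 203.0.113.7:443/tcp
2026-05-01T08:15:10Z 10.0.5.21 -> 198.51.100.9:53/udp
2026-05-01T08:15:11Z 10.0.5.22 -> 198.51.100.9:53/udp
2026-05-01T08:15:12Z 10.0.5.23 -> 198.51.100.9:53/tcp
"""


def parse_flow(line):
    """Return (timestamp, src, dst, port, proto), or None for a malformed line."""
    try:
        ts, src, arrow, rest = line.split()
        if arrow != "->":
            return None
        dst_port, proto = rest.rsplit("/", 1)
        dst, port = dst_port.rsplit(":", 1)
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto
    except ValueError:
        return None


def find_unapproved_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Group DNS flows (port 53 over udp or tcp) whose destination is not approved.

    Returns {resolver_ip: {"first_seen": timestamp, "clients": sorted client list}}.
    Lines are assumed to be in chronological order, so the first hit is first_seen.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the sweep
        ts, src, dst, port, proto = rec
        if port != 53 or proto not in ("udp", "tcp"):
            continue  # not a DNS flow
        if dst in approved:
            continue  # sanctioned resolver
        entry = hits.setdefault(str(dst), {"first_seen": ts, "clients": set()})
        entry["clients"].add(str(src))
    return {
        ip: {"first_seen": e["first_seen"], "clients": sorted(e["clients"])}
        for ip, e in hits.items()
    }


if __name__ == "__main__":
    for ip, info in find_unapproved_resolvers(SAMPLE_FLOWS).items():
        print(f"ALERT unapproved DNS resolver {ip} first seen {info['first_seen']} "
              f"from {len(info['clients'])} client(s): {', '.join(info['clients'])}")
```

The allowlist approach is deliberately simple: it does not need to know the attacker's infrastructure in advance, only the organization's own resolvers, so a newly rewritten router setting is flagged the first time any client follows it. In a real deployment the flow lines would come from firewall, NetFlow or DNS-server logs rather than an embedded string, and the alert should carry the source router or DHCP scope so the affected device can be identified and re-patched.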