UK and Allies Disrupt Global DNS Hijacking Campaign Linked to Russia’s APT28
An international coalition of security agencies, led by the UK's National Cyber Security Centre (NCSC) and the FBI, has disrupted a major cyber-espionage operation targeting thousands of home and small-office routers. The campaign, attributed to the Russian military intelligence unit tracked as APT28 (also documented as Fancy Bear or Pawn Storm), used the compromised devices to hijack DNS resolution for the households and small offices behind them and steal Microsoft 365 authentication tokens.
Weaponizing the "Edge" of the Network
The operation marks a significant escalation in the use of "Edge" devices for state-sponsored intelligence gathering. According to reports from The Record and TechCrunch, APT28 exploited known vulnerabilities in unpatched routers to gain administrative access. Once inside, the actors modified the Domain Name System (DNS) settings of the devices. Because a home router is normally the resolver, or the DHCP source of the resolver address, for every device behind it, a single change on the router redirects the lookups of the whole household.
DNS hijacking lets an attacker intercept a user's request to resolve a legitimate name, such as outlook.office365.com, and silently answer with the address of a server the attackers control. BleepingComputer notes that these servers were designed to look identical to legitimate login pages, tricking victims into entering their credentials or unwittingly handing over active session tokens. Redirection alone does not defeat HTTPS: a browser still rejects a certificate that does not match the requested name, so a lookalike page depends on a plain-HTTP first hop, a dismissed certificate warning, or a name the victim does not scrutinise.
Stealing the "Keys to the Kingdom"
The primary objective of this campaign was the theft of Microsoft 365 tokens. Unlike traditional password theft, stealing an authentication token issued after a successful login lets an attacker bypass multi-factor authentication (MFA) by replaying an already-validated session rather than authenticating again.
Bloomberg and Infosecurity Magazine report that the NCSC has tracked these "man-in-the-middle" attacks across several sectors, including government, defense, and critical infrastructure. By controlling the router, the attackers bypassed corporate perimeter defenses, as the malicious activity appeared to originate from a "trusted" home IP address.
A Coordinated Takedown
In a rare public disclosure, the NCSC and the FBI published a joint advisory detailing the technical indicators of the campaign. The disruption involved "sinkholing" the malicious domains used by APT28 and providing automated scripts for ISPs to help identify and remediate compromised customer routers. Krebs on Security highlights that while the immediate threat has been mitigated, the sheer volume of vulnerable, unpatched routers globally remains a persistent "reservoir" for future state-linked operations.
Primary Intel & Reports: NCSC Official Advisory, The Record, BleepingComputer, MITRE ATT&CK: APT28, TechCrunch
The CyberSignal Analysis
The APT28 router campaign represents a shift toward Infrastructure-Level Espionage, where the target is not the computer, but the gateway itself.
- The Fallibility of "Trusted" IPs: Most Security Operations Centers (SOCs) treat traffic coming from a known employee’s home IP as lower risk. By compromising the home router, APT28 effectively turned the "Safe Harbor" of remote work into a primary attack vector. This necessitates a move toward Zero Trust Network Access (ZTNA), where no IP — internal or external — is granted inherent trust.
- DNS as a Single Point of Failure: This attack shows how much of web security rests on trustworthy name resolution. An attacker who controls a victim's resolver cannot forge a valid certificate for the real domain, but can steer the first request to a server that serves plain HTTP or "strips" TLS, and can rely on users who click through warnings. Organizations should enforce DNS over HTTPS (DoH) or DNS over TLS (DoT) to a resolver the endpoint is pinned to, so that a compromised local router cannot see or rewrite queries. The caveat is that the client must not fall back to plaintext DNS when the router blocks the encrypted channel, and HSTS plus strict certificate validation, not encrypted DNS alone, are what stop the lookalike page from loading.
- Operational Takeaway: IT leaders must prioritize Firmware Lifecycle Management. Consumer-grade routers are often neglected in corporate security policies. Organizations should consider providing managed, corporate-grade hardware for high-value remote employees, or enforcing strict "Endpoint Integrity" checks that verify the configured resolvers and the answers they return for high-value names before allowing a VPN or SaaS connection.
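An added example of the endpoint integrity check described in the last two points, written for this page and not taken from the NCSC/FBI advisory or any vendor product. It does two things a posture agent could run before a VPN or SaaS session is allowed: flag configured resolvers that are not on an allowlist (a hijacked router typically hands out itself or an attacker address over DHCP), and parse a raw DNS response for a high-value name to flag answers outside the netblocks the organisation expects. The resolver allowlist, the expected netblock for outlook.office365.com, and the resolv.conf text and DNS response bytes are all constructed or assumed values for the example, not authoritative Microsoft ranges.

```python
"""Endpoint DNS integrity check (added example; allowlist and netblocks are assumed)."""
import ipaddress
import struct

# Assumed policy values, chosen for the example only.
ALLOWED_RESOLVERS = {"10.0.0.53", "9.9.9.9"}
EXPECTED_BLOCKS = {
    # Assumed netblock for the example; take real values from the service's published ranges.
    "outlook.office365.com": [ipaddress.ip_network("52.96.0.0/12")],
}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return configured resolvers that are not on the allowlist."""
    return [ip for ip in parse_resolv_conf(text) if ip not in allowed]


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(msg):
    """Parse a DNS response and return {name: [ipv4, ...]} for its A answers."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed 12-byte header
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.setdefault(name, []).append(str(ipaddress.IPv4Address(rdata)))
    return answers


def check_answers(msg, expected=EXPECTED_BLOCKS):
    """Return {name: [addr, ...]} for answers outside the expected netblocks."""
    bad = {}
    for name, addrs in parse_a_records(msg).items():
        blocks = expected.get(name.lower())
        if blocks is None:
            continue
        out = [a for a in addrs if not any(ipaddress.ip_address(a) in b for b in blocks)]
        if out:
            bad[name] = out
    return bad


def build_response(name, addrs):
    """Build a constructed DNS A response in wire format so the parser runs offline."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:  # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


# Constructed sample inputs: a DHCP-pushed router resolver and a rogue answer (TEST-NET-3).
RESOLV_CONF_HIJACKED = "# generated by DHCP\nnameserver 192.168.1.1\nnameserver 10.0.0.53\n"
RESPONSE_HIJACKED = build_response("outlook.office365.com", ["203.0.113.10"])
RESPONSE_CLEAN = build_response("outlook.office365.com", ["52.96.166.50"])


def posture_ok(resolv_text, response):
    """Single go/no-go decision a VPN or SaaS gate could use."""
    return not check_resolvers(resolv_text) and not check_answers(response)


if __name__ == "__main__":
    print("rogue resolvers:", check_resolvers(RESOLV_CONF_HIJACKED))
    print("rogue answers:", check_answers(RESPONSE_HIJACKED))
    print("posture ok:", posture_ok(RESOLV_CONF_HIJACKED, RESPONSE_HIJACKED))
```

On a real endpoint the response bytes would come from a query sent to each configured resolver (and, for comparison, to the pinned DoH/DoT resolver), and the expected netblocks from the service's published address ranges. The check is deliberately about the resolver and its answers rather than the router, because the agent on the laptop cannot inspect the router's firmware but can see exactly what the router is telling it.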