Published Monday, June 29, 2026 at 01:10 PM PT

BREAKING ALERT: APT28 ROUTER EXPLOITATION ENABLING DNS HIJACKING | IMMEDIATE ACTION REQUIRED

BLUF: Russian state-sponsored threat actor APT28 is actively exploiting vulnerable routers to hijack DNS and conduct adversary-in-the-middle (AiTM) attacks, enabling theft of passwords and authentication tokens. All organisations operating internet-facing or edge routers should treat this as an active threat requiring immediate review.


DETAILS

  • APT28 (also known as Fancy Bear; attributed to Russian military intelligence, GRU) is exploiting vulnerable routers to manipulate DNS resolution, redirecting traffic through attacker-controlled infrastructure.
  • The attack methodology enables AiTM positioning, allowing APT28 to intercept, inspect, and modify network traffic without detection by end users.
  • Confirmed objectives include credential theft (specifically passwords and authentication tokens), which can enable follow-on intrusions into enterprise and government networks.
  • The UK National Cyber Security Centre (NCSC) has published a formal advisory on this activity. The advisory is co-sealed, which suggests involvement of additional Five Eyes partner agencies; the specific co-signatories are not confirmed in the source material at the time of writing.
  • This activity is consistent with APT28’s established pattern of targeting network infrastructure as an initial access vector, as previously observed in campaigns against Cisco and other edge devices.

IMPACT

  • Who is affected: Any organisation operating routers with unpatched firmware, default credentials, or exposed management interfaces, particularly government, defence, critical national infrastructure, and private sector entities in NATO-aligned countries.
  • Scope: Network-wide. Successful DNS hijacking affects every client that takes its DNS from a compromised router, regardless of endpoint security posture. Properly validated TLS limits what the attacker can read in transit, but the attacker still controls where clients connect for any hijacked name and can serve phishing or downgrade pages there.
  • Data at risk: Credentials, session tokens, and potentially any unencrypted or improperly validated traffic transiting affected infrastructure.
  • Broader context: UK NCSC has previously noted hostile states are linked to approximately three-quarters of cyber attacks affecting UK critical systems; this advisory is consistent with that threat picture.

RECOMMENDED ACTIONS

  1. Audit all routers immediately โ€” identify firmware versions, check for available patches, and apply updates without delay.
  2. Disable remote management interfaces where not operationally required; restrict access to trusted IPs only.
  3. Rotate credentials for all network devices and any accounts whose traffic may have transited potentially compromised infrastructure.
  4. Review DNS configurations on edge devices for unauthorised modifications; compare against known-good baselines.
  5. Inspect authentication logs for anomalous token usage or credential reuse indicative of AiTM interception.
  6. Consult the full NCSC advisory at ncsc.gov.uk for specific indicators of compromise (IoCs) and technical mitigations.
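As a worked illustration of step 4 above (an added example, not code from NCSC or the advisory), the Python script below checks an edge router for DNS hijacking in two ways: it compares the resolvers the device is configured with, or pushes to clients over DHCP, against a known-good set, and it compares answers obtained through the router with answers from an independent trusted resolver, flagging any name that resolves outside the address block it is expected to live in. The baseline resolvers, the expected address block, and the config and dig samples are all constructed for the example; in practice you would feed in the device's running configuration and the raw output of `dig @<router-ip> <name>` and `dig @<trusted-resolver> <name>`.

```python
"""Baseline check for DNS hijacking through an edge router (added example).

Check 1: resolvers configured on, or handed out by, the router match the baseline.
Check 2: answers obtained through the router match an independent trusted resolver
         and stay inside the address block each sensitive name is expected to use.
All constants and sample outputs below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Known-good baseline captured while the network was healthy (constructed values).
BASELINE_RESOLVERS: Set[str] = {"10.0.0.1", "10.0.0.2"}
EXPECTED_BLOCKS = {  # owner name -> address block it should resolve into (assumed)
    "login.example.com.": ipaddress.ip_network("203.0.113.0/24"),
    "sso.example.com.": ipaddress.ip_network("203.0.113.0/24"),
}

# dig prints answer RRs as: owner  ttl  class  type  rdata (tab or space separated).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")
# Cisco IOS 'ip name-server', DHCP-pool 'dns-server', resolv.conf 'nameserver'.
RESOLVER_LINE = re.compile(r"^\s*(?:ip name-server|dns-server|nameserver)\s+(.+?)\s*$")

Answers = Dict[str, Set[Tuple[str, str]]]


def parse_router_resolvers(config_dump: str) -> Set[str]:
    """Collect every resolver IP the device is configured with or hands out."""
    found: Set[str] = set()
    for line in config_dump.splitlines():
        m = RESOLVER_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            try:
                found.add(str(ipaddress.ip_address(tok)))
            except ValueError:
                pass  # keywords such as 'vrf <name>' are not addresses
    return found


def parse_dig_answers(dig_output: str) -> Answers:
    """Return {owner: {(rrtype, rdata), ...}} from every ANSWER SECTION in dig output."""
    answers: Answers = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False  # a blank line or the next ';;' header ends the section
            continue
        m = RR_LINE.match(line) if in_answer else None
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            answers.setdefault(owner.lower(), set()).add((rrtype, rdata.lower()))
    return answers


def unexpected_resolvers(observed: Set[str], baseline: Set[str] = BASELINE_RESOLVERS) -> Set[str]:
    """Resolver addresses present on the device but absent from the baseline."""
    return observed - baseline


def compare_answers(via_router: Answers, via_trusted: Answers,
                    expected_blocks=EXPECTED_BLOCKS) -> List[Tuple[str, str]]:
    """(name, reason) for every name whose router-supplied answer is suspect."""
    findings: List[Tuple[str, str]] = []
    for name, trusted in via_trusted.items():
        router = via_router.get(name, set())
        block = expected_blocks.get(name)
        for rrtype, rdata in sorted(router):
            if block and rrtype in ("A", "AAAA") and ipaddress.ip_address(rdata) not in block:
                findings.append((name, f"{rrtype} {rdata} is outside expected block {block}"))
                break
        else:  # no out-of-block address; still flag any divergence (e.g. injected CNAME)
            if router != trusted:
                findings.append((name, f"router answer {sorted(router)} != trusted {sorted(trusted)}"))
    return findings


def run_checks(config_dump: str, router_dig: str, trusted_dig: str) -> Dict[str, object]:
    """Run both checks and return a report dict suitable for alerting."""
    return {
        "unexpected_resolvers": unexpected_resolvers(parse_router_resolvers(config_dump)),
        "answer_findings": compare_answers(parse_dig_answers(router_dig),
                                           parse_dig_answers(trusted_dig)),
    }


# --- constructed samples: a router with an extra resolver and a redirected login name ---
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip name-server 10.0.0.1 10.0.0.2
ip name-server 192.0.2.53
ip dhcp pool LAN
 dns-server 192.0.2.53
"""
SAMPLE_ROUTER_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;login.example.com.\t\tIN\tA

;; ANSWER SECTION:
login.example.com.\t60\tIN\tA\t192.0.2.50

;; ANSWER SECTION:
sso.example.com.\t300\tIN\tA\t203.0.113.11
"""
SAMPLE_TRUSTED_DIG = """\
;; ANSWER SECTION:
login.example.com.\t300\tIN\tA\t203.0.113.10

;; ANSWER SECTION:
sso.example.com.\t300\tIN\tA\t203.0.113.11
"""

if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_CONFIG, SAMPLE_ROUTER_DIG, SAMPLE_TRUSTED_DIG).items():
        print(f"{key}: {value}")
```

The trusted view should come from a resolver reached without passing through the suspect device (for example DNS over HTTPS from a host on a separate path, or an out-of-band query); if the trusted query itself transits the hijacked router, both views agree and the check is blind. A resolver address the baseline does not contain, or a sensitive name answered from outside its expected block, is exactly the kind of unauthorised modification step 4 asks you to look for, and either should be escalated rather than silently corrected.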

SOURCES

  • UK NCSC News Advisory: APT28 exploit routers to enable DNS hijacking operations (ncsc.gov.uk)
  • UK NCSC All Resources: APT28 exploit routers to enable DNS hijacking operations

⚠ UNCERTAINTY FLAG: Specific router models, CVE identifiers, and co-authoring agencies for this advisory are not confirmed in available source material. Consult the full NCSC publication for technical specifics before scoping your response.