
BREAKING ALERT: APT28 ROUTER EXPLOITATION ENABLING DNS HIJACKING | IMMEDIATE ACTION REQUIRED
Published Monday, June 29, 2026 at 01:10 PM PT

BLUF
Russian state-sponsored threat actor APT28 is actively exploiting vulnerable routers to hijack DNS and conduct adversary-in-the-middle (AiTM) attacks, enabling theft of passwords and authentication tokens. All organisations operating internet-facing or edge routers should treat this as an active threat requiring immediate review.

DETAILS
APT28 (also known as Fancy Bear; attributed to Russian military intelligence, the GRU) is exploiting vulnerable routers to manipulate DNS resolution, redirecting traffic through attacker-controlled infrastructure. Because the router answers or forwards DNS for every client behind it, an attacker who controls its resolver settings can return their own addresses for chosen hostnames and so insert themselves between client and server without touching a single endpoint. That AiTM position lets APT28 intercept, inspect, and modify network traffic without the end user noticing.

Confirmed objectives include credential theft, specifically passwords and authentication tokens, which can enable follow-on intrusions into enterprise and government networks.

The UK National Cyber Security Centre (NCSC) has published a formal advisory on this activity. The advisory is co-attributed, suggesting involvement of additional Five Eyes partner agencies (specific co-signatories not confirmed in source material at time of writing). This activity is consistent with APT28's established pattern of targeting network infrastructure as an initial access vector, as previously observed in campaigns against Cisco and other edge devices.

IMPACT
Who is affected: Any organisation operating routers with unpatched firmware, default credentials, or exposed management interfaces, particularly government, defence, critical national infrastructure, and private sector entities in NATO-aligned countries.

Scope: Network-wide. A successful DNS hijack affects every device that resolves names through, or routes traffic via, a compromised router, regardless of endpoint security posture.

Data at risk: Credentials, session tokens, and potentially any unencrypted or improperly validated traffic transiting affected infrastructure. Note that a DNS hijack on its own does not break correctly validated TLS: the attacker still has to present a certificate the client will accept, so the exposure is greatest for cleartext protocols, clients that skip or weaken certificate validation, and any flow where users click through certificate warnings.

Broader context: UK NCSC has previously noted that hostile states are linked to approximately three-quarters of cyber attacks affecting UK critical systems; this advisory is consistent with that threat picture.

RECOMMENDED ACTIONS
1. Audit all routers immediately: identify firmware versions, check for available patches, and apply updates without delay.
2. Disable remote management interfaces where not operationally required; restrict any that must remain to trusted source IPs only.
3. Rotate credentials for all network devices and for any accounts whose traffic may have transited potentially compromised infrastructure. Revoke active sessions as well: a stolen bearer token stays valid until it expires or is revoked, and a password change alone does not invalidate it.
4. Review DNS configurations on edge devices (the resolvers the router itself uses and any DNS servers it hands out via DHCP) for unauthorised modifications; compare against known-good baselines.
5. Inspect authentication logs for anomalous token usage or credential reuse indicative of AiTM interception, for example a session token presented from a source that differs from the one that originally authenticated.
6. Consult the full NCSC advisory at ncsc.gov.uk for specific indicators of compromise (IoCs) and technical mitigations.

SOURCES
UK NCSC News Advisory: APT28 exploit routers to enable DNS hijacking operations (ncsc.gov.uk)
UK NCSC All Resources: APT28 exploit routers to enable DNS hijacking operations (ncsc.gov.uk)

UNCERTAINTY FLAG: Specific router models, CVE identifiers, and co-authoring agencies for this advisory are not confirmed in available source material. Consult the full NCSC publication for technical specifics before scoping your response.
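The baseline-comparison step under RECOMMENDED ACTIONS is easy to state and easy to skip, so here is a worked illustration of it. This is an added example written for this page; it is not code from the NCSC advisory or from the alert's author. It assumes a hypothetical, vendor-neutral running-config syntax (`ip name-server`, `dns-server`), a hypothetical baseline of approved resolvers and expected answers for a few identity-related hostnames, and DNS answers obtained by resolving those names through the router under review. All addresses are from documentation ranges and every input below is constructed for the example.

```python
"""Audit an edge router's DNS settings and live answers against a known-good baseline.

Added example: the config excerpt, baseline values and observed answers below are
constructed for illustration and are not taken from the NCSC advisory.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical baseline an operator would keep under change control.
BASELINE = {
    "allowed_resolvers": {"10.0.0.53", "10.0.1.53"},
    "expected_answers": {
        "login.example.com": {"203.0.113.10", "203.0.113.11"},
        "sso.example.com": {"203.0.113.20"},
    },
}

# Constructed, vendor-neutral running-config excerpt pulled from the router.
# The second name-server and the DHCP-advertised DNS server are the tampered entries.
ROUTER_CONFIG = """\
hostname edge-rtr-01
ip name-server 10.0.0.53
ip name-server 198.51.100.77
ip dhcp pool LAN
 dns-server 198.51.100.77
"""

# Constructed answers obtained by resolving each name *through* the router.
OBSERVED_ANSWERS = {
    "login.example.com": {"198.51.100.90"},   # differs from baseline
    "sso.example.com": {"203.0.113.20"},      # matches baseline
    "mail.example.com": {"203.0.113.30"},     # no baseline entry to compare against
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    message: str


RESOLVER_LINE = re.compile(r"^\s*(?:ip name-server|dns-server)\s+(\S+)")


def parse_resolvers(config: str) -> set[str]:
    """Return every resolver IP the router uses itself or hands to DHCP clients."""
    found = set()
    for line in config.splitlines():
        m = RESOLVER_LINE.match(line)
        if not m:
            continue
        try:
            found.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue   # not an IP literal (e.g. a hostname); out of scope for this check
    return found


def check_resolvers(config: str, allowed: set[str]) -> list[Finding]:
    """Flag any configured resolver that is not on the approved list."""
    return [Finding("high", f"resolver {ip} not in baseline")
            for ip in sorted(parse_resolvers(config) - allowed)]


def check_answers(observed: dict[str, set[str]],
                  expected: dict[str, set[str]]) -> list[Finding]:
    """Flag names whose answers via the router contain addresses outside the baseline."""
    findings = []
    for name, ips in sorted(observed.items()):
        if name not in expected:
            findings.append(Finding("info", f"{name}: no baseline entry, cannot verify"))
            continue
        unexpected = ips - expected[name]
        if unexpected:
            findings.append(Finding(
                "high",
                f"{name} resolves to {sorted(unexpected)}; baseline is {sorted(expected[name])}"))
    return findings


def audit(config: str, observed: dict[str, set[str]], baseline: dict) -> list[Finding]:
    """Run both checks and return the combined findings, resolver issues first."""
    return (check_resolvers(config, baseline["allowed_resolvers"])
            + check_answers(observed, baseline["expected_answers"]))


if __name__ == "__main__":
    for f in audit(ROUTER_CONFIG, OBSERVED_ANSWERS, BASELINE):
        print(f"[{f.severity.upper()}] {f.message}")
```

Two design points matter in practice. First, the check covers the DHCP-advertised DNS server as well as the router's own resolvers, because clients behind the router follow whatever DHCP hands them. Second, the answer comparison must be made through the suspect router; resolving the same names from a clean host elsewhere tells you nothing about what that router's clients are seeing. Names with no baseline entry are reported as unverifiable rather than silently passed, so gaps in the baseline are visible to the reviewer.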