NCSC UK

APT28 exploit routers to enable DNS hijacking operations


Executive summary

Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. The resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email-related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.

The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain.  


Introduction

The UK National Cyber Security Centre (NCSC) is providing details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of routers to enable DNS hijacking operations.


APT28 malicious DNS activity

Since 2024 and into 2026, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers [T1583.002, T1583.003]. These VPSs typically receive high volumes of DNS requests originating from routers that the actor had exploited, likely using public vulnerabilities [T1584.008, T1588.006]. Investigations into this activity identified the following two banner-pattern clusters, each containing multiple VPSs.

Cluster one

The DHCP DNS server settings of compromised small office/home office (SOHO) routers were modified to include actor-owned IP addresses. These settings were subsequently inherited by downstream devices, for example laptops and phones.

Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the requested services.

The actor would then attempt to conduct adversary-in-the-middle (AitM) attacks against follow-on connections with the likely aim of harvesting user account credentials [T1557, T1586].   

The AitM activity could be conducted against both user browser sessions and desktop applications. Harvested authentication material could include both passwords and OAuth or similar authentication tokens. Subsequent malicious logins using this stolen data may originate from further infrastructure not listed in this advisory.

It is believed that the DNS hijacking operations are opportunistic in nature, with the actor gaining visibility of a large pool of candidate target users then filtering down users at each stage in the exploitation chain to triage for victims of likely intelligence value.
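Detection logic for the selective resolution behaviour described above, added here as an example and not taken from the advisory: it runs over constructed resolver log lines in a hypothetical "client resolver qname answer" format, uses answers seen via the sanctioned resolver as a reference, and flags only targeted names whose answers diverge, so honest resolution of non-targeted names produces no alert. The log format, the sanctioned resolver address and all answer addresses are assumptions.

```python
# Added example (not from the NCSC advisory). Log format and all addresses are constructed.
WATCHLIST_TERMS = ("outlook", "office365", "autodiscover", "imap-mail")  # terms from the targeted names
EXPECTED_RESOLVERS = {"192.0.2.53"}                                      # constructed sanctioned resolver

SAMPLE_LOG = """\
10.0.0.5 192.0.2.53 outlook.office365.com 192.0.2.200
10.0.0.5 192.0.2.53 example.org 192.0.2.201
10.0.0.5 203.0.113.9 outlook.office365.com 198.51.100.77
10.0.0.5 203.0.113.9 example.org 192.0.2.201
10.0.0.7 203.0.113.9 imap-mail.outlook.com 198.51.100.78
"""


def parse_log(text):
    """Return (client, resolver, qname, answer) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def is_watchlisted(qname):
    """True when the name contains a key term the malicious resolvers selectively answer."""
    q = qname.lower()
    return any(term in q for term in WATCHLIST_TERMS)


def find_hijack_indicators(text, expected=EXPECTED_RESOLVERS):
    rows = parse_log(text)
    # Answers observed via sanctioned resolvers serve as the per-name reference.
    reference = {}
    for _client, resolver, qname, answer in rows:
        if resolver in expected:
            reference.setdefault(qname, set()).add(answer)
    findings, seen = [], set()
    for client, resolver, qname, answer in rows:
        if resolver in expected:
            continue
        if (client, resolver) not in seen:              # report each rogue resolver once per client
            seen.add((client, resolver))
            findings.append((client, "unexpected-resolver", resolver))
        if not is_watchlisted(qname):
            continue                                    # non-targeted names resolve honestly: no signal
        if qname in reference and answer not in reference[qname]:
            findings.append((client, "divergent-answer", qname))
        else:
            findings.append((client, "targeted-name-via-unexpected-resolver", qname))
    return findings
```

Large services rotate answers across many addresses, so a divergent answer is a lead to confirm (for example by inspecting the certificate presented at the returned address), not proof on its own.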

TP-Link router exploitation

One of the router models that APT28 exploited for their DNS poisoning operations was the TP-Link WR841N, likely using CVE-2023-50224 [T1584.008, T1588.006]. This vulnerability enables an unauthenticated attacker to obtain information such as password credentials via specially crafted HTTP GET requests.

Having obtained the credentials for a router, the actor was then able to send a second specially crafted HTTP GET request to alter the DHCP DNS settings of that router.

The GET request would typically set the router’s primary DNS server to a malicious IP address, whilst also setting the secondary DNS server to the original primary DNS server’s IP address. On occasion both the primary and secondary DNS server had been set to malicious IP addresses, indicating that a router had likely been exploited multiple times.

Other TP-Link router models were also targeted by APT28 to enable their DNS hijacking operations. A list can be found in the Indicators of Compromise section.
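A defender-side check, added here as an example and not part of the NCSC advisory, for the DHCP DNS tampering described under cluster one and in the TP-Link section: it parses DHCP option 6 from an OFFER/ACK and classifies the offered resolvers against a sanctioned list, distinguishing the usual pattern (primary replaced, original resolver kept as secondary) from the all-unexpected pattern. The packet builder, the sanctioned resolver and all addresses are constructed for illustration.

```python
# Added example (not from the NCSC advisory); packets and addresses are constructed.
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options field
OPT_PAD, OPT_DNS_SERVERS, OPT_END = 0, 6, 255


def dhcp_dns_servers(packet):
    """Return the DNS servers from option 6 of a DHCP packet, in the order offered."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        i += 2 + length
        if tag == OPT_DNS_SERVERS and length % 4 == 0:
            return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
    return []


def classify_resolvers(servers, expected):
    """Compare the offered resolvers with the organisation's sanctioned list."""
    allow = {str(ipaddress.IPv4Address(e)) for e in expected}
    unexpected = [s for s in servers if s not in allow]
    if not servers:
        return "no-dns-option"
    if not unexpected:
        return "clean"
    if servers[0] not in allow and len(servers) > 1 and len(unexpected) == 1:
        # Usual pattern in the advisory: primary swapped for the actor's server,
        # the original resolver demoted to secondary so lookups keep working.
        return "suspect: primary replaced, original resolver kept as secondary"
    if len(unexpected) == len(servers):
        return "suspect: all resolvers unexpected (advisory: likely exploited more than once)"
    return "suspect: unexpected resolver present"


def build_offer(dns_servers):
    """Constructed minimal DHCP OFFER: message type (option 53) plus option 6 only."""
    fixed = bytes([2, 1, 6, 0]) + bytes(232)   # op=BOOTREPLY, htype, hlen, hops; rest of header zeroed
    packed = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    options = bytes([53, 1, 2]) + bytes([OPT_DNS_SERVERS, len(packed)]) + packed + bytes([OPT_END])
    return fixed + DHCP_MAGIC + options
```

Where a router advertises its own LAN address as the DNS server, endpoints see nothing unusual in option 6 and the router's upstream resolver configuration is the place to check instead.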

Cluster two

A subset of servers in this cluster received DNS requests via likely compromised devices including models of MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to further remote actor-owned servers.

This cluster of infrastructure was also involved in interactive operations against a small number of MikroTik routers, often located in Ukraine, that were likely of intelligence value to the actor.  


Indicators of compromise

Known malicious and targeted infrastructure is listed below. Specific selectors are liable to change and it is therefore recommended that holistic tradecraft is used to detect DNS hijacking and AitM activity.

VPS banners

Banner pattern 1

  • SSH on TCP port 56777

  • "dnsmasq-2.85" on UDP port 53

Banner pattern 2

  • SSH on TCP port 35681

  • "dnsmasq-2.85" on UDP port 53

For banner pattern 2, the DNS software was only present on some servers.

TP-Link router models exploited by APT28

The following is a list of TP-Link router models targeted by APT28. It is likely that this list is not exhaustive.

Router model

  • TP-LINK LTE WIRELESS N ROUTER MR6400
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER ARCHER C5
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER ARCHER C7
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER WDR3600
  • TP-LINK WIRELESS DUAL BAND GIGABIT ROUTER WDR4300
  • TP-LINK WIRELESS DUAL BAND ROUTER WDR3500
  • TP-LINK WIRELESS LITE N ROUTER WR740N
  • TP-LINK WIRELESS LITE N ROUTER WR740N/WR741ND
  • TP-LINK WIRELESS LITE N ROUTER WR749N
  • TP-LINK WIRELESS N 3G/4G ROUTER MR3420
  • TP-LINK WIRELESS N ACCESS POINT WA801ND
  • TP-LINK WIRELESS N ACCESS POINT WA901ND
  • TP-LINK WIRELESS N GIGABIT ROUTER WR1043ND
  • TP-LINK WIRELESS N GIGABIT ROUTER WR1045ND
  • TP-LINK WIRELESS N ROUTER WR840N
  • TP-LINK WIRELESS N ROUTER WR841HP
  • TP-LINK WIRELESS N ROUTER WR841N
  • TP-LINK WIRELESS N ROUTER WR841N/WR841ND
  • TP-LINK WIRELESS N ROUTER WR842N
  • TP-LINK WIRELESS N ROUTER WR842ND
  • TP-LINK WIRELESS N ROUTER WR845N
  • TP-LINK WIRELESS N ROUTER WR941ND
  • TP-LINK WIRELESS N ROUTER WR945N

Targeted domains

The following domain names were targeted by APT28 for redirection to AitM infrastructure. Further non-Outlook related domains were also noted.

Domain name

  • autodiscover-s.outlook[.]com
  • imap-mail.outlook[.]com
  • outlook.live[.]com
  • outlook.office[.]com
  • outlook.office365[.]com

APT28 infrastructure

The following IP addresses were associated with the first cluster of malicious APT28 DNS servers and AitM infrastructure.


The following IP addresses were associated with the second cluster of APT28 infrastructure involved in DNS hijacking and wider router operations.



MITRE ATT&CK®

This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic | ID | Technique | Procedure
Initial Access | T1190 | Exploit Public-Facing Application | APT28 exploited vulnerabilities in internet-facing routers.
Credential Access | T1557 | Adversary-in-the-Middle | APT28 conducted AitM attacks to gather account credentials.
Resource Development | T1583.002 | Acquire Infrastructure: DNS Server | APT28 operated malicious DNS servers to conduct DNS hijacking activities.
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | APT28 used VPS infrastructure to host malicious DNS servers for conducting DNS hijacking activities.
Resource Development | T1584.008 | Compromise Infrastructure: Network Devices | APT28 compromised routers to enable their DNS hijacking activity.
Resource Development | T1586 | Compromise Accounts | APT28 used DNS hijacking and AitM techniques to gather account credentials.
Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities | APT28 used public vulnerabilities to exploit routers for use in their operations.


Mitigation

A number of mitigations will be useful in defending against the activity described in this advisory:

  • Protect the management interfaces of your systems

  • Protect your devices and networks by keeping them up to date

  • Use modern systems and software

  • Update your systems and software

  • Set up a security monitoring capability

  • Add applications to an allowlist

  • Deploy a host-based intrusion detection system

    A variety of products are available, free and paid-for, to suit different needs and budgets.

  • Use multi-factor authentication (MFA), two-step verification (2SV)/two-factor authentication (2FA)

  • Treat people as your first line of defence

    Tell staff how to report suspicious activity, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments.

