Russian military intelligence unit APT28 has compromised thousands of UK business routers to harvest OAuth tokens and email credentials through sophisticated DNS hijacking operations, according to a fresh advisory from the National Cyber Security Centre. The campaign targets Small Office/Home Office (SOHO) routers from TP-Link and MikroTik manufacturers, redirecting authentication requests to attacker-controlled servers.
DNS hijacking involves attackers modifying a router's Domain Name System settings to redirect legitimate web traffic through malicious servers, allowing interception of sensitive authentication data. This latest campaign demonstrates how Russia's APT28 continues to target UK business infrastructure through critical network vulnerabilities.
Key Facts
- APT28 exploits default credentials and unpatched vulnerabilities in TP-Link and MikroTik routers
- DNS redirection captures OAuth tokens for Microsoft 365, Google Workspace, and other cloud services
- Campaign affects businesses using consumer-grade routers for office connectivity
- NCSC provides specific indicators of compromise and mitigation guidance
How DNS Hijacking Bypasses Authentication Controls
The attack methodology exploits the trust relationship between users and their local network infrastructure. When employees attempt to authenticate with cloud services, the compromised router redirects their requests to attacker-controlled domains that mimic legitimate OAuth providers. These fake authentication pages harvest credentials and session tokens, providing APT28 with persistent access to business email accounts and cloud applications.
According to reporting from the NCSC, attackers specifically target routers with default administrative credentials or known firmware vulnerabilities. Once compromised, the devices serve as persistent collection points for authentication data across the entire network, affecting all connected devices without requiring individual endpoint compromise.
Immediate Technical Countermeasures
Organisations must immediately audit their router configurations and implement DNS security controls. The NCSC advisory specifies checking DNS server settings for unauthorised modifications and monitoring network traffic for suspicious authentication redirects. Firmware updates address known exploitation vectors, whilst changing default administrative credentials prevents initial compromise.
Implementing DNS filtering through services like Quad9 or OpenDNS provides additional protection against malicious domain resolution. Network segmentation isolates SOHO routers from critical business systems, limiting the scope of potential credential harvesting operations.
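One way to carry out the two checks described above (auditing router resolver settings and spotting redirected authentication lookups), as an added example that is not code from the NCSC or this article; the resolver allow-list, hostnames and all sample data are assumptions, with the sample answers constructed from documentation address ranges:

```python
"""Audit router DNS settings and compare OAuth-provider answers against a trusted resolver."""
import ipaddress

# Resolvers the organisation has approved (Quad9 and OpenDNS, as named above).
ALLOWED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "208.67.222.222", "208.67.220.220"}
# RFC 1918 ranges: a resolver here is the site's own internal server, not an Internet rewrite.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Authentication hostnames whose answers must agree with the trusted resolver.
AUTH_HOSTS = ("login.microsoftonline.com", "accounts.google.com")

def audit_resolvers(router_dns):
    """Flag configured resolvers that are neither approved nor internal.
    router_dns maps a router label to the resolver list read from its admin page;
    a public resolver outside the allow-list is the classic sign of a rewritten setting."""
    findings = []
    for router, resolvers in router_dns.items():
        for ip in resolvers:
            addr = ipaddress.ip_address(ip)
            if ip in ALLOWED_RESOLVERS or any(addr in net for net in INTERNAL_NETS):
                continue
            findings.append((router, "unauthorised_resolver", ip))
    return findings

def compare_answers(router_answers, trusted_answers):
    """Flag auth hostnames whose A records from the router's resolver share nothing with
    the trusted resolver's. Inputs map hostname -> set of IPs (e.g. gathered with dig)."""
    findings = []
    for host in AUTH_HOSTS:
        seen = router_answers.get(host, set())
        if not seen & trusted_answers.get(host, set()):
            findings.append((host, "answer_mismatch", sorted(seen)))
    return findings

# Constructed sample data; RFC 5737 documentation addresses stand in for real public IPs.
SAMPLE_ROUTER_DNS = {
    "office-tplink": ["198.51.100.53", "9.9.9.9"],  # first entry is not approved
    "branch-mikrotik": ["192.168.88.1"],            # internal resolver, acceptable
}
SAMPLE_ROUTER_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.7"},  # answer points at a foreign host
    "accounts.google.com": {"203.0.113.20"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10", "203.0.113.11"},
    "accounts.google.com": {"203.0.113.20"},
}
if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_ROUTER_DNS) + compare_answers(SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS):
        print(*f)
```

In practice the resolver lists come from each router's admin page and the answer sets from dig queries against both the router's resolver and a trusted one. Large identity providers return location-dependent answers, so compare against a trusted resolver in the same region and treat a mismatch as a trigger for inspection rather than proof of hijack.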
Boardroom Questions
- What inventory exists of all routers and network devices across our office locations, including their current firmware versions and administrative credentials?
- How does our current network architecture isolate SOHO routers from accessing critical business authentication systems?
- What monitoring capabilities can detect DNS hijacking attempts and unauthorised changes to our network infrastructure?
Quick Diagnostic
- Have you changed default administrative passwords on all office routers and network devices?
- Are your router firmware versions current with security patches applied within the last 90 days?
- Do you monitor DNS query patterns for unusual authentication redirect attempts?