Russian military intelligence has compromised thousands of UK business routers to create a global credential harvesting operation that redirects corporate internet traffic through malicious DNS servers. The National Cyber Security Centre issued an advisory yesterday revealing that APT28, also known as Fancy Bear, has weaponised vulnerable SOHO routers to steal Microsoft Office credentials and OAuth tokens from unsuspecting organisations.
The campaign demonstrates how nation-state actors are targeting foundational internet infrastructure to achieve mass surveillance capabilities. DNS hijacking allows attackers to intercept and redirect legitimate business communications by forcing traffic through attacker-controlled servers that can capture authentication credentials in real time.
Key Facts:
- Over 18,000 victims identified across 120 countries, with UK SMEs particularly targeted
- Campaign exploits vulnerable TP-Link and MikroTik routers using known CVEs from 2023-2024
- Malicious DNS servers harvest Microsoft Office 365 credentials and OAuth authentication tokens
- NCSC attributes operation to APT28, Russia's military intelligence cyber unit (GRU)
How Router Exploitation Enables Credential Theft
According to the NCSC advisory, APT28 identifies vulnerable routers through internet scanning and exploits unpatched CVEs to gain administrative access. Once compromised, the routers are reconfigured to use attacker-controlled DNS servers instead of legitimate ones. This redirection is invisible to end users but allows the threat actors to intercept authentication requests to Microsoft services.
When employees attempt to access Office 365, Teams, or other Microsoft services, their login credentials and OAuth tokens are captured by the attacker-controlled infrastructure that the malicious DNS answers route them through, before being relayed to the legitimate service. This technique provides persistent access to corporate accounts without triggering traditional security alerts, as the authentication appears successful to both the user and Microsoft's systems.
The operation primarily targets TP-Link Archer series routers and various MikroTik models commonly deployed in UK SMEs. Many organisations treat these devices as "set and forget" infrastructure, rarely applying firmware updates or monitoring for compromise indicators. This operational blind spot has enabled APT28 to maintain persistent access across thousands of networks simultaneously.
Why UK SMEs Face Disproportionate Risk
The targeting pattern reveals APT28's strategic focus on UK small and medium enterprises, which typically lack dedicated cybersecurity resources but handle valuable intellectual property and customer data. These organisations often rely on consumer-grade or entry-level business routers that receive infrequent security updates and limited monitoring.
UK SMEs also represent attractive intelligence targets due to their integration with larger supply chains and government contractors. Compromising credentials from multiple smaller organisations can provide lateral access into larger corporate networks or government systems through business partnership relationships.
The NCSC notes that many affected organisations remain unaware of the compromise, as the DNS hijacking operates transparently and maintains normal internet functionality while capturing credentials. This stealth approach enables long-term intelligence gathering operations that can persist for months or years without detection.
Immediate Technical Countermeasures
Organisations should immediately audit their router firmware versions against published CVE databases and apply all available security updates. The NCSC specifically highlights vulnerabilities CVE-2023-1389 and CVE-2024-21762 as primary attack vectors, though APT28 maintains an arsenal of router exploits spanning multiple manufacturers.
Network administrators must verify that corporate DNS settings point to trusted resolvers and implement DNS monitoring to detect unauthorised changes. Organisations should consider deploying DNS filtering services that can identify and block malicious domains associated with credential harvesting operations.
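The resolver hijack described in the sections above is the kind of drift this check is meant to surface. The script below is an added example, not code from the NCSC advisory or any vendor: it reads resolv.conf-style text, classifies each nameserver against a hypothetical allowlist and the RFC 1918 ranges, and then compares the answers the configured resolver gives for Microsoft login hostnames with answers from an out-of-band reference resolver, because a hijacked router still presents its normal LAN address to clients. All addresses, hostnames and sample data are constructed; wire `audit()` to your own resolver query in production.

```python
"""Audit endpoint DNS settings for the resolver drift described above. Added example,
not from the NCSC advisory; allowlist, hostnames and sample data are constructed."""
import ipaddress
import re
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}  # hypothetical allowlist
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_HOSTS = ("login.microsoftonline.com", "login.live.com")  # answers must match reference

def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]

def classify_resolver(addr):
    """Label an address: trusted, unlisted-internal, unexpected-external or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    if any(ip in net for net in INTERNAL_NETS):  # RFC 1918 but not on the allowlist
        return "unlisted-internal"
    return "unexpected-external"

def find_answer_mismatches(configured, reference):
    """Watched hosts whose configured-resolver answers share no address with the reference.
    A hijacked router still shows its usual LAN address to clients, so check answers too."""
    mismatches = {}
    for host in WATCHED_HOSTS:
        got, ref = set(configured.get(host, ())), set(reference.get(host, ()))
        if got and not (got & ref):
            mismatches[host] = sorted(got)
    return mismatches

def audit(resolv_text, configured, reference):
    """Return findings as strings; an empty list means no drift detected."""
    findings = [f"resolver {a}: {c}" for a in parse_resolv_conf(resolv_text)
                if (c := classify_resolver(a)) != "trusted"]
    for host, addrs in find_answer_mismatches(configured, reference).items():
        findings.append(f"{host}: configured resolver answered {addrs}, reference disagrees")
    return findings

# Constructed sample data (RFC 5737 documentation addresses, not real infrastructure).
SAMPLE_RESOLV = "# from DHCP (constructed)\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n"
SAMPLE_CONFIGURED = {"login.microsoftonline.com": ["203.0.113.20"], "login.live.com": ["198.51.100.20"]}
SAMPLE_REFERENCE = {"login.microsoftonline.com": ["198.51.100.10", "198.51.100.11"],
                    "login.live.com": ["198.51.100.20"]}
if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV, SAMPLE_CONFIGURED, SAMPLE_REFERENCE):
        print(finding)
```

On the constructed sample it reports the unexpected external resolver and the diverging answer for login.microsoftonline.com, while the unchanged login.live.com answer produces no finding.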
Authentication systems require immediate review to identify potentially compromised OAuth tokens and force password resets for affected accounts. The recent surge in automated credential harvesting campaigns demonstrates how stolen credentials are rapidly monetised through secondary attacks.
Boardroom Questions
- What firmware update procedures exist for our network infrastructure, and when were our routers last patched against known vulnerabilities?
- How do we monitor for DNS configuration changes across our network, and what alerts would indicate potential compromise?
- What authentication token management policies are in place to detect and revoke compromised Microsoft Office 365 access credentials?
Quick Diagnostic
- Have you applied firmware updates to your TP-Link or MikroTik routers within the past six months?
- Do you have monitoring in place to detect changes to your network's DNS configuration?
- Can you identify and revoke all active OAuth tokens for your Microsoft 365 environment if compromise is suspected?