Russian state hackers are hijacking TP-Link and MicroTik routers to steal Outlook credentials, cybersecurity center warns — APT28 group targets DNS and redirects traffic to attacker-controlled servers

The UK National Cyber Security Centre (NCSC) on Tuesday published an advisory warning that Russian state hacking group APT28 has been exploiting vulnerable small office and home office (SOHO) routers since 2024 to overwrite their DHCP and DNS settings, redirecting downstream traffic through attacker-controlled DNS servers to harvest passwords and authentication tokens for web and email services. The NCSC assesses that APT28 is "almost certainly" the Russian Main Intelligence Directorate (GRU)'s 85th Main Special Service Centre, Military Intelligence Unit 26165.

According to the advisory, the actor has been configuring virtual private servers to act as malicious DNS resolvers, then pointing compromised SOHO routers at them by rewriting the routers' DHCP DNS settings. Laptops, phones, and other downstream devices on the network inherit those settings automatically and begin sending lookups to the attacker-controlled infrastructure.

Lookups for domains tied to targeted services, such as login pages, get pointed to further attacker-owned IPs that host adversary-in-the-middle infrastructure. Meanwhile, requests outside the targeting criteria are resolved to the legitimate addresses to avoid breaking the connection.

Article continues below

Once a victim connects through the attacker's infrastructure, APT28 attempts to capture passwords and OAuth or similar authentication tokens from both browser sessions and desktop applications. Targeted domains listed in the advisory include autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, and outlook.office365.com.

The TP-Link WR841N router is named by the NCSC as one of the models APT28 has been exploiting, likely using CVE-2023-50224, an unauthenticated information disclosure flaw that allows an attacker to retrieve credentials through an HTTP GET request. When the threat actor has the router’s credentials, a second GET request rewrites the DHCP DNS settings, setting the primary DNS to a malicious IP and the secondary to the original primary.

The advisory lists more than 20 additional TP-Link models targeted in the campaign, including the Archer C5 and C7, the WDR3500, WDR3600, and WDR4300, the WR1043ND, the MR3420 and MR6400 LTE routers, and several variants of the WR740N, WR840N, WR841N, WR842N, WR845N, and WR941ND. A second cluster of attacker infrastructure received DNS requests forwarded from compromised MikroTik routers as well as TP-Link gear, and was also used in interactive operations against a smaller set of MikroTik routers "often located in Ukraine" that the NCSC said were likely of intelligence value.

The NCSC describes the campaign as opportunistic, with APT28 casting a wide net across exposed routers and then filtering the resulting victim pool for targets of intelligence interest at each stage. In terms of mitigation, the NCSC recommends the usual advice of keeping router firmware updated, never exposing management interfaces to the internet, and enabling multi-factor authentication on accounts that could be vulnerable to credential theft.

APT28, also tracked as Fancy Bear, Forest Blizzard, and Sofacy, has previously been linked by the NCSC to the 2015 hack of the German Bundestag and the 2018 attempted intrusion at the Organisation for the Prohibition of Chemical Weapons.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.