A sophisticated cyber-espionage campaign by Russian state-sponsored hackers, tracked as APT28 (also known as Forest Blizzard or Fancy Bear), is exploiting thousands of vulnerable home and small-office routers to conduct large-scale credential theft. The technique is DNS hijacking: the attackers change the routers' DNS settings so that victims' name lookups go to attacker-controlled servers, which lets them redirect traffic, intercept sensitive user data and use the stolen credentials to reach corporate networks.
Key Takeaways
- Russian hackers are exploiting vulnerable routers, particularly TP-Link WR841N models, using DNS hijacking to steal credentials.
- The attacks target Small Office/Home Office (SOHO) devices, bypassing traditional enterprise security measures.
- APT28, linked to Russian military intelligence, is behind the campaign, aiming for cyber-espionage and intelligence gathering.
- The campaign has impacted over 200 organisations across various sectors, including government, IT, and energy.
The DNS Hijacking Method
APT28 manipulates the Domain Name System (DNS) settings on compromised routers. By overwriting the router's default DNS configuration, they cause every client behind it to send name lookups to DNS servers the attackers control. The attackers can then answer lookups for legitimate services, including email and cloud platforms such as Microsoft 365, with addresses of their own infrastructure and run Adversary-in-the-Middle (AitM) attacks to steal login credentials and OAuth tokens. A hijacked DNS answer on its own does not defeat TLS: a client connecting to the real hostname rejects a server that cannot present a certificate valid for that name, so the attacker additionally needs the victim to accept a certificate warning or to land on an attacker-controlled domain. This is why the mitigation advice below includes certificate pinning on managed endpoints.
Exploiting Vulnerable Routers
The campaign specifically targets routers with known vulnerabilities, such as CVE-2023-50224 in TP-Link TL-WR841N routers, an improper-authentication flaw that allows information disclosure. Attackers gain access by exploiting weak or default administrative passwords or unpatched security flaws. Once they have administrative access, they change the router's upstream DNS server settings, so that every device behind it is directed through their infrastructure. MikroTik routers have also been exploited in follow-on attacks, particularly in Ukraine.
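The two symptoms described above can be checked from a client behind the router: which resolvers the router hands out, and whether sensitive hostnames resolve into the provider's expected address ranges. The following Python script is an added example by the editor, not code from the NCSC alert or from any of the sources; the trusted-resolver list, the expected prefixes, and the sample resolv.conf and DNS answers are all constructed assumptions for illustration.

```python
"""Spot-check a SOHO network for the two symptoms of a router DNS hijack:
rogue resolvers handed to LAN clients, and identity/mail hostnames resolving
to addresses outside the provider's expected ranges.
Added example; all data below is constructed, not captured from an incident."""

import ipaddress

# Public resolvers the organisation accepts on employees' home networks (assumption).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# The router's own LAN address is a normal resolver for clients; what it
# forwards to upstream is what the second check covers.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-host address ranges verified as legitimate. Illustrative values: replace
# them with the provider's published ranges or your own resolver logs, because
# geo-aware DNS means "same answer as 8.8.8.8" comparisons produce false alarms.
EXPECTED_PREFIXES = {
    "login.microsoftonline.com": ("20.190.128.0/18", "40.126.0.0/18"),
    "outlook.office365.com": ("40.96.0.0/13", "52.96.0.0/14"),
}

# Constructed resolv.conf as a client would receive it from a tampered router:
# the router itself plus an attacker-controlled upstream (TEST-NET-2 address).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Constructed A-record answers from the local resolver. 203.0.113.10 (TEST-NET-3)
# stands in for an AitM proxy; 40.99.10.5 is inside an expected Exchange range.
LOCAL_ANSWERS = {
    "login.microsoftonline.com": ["203.0.113.10"],
    "outlook.office365.com": ["40.99.10.5"],
}


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Flag resolvers that are neither trusted public resolvers nor LAN addresses."""
    flagged = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # unparseable entry: treat as suspicious
            continue
        if server in trusted or any(ip in net for net in RFC1918_NETS):
            continue
        flagged.append(server)
    return flagged


def unexpected_answers(answers, expected=EXPECTED_PREFIXES):
    """Return (host, ip) pairs where a sensitive host resolved outside its expected ranges."""
    findings = []
    for host, prefixes in expected.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for addr in answers.get(host, ()):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                findings.append((host, addr))
    return findings


def run_check(resolv_conf=SAMPLE_RESOLV_CONF, answers=LOCAL_ANSWERS):
    """Combine both checks into one report; 'hijack_suspected' is the headline."""
    rogue = rogue_resolvers(parse_resolv_conf(resolv_conf))
    bad = unexpected_answers(answers)
    return {
        "rogue_resolvers": rogue,
        "unexpected_answers": bad,
        "hijack_suspected": bool(rogue or bad),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed hijack flagged on both counts; on a real machine, feed the contents of /etc/resolv.conf and the A records returned by the local resolver into run_check(). The prefix allowlist is the important design choice: a naive comparison of the local answer against a public resolver's answer is not enough, because geo-aware DNS legitimately returns different addresses in different locations.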
Broader Implications and Targets
Although initial access is opportunistic, APT28 then selects high-value organisations from the data it gathers. The campaign has affected over 200 organisations across government, IT, telecommunications and energy sectors. The method sidesteps robust enterprise security controls by compromising the less protected home networks of employees, turning their personal routers into entry points for corporate espionage.
Defence and Mitigation Strategies
Security experts recommend several measures to counter this threat. Organisations should lock down router management interfaces (for example, by disabling administration from the WAN side), keep all devices and software updated, and run robust security monitoring, including alerting on DNS settings that change unexpectedly. Remote workers should set strong, unique passwords on their routers and enable multi-factor authentication (MFA) wherever possible. Organisations are also advised to mandate phishing-resistant hardware security keys and to implement certificate pinning on corporate-managed endpoints; both blunt AitM credential theft, because a hardware key is bound to the genuine origin and will not authenticate to a proxy on another domain, and pinning rejects a proxy's certificate even if the user would have accepted it.
Sources
- NCSC Alert: Large-Scale Credential Theft by Russian Hackers Employs DNS Hijacking via Exploited Routers, CPO Magazine.
- 'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are hitting TP-Link home routers to hijack internet traffic, TechRadar.
- Recent Article Shows 26 Routers in Clear Suspicious Behavior Involving Injection or Credential Theft, Tekedia.