NCSC issues alert over Russian hacker campaign targeting SOHO routers

The APT28 group has exploited vulnerable internet routers to covertly reroute internet traffic through malicious servers


The National Cyber Security Centre (NCSC) has uncovered two new Russian-linked campaigns aimed at harvesting login credentials from personal web and email services.

The APT28 group, also known as Fancy Bear or Forest Blizzard, has exploited vulnerable internet routers to enable Domain Name System (DNS) hijacking - allowing it to intercept traffic and steal sensitive data including passwords and access tokens.

In an advisory on 7 April, the security agency said the activity appears to be opportunistic in nature, starting with a scattergun approach to reach large numbers of potential victims. The threat actors then home in on targets of interest as the attack develops.

Attackers redirect traffic through DNS servers under their control, with the resulting malicious DNS resolutions enabling adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens, and other credentials for web- and email-related services.

The NCSC said it believes APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre Military Intelligence Unit 26165.

This group is believed to have been behind an attack against the German parliament in 2015, which led to data theft and disrupted the email accounts of German members of parliament and the vice chancellor, as well as an attempted attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018.

That particular attack was aimed at disrupting the independent analysis of chemicals weaponized by the GRU in the UK.

Microsoft issues separate alert

In a separate alert, Microsoft has issued a similar warning, saying that the group has been carrying out this activity since at least August 2025.

"By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments," it said.

"Microsoft Threat Intelligence has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure."

SOHO routers targeted in campaign

The first cluster of activity identified by the NCSC saw the DHCP DNS server settings of compromised small office/home office (SOHO) routers modified to include IP addresses owned by the attackers.

These settings were subsequently inherited by downstream devices such as laptops and phones.

Lookups for domain names containing key terms associated with particular services - frequently email applications or login pages - would be resolved by the malicious DNS servers to further IP addresses controlled by the group.

DNS requests that don't match the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the services being requested.

The group would then attempt to conduct AitM attacks against both user browser sessions and desktop applications, aiming to harvest user account credentials.
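The two detection checks that follow from this description are (a) whether the DNS servers a router hands out via DHCP are the ones the organisation expects, and (b) whether the configured resolver answers differently from an independent, trusted resolver for login and mail hostnames, since the selective hijacking described above diverges only for targeted names. The script below is an added example written for this article, not code from the NCSC or Microsoft advisories. All IP addresses, hostnames and resolver answers in it are constructed from documentation ranges; the two lookup functions are stand-ins for real DNS queries (for instance via dnspython's `dns.resolver.Resolver` with `nameservers` set explicitly), so that the example runs offline.

```python
"""Detection checks for DHCP-delivered DNS hijacking (added example)."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Resolvers we expect DHCP on the local network to advertise (constructed values).
EXPECTED_DNS: Set[str] = {"192.0.2.53", "192.0.2.54"}

# Hostnames worth checking: the advisory notes the actor keyed on terms
# associated with email applications and login pages (constructed names).
SAMPLE_DOMAINS: List[str] = [
    "mail.example.com",
    "login.example.net",
    "www.example.org",
]

# Constructed answers. 198.51.100.0/24 stands in for the legitimate service
# addresses; 203.0.113.0/24 stands in for attacker-controlled addresses.
_REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.net": {"198.51.100.20"},
    "www.example.org": {"198.51.100.30"},
}
# A selectively hijacked resolver: only the mail/login names are redirected,
# everything else is answered honestly so the user notices nothing.
_CONFIGURED_ANSWERS: Dict[str, Set[str]] = {
    "mail.example.com": {"203.0.113.10"},
    "login.example.net": {"203.0.113.20"},
    "www.example.org": {"198.51.100.30"},
}


def reference_lookup(name: str) -> Set[str]:
    """Stand-in for a query to a trusted, independently reached resolver."""
    return set(_REFERENCE_ANSWERS.get(name, set()))


def configured_lookup(name: str) -> Set[str]:
    """Stand-in for a query to the resolver the host learned from DHCP."""
    return set(_CONFIGURED_ANSWERS.get(name, set()))


def unexpected_dhcp_dns(offered: Iterable[str], expected: Set[str]) -> List[str]:
    """Return DHCP-advertised DNS servers that are not on the expected list.

    `offered` is whatever the DHCP OFFER/ACK carried in option 6; on Linux it
    can be read from the lease file, on Windows from `ipconfig /all`.
    """
    return sorted(set(offered) - set(expected))


def compare_resolutions(
    domains: Iterable[str],
    configured: Callable[[str], Set[str]],
    reference: Callable[[str], Set[str]],
) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return the domains whose answers differ between the two resolvers.

    Each value is (configured_answer, reference_answer). Divergence limited to
    a handful of credential-bearing names, with everything else agreeing, is
    the pattern the advisory describes.
    """
    diverging: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for name in domains:
        got, want = configured(name), reference(name)
        if got != want:
            diverging[name] = (got, want)
    return diverging


def report(offered_dns: Iterable[str]) -> List[str]:
    """Run both checks and return human-readable findings (empty if clean)."""
    findings: List[str] = []
    for server in unexpected_dhcp_dns(offered_dns, EXPECTED_DNS):
        findings.append(f"DHCP advertised unexpected DNS server {server}")
    for name, (got, want) in compare_resolutions(
        SAMPLE_DOMAINS, configured_lookup, reference_lookup
    ).items():
        findings.append(
            f"{name}: configured resolver answered {sorted(got)}, "
            f"reference resolver answered {sorted(want)}"
        )
    return findings


if __name__ == "__main__":
    # Constructed DHCP option 6 contents: one legitimate resolver and one that
    # a compromised router has injected.
    for line in report(["192.0.2.53", "203.0.113.9"]):
        print(line)
```

One caveat when running this against live resolvers: CDN-fronted services legitimately return different addresses depending on where the query comes from, so a reference resolver in the same region, or a follow-up check that the returned address presents a valid certificate for the hostname, is needed to avoid false positives. The DHCP check has no such ambiguity and is the cheaper alert to wire into monitoring.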

In the second cluster of activity, some servers received DNS requests via compromised devices including models of MikroTik and TP-Link routers. The DNS requests were forwarded from these servers to other servers under the group's control, the NCSC noted.

This cluster of infrastructure was also involved in interactive operations against a small number of MikroTik routers, mostly located in Ukraine, and probably of intelligence value to the actor.

"This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors," said Paul Chichester, NCSC director of operations.

"We strongly encourage organizations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice."

The NCSC advises organizations to protect the management interfaces of their systems, keep devices, networks, and software up to date, set up a security monitoring capability, and add applications to an allowlist.

They should also deploy a host-based intrusion detection system and use multi-factor authentication (MFA).


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.