Executive Summary
In 2025, the Russian state-sponsored cyber group APT28, also known as Fancy Bear, exploited vulnerabilities in MikroTik and TP-Link routers to conduct a large-scale DNS hijacking campaign. By compromising these routers, APT28 redirected internet traffic through attacker-controlled servers, enabling adversary-in-the-middle attacks that harvested credentials from web and email services. This operation targeted a broad range of victims, including organizations linked to the UK Ministry of Defence and NATO logistics contractors, posing significant risks of credential theft, data manipulation, and broader network compromise. (ncsc.gov.uk)
This incident underscores the critical importance of securing network infrastructure against sophisticated state-sponsored threats. The exploitation of widely used routers highlights the need for organizations to implement robust security measures, including regular firmware updates, strong authentication protocols, and continuous monitoring to detect and mitigate such attacks.
Why This Matters Now
The APT28 DNS hijacking campaign exemplifies the evolving tactics of state-sponsored actors targeting network infrastructure to facilitate espionage and data theft. As similar techniques continue to emerge, organizations must prioritize the security of their network devices to prevent unauthorized access and protect sensitive information.
Attack Path Analysis
APT28 exploited vulnerabilities in MikroTik and TP-Link routers to gain initial access, escalated privileges by modifying DNS settings, moved laterally by intercepting network traffic, established command and control through malicious DNS servers, exfiltrated credentials via adversary-in-the-middle attacks, and impacted organizations by compromising sensitive data.
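The hijack described above leaves two observable traces on the victim network: the router hands clients resolvers that are not the organization's own, and those resolvers return addresses for sensitive names that differ from what a trusted out-of-band resolver returns. The following added example (not from the advisory or any of the cited sources) implements both checks over constructed sample data; the allowlist, the sentinel names and the TEST-NET addresses are all assumptions.

```python
"""Added example, not from the advisory: two defender-side checks for the
router-based DNS hijacking described above. All inputs are constructed sample
data (assumed allowlist, assumed sentinel names, TEST-NET addresses)."""
import ipaddress

# Resolvers the organization itself operates or sanctions (assumed allowlist).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample: DNS servers the router pushed to clients (DHCP option 6).
# 203.0.113.7 is a TEST-NET address standing in for an attacker-controlled resolver.
OBSERVED_DHCP_DNS = ["10.0.0.53", "203.0.113.7"]

# Constructed sample answers for sentinel names: what the router-provided resolver
# returned, versus the set of legitimate addresses learned out of band (a set,
# because CDN round-robin legitimately yields several addresses for one name).
ROUTER_ANSWERS = {"mail.example.com": "203.0.113.9", "www.example.com": "198.51.100.21"}
TRUSTED_ANSWERS = {"mail.example.com": {"198.51.100.10"},
                   "www.example.com": {"198.51.100.20", "198.51.100.21"}}

def unexpected_resolvers(observed, allowed):
    """Resolvers handed out by the router that are not on the allowlist."""
    rogue = []
    for addr in observed:
        ipaddress.ip_address(addr)  # malformed data should fail loudly, not be skipped
        if addr not in allowed:
            rogue.append(addr)
    return rogue

def diverging_answers(router, trusted):
    """Sentinel names whose router-resolved address is outside the legitimate set."""
    return sorted(name for name, ok in trusted.items() if router.get(name) not in ok)

def assess(observed, allowed, router, trusted):
    """Combine both checks into one verdict an analyst can act on."""
    rogue = unexpected_resolvers(observed, allowed)
    divergent = diverging_answers(router, trusted)
    return {"rogue_resolvers": rogue,
            "divergent_names": divergent,
            "suspect_hijack": bool(rogue or divergent)}

if __name__ == "__main__":
    print(assess(OBSERVED_DHCP_DNS, ALLOWED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

In a real deployment the observed resolvers would come from client leases or DHCP captures, and the trusted answers from a resolver reached over a path the router cannot influence (for example DNS over TLS to a known upstream).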
Kill Chain Progression
Initial Compromise
Description
APT28 exploited known vulnerabilities in MikroTik and TP-Link routers to gain unauthorized access.
Related CVEs
CVE-2023-50224
CVSS 6.5. An authentication bypass vulnerability in TP-Link WR841N routers allows unauthenticated attackers to extract stored credentials via specially crafted HTTP GET requests.
Affected Products:
TP-Link WR841N – All versions prior to the patch
Exploit Status:
exploited in the wild
CVE-2018-1156
CVSS 8.8. An authenticated remote code execution vulnerability in MikroTik RouterOS allows attackers to execute arbitrary code on the system.
Affected Products:
MikroTik RouterOS – All versions prior to 6.42.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Adversary-in-the-Middle
Acquire Infrastructure: DNS Server
Acquire Infrastructure: Virtual Private Server
Compromise Infrastructure: Network Devices
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
APT28's router compromise campaign directly targets telecom infrastructure, enabling DNS hijacking for state-sponsored espionage through compromised SOHO networking equipment.
Government Administration
Russian state-linked APT28 espionage campaign poses critical threats to government networks through compromised routers, requiring enhanced egress security and segmentation controls.
Computer/Network Security
Security sector faces direct impact from APT28's router exploitation techniques, demanding improved threat detection capabilities and zero trust network architectures.
Financial Services
Banking networks vulnerable to APT28's DNS hijacking through compromised routers, requiring encrypted traffic controls and enhanced multicloud visibility for compliance protection.
Sources
- Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign: https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
- APT28 exploit routers to enable DNS hijacking operations: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
- Multiple Vulnerabilities Discovered in MikroTik's RouterOS: https://www.tenable.com/blog/tenable-research-advisory-multiple-vulnerabilities-discovered-in-mikrotiks-routeros
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because it could limit the attacker's ability to exploit router vulnerabilities, manipulate DNS settings, and intercept network traffic, thereby reducing the potential blast radius of such attacks.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit router vulnerabilities would likely be constrained, reducing unauthorized access opportunities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to alter DNS settings would likely be limited, reducing the risk of traffic redirection.
Control: East-West Traffic Security
Mitigation: The attacker's ability to intercept and manipulate internal network traffic would likely be constrained, reducing lateral movement opportunities.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be limited, reducing the effectiveness of malicious DNS configurations.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of credential theft.
The attacker's ability to access and exploit sensitive data would likely be limited, reducing the overall impact of the breach.
Impact at a Glance
Affected Business Functions
- Network Security
- User Authentication
- Data Privacy
Estimated downtime: 7 days
Estimated loss: $500,000
User credentials and sensitive organizational data intercepted through DNS hijacking.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the impact of compromised devices.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Deploy Multicloud Visibility & Control solutions to monitor and manage network traffic across all environments.
- Utilize Threat Detection & Anomaly Response tools to identify and respond to suspicious activities promptly.
- Regularly update and patch network devices to mitigate known vulnerabilities and reduce the risk of exploitation.