Skip to main content
Emerging ThreatsMalware & Ransomware

APT28 Hijacks Routers to Steal Credentials via Malicious DNS Servers

APT28 Hijacks Routers to Steal Credentials via Malicious DNS Servers

When the address you type into a browser no longer leads where you expect, whose fault is it — the website, your internet provider, or an invisible hand rerouting your traffic? That is the dilemma posed by a recent warning from the UK security agency: a state-linked hacking group has been quietly repurposing infrastructure to intercept credentials.

What the UK security agency reported

The UK security agency warned that Russian APT28 actors have been hijacking routers to steal credentials. The agency linked newly identified malicious campaigns to virtual private servers that APT28 modified to operate as malicious DNS servers. In short, the group is manipulating name resolution and routing infrastructure to capture user authentication data.

How the campaign is described

According to the agency's notice, APT28 is not merely compromising single endpoints but is using altered virtual private servers as part of a broader DNS‑level operation. Those servers are being used as malicious DNS resolvers — systems that can redirect domain name lookups — and the group is combining that capability with router hijacking to intercept credentials. The campaigns were described as newly identified by the agency, indicating recent detection rather than an isolated incident.

Why this matters

  • Credentials at risk: By redirecting DNS queries and hijacking routing, attackers can place themselves between users and legitimate services, creating opportunities to collect usernames, passwords, and other authentication data.
  • Infrastructure abuse: The use of modified virtual private servers as malicious DNS servers shows adversaries adapting cloud and hosting resources to persist and scale their operations beyond single compromised devices.
  • Detection and attribution challenges: DNS manipulation and router compromise can be stealthy; defenders may see legitimate-looking traffic even while credentials are siphoned off, complicating investigation and mitigation.

Perspectives and implications

Technologists will see this as a reminder that DNS and routing are high-value targets: defenders must monitor resolver behavior and the provenance of DNS responses. Policymakers and national security officials face the question of how to respond when a state-linked group repurposes widely available infrastructure to conduct espionage or criminal operations. Ordinary users are put in the uncomfortable position of needing to assume that credential theft can occur upstream of the websites they visit, which emphasizes the importance of multi-factor authentication and vigilance, even when connections appear normal. Adversaries gain tactical advantage from blending cloud resources and network-level manipulation, creating operations that are harder to disrupt without coordinated action across providers and governments.

The UK security agency's warning does not exhaust the technical or diplomatic fallout of these tactics. If routers and DNS resolvers become reliable vectors for credential theft, defenders must decide whether to focus on hardening endpoints, locking down network infrastructure, or pursuing international measures against the platforms that host malicious resolvers. Which of those levers will prove most effective remains the pressing question.

https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/