The UK’s National Cyber Security Centre (NCSC) has issued a warning regarding ongoing attacks by the Russian group APT28, also known as Fancy Bear. The group is reportedly exploiting vulnerabilities in small office/home office (SOHO) routers to steal sensitive information, including passwords.
Attack Methodology
APT28 is changing the DNS server settings of compromised routers so that users are redirected to malicious websites that mimic legitimate services. For instance, victims looking for Outlook may be led to a counterfeit login page where they inadvertently enter their credentials. Because every device behind the router inherits its DNS settings, the tactic affects not only the compromised router itself but also downstream devices such as laptops and smartphones, which are silently steered to the attacker-controlled connections.
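The following is an added illustration of how a defender can check for the router-level DNS hijack described above; it is not code from the NCSC advisory or from this article. It assumes a host can read the resolver its router handed out (resolv.conf-style text) and compare answers for high-value names against an independent trusted resolver; all addresses, names and answers are constructed sample data.

```python
"""Defender-side check for router DNS hijacking (added example, constructed data).

Two signals are combined:
  1. the resolver the router hands out is not one the operator expects, and
  2. answers from that resolver for high-value names share no address with
     answers from an independent trusted resolver.
All IPs use RFC 5737 documentation ranges; mail.example.com stands in for a
webmail login page such as the Outlook lookalike mentioned in the article.
"""
import ipaddress
from typing import Iterable

def parse_resolv_conf(text: str) -> list[str]:
    """Extract valid nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries instead of crashing
    return servers

def unexpected_resolvers(configured: Iterable[str], allowed: Iterable[str]) -> list[str]:
    """Resolvers in use that are not on the operator's allowlist."""
    allowed_set = {str(ipaddress.ip_address(a)) for a in allowed}
    return [r for r in configured if r not in allowed_set]

def divergent_answers(router_answers: dict[str, set[str]],
                      trusted_answers: dict[str, set[str]]) -> dict[str, tuple[set, set]]:
    """Names whose router-resolver answers overlap nothing the trusted resolver returned.
    CDN-backed names legitimately vary, so treat a hit as a lead to corroborate,
    not as proof on its own."""
    out = {}
    for name, trusted in trusted_answers.items():
        seen = router_answers.get(name, set())
        if seen and not (seen & trusted):
            out[name] = (seen, trusted)
    return out

# Constructed sample: resolv.conf of a LAN host after the router's DNS was changed.
SAMPLE_RESOLV_CONF = "# constructed sample\nsearch lan\nnameserver 192.0.2.53\n"
ALLOWED_RESOLVERS = ["203.0.113.1", "203.0.113.2"]          # ISP resolvers (constructed)
ROUTER_ANSWERS = {"mail.example.com": {"198.51.100.77"},      # lookalike host (constructed)
                  "example.net": {"203.0.113.80"}}
TRUSTED_ANSWERS = {"mail.example.com": {"203.0.113.10", "203.0.113.11"},
                   "example.net": {"203.0.113.80"}}

def run_check() -> dict:
    """Run both checks over the constructed sample and return the findings."""
    configured = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {"unexpected_resolvers": unexpected_resolvers(configured, ALLOWED_RESOLVERS),
            "divergent": sorted(divergent_answers(ROUTER_ANSWERS, TRUSTED_ANSWERS))}

if __name__ == "__main__":
    print(run_check())
```

In a real deployment the two answer dictionaries would be filled by querying the router-supplied resolver and an out-of-band trusted resolver for the same names.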
Affected Devices and Scope
TP-Link routers have been highlighted as targets in this activity, although Cisco routers have previously been involved in similar campaigns. The NCSC has been monitoring these attacks since 2021, and a separate cluster of activity has also targeted MikroTik routers. Many of the compromised devices are believed to be located in Ukraine, suggesting a military intelligence objective behind the attacks.
Impact and Recommendations
According to Microsoft, over 200 organizations and approximately 5,000 consumer devices have been impacted by APT28’s malicious DNS infrastructure. However, telemetry data did not indicate any compromise of Microsoft-owned assets or services. The NCSC emphasizes that this activity illustrates how vulnerabilities in widely used network devices can be exploited by sophisticated threat actors.
Ongoing Monitoring and Guidance
Paul Chichester, director of operations at the NCSC, urged organizations and network defenders to familiarize themselves with the techniques outlined in their advisory and to implement the recommended mitigations. The NCSC remains committed to exposing Russian cyber activities and providing guidance to safeguard UK networks.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.