APT28 exploit routers to enable DNS hijacking operations

Russian state-sponsored threat actor APT28 is exploiting vulnerable SOHO routers to modify DHCP and DNS settings, redirecting user traffic to malicious infrastructure. This DNS hijacking facilitates Adversary-in-the-Middle (AitM) attacks designed to harvest credentials and OAuth tokens for web and email services.

Sens: Immediate · Conf: high · Analyzed: 2026-04-07

Authors: NCSC

Actors: APT28, Forest Blizzard, Fancy Bear, STRONTIUM, Sednit Gang, Sofacy, GRU Unit 26165

Source: NCSC

IOCs · 2

Key Takeaways

  • APT28 is actively exploiting vulnerable SOHO routers (e.g., TP-Link, MikroTik) to alter DHCP and DNS settings.
  • The threat actors use CVE-2023-50224 to extract credentials and modify DNS configurations via crafted HTTP GET requests.
  • Malicious DNS servers redirect queries for targeted services (like Outlook) to attacker-controlled infrastructure.
  • The redirected traffic facilitates Adversary-in-the-Middle (AitM) attacks to harvest passwords and OAuth tokens.
  • The campaign is opportunistic, targeting a wide pool of victims before filtering for users of intelligence value.

Affected Systems

  • TP-Link SOHO Routers (e.g., WR841N, MR6400, Archer C5/C7)
  • MikroTik Routers
  • Downstream devices (laptops, phones) inheriting compromised DHCP settings

Vulnerabilities (CVEs)

  • CVE-2023-50224

Attack Chain

APT28 identifies vulnerable internet-facing SOHO routers and exploits them using public vulnerabilities like CVE-2023-50224 via crafted HTTP GET requests. The attackers extract router credentials and send subsequent requests to alter the router's DHCP DNS settings to point to actor-controlled VPS infrastructure. Downstream devices inherit these malicious DNS settings, causing queries for targeted domains (like Outlook) to resolve to attacker IPs. The attackers then perform Adversary-in-the-Middle (AitM) attacks to intercept and harvest user credentials and OAuth tokens.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides raw indicators of compromise (IPs, targeted domains) and VPS banner patterns, but does not include pre-built detection rules.

Detection Engineering Assessment

  • EDR Visibility: Low. The core exploitation occurs on network routers, and the resulting AitM traffic appears as normal browser activity to the endpoint EDR, albeit directed to a malicious IP.
  • Network Visibility: High. Network sensors can detect anomalous DNS queries, unexpected DNS server IP assignments, and HTTP GET requests targeting router management interfaces.
  • Detection Difficulty: Moderate. Detecting the activity requires a baseline of normal DNS servers for endpoints and active monitoring of SOHO router management interfaces, which are often unmanaged in BYOD/remote work scenarios.

Required Log Sources

  • DNS Query Logs
  • Network Flow Logs
  • Router Access Logs
  • Authentication Logs (Cloud/IdP)

Hunting Hypotheses

  • Hypothesis: Endpoints are making DNS queries to non-standard, external IP addresses instead of corporate or ISP-provided DNS servers.
    • Telemetry: Network Flow Logs, DNS Query Logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
  • Hypothesis: Unusual HTTP GET requests are targeting the management interfaces of SOHO routers, particularly attempting to access credential or configuration endpoints.
    • Telemetry: Router Access Logs, WAF Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Low
  • Hypothesis: Successful logins to corporate cloud services (like Office 365) are originating from unknown or suspicious IP addresses, indicating potentially stolen session tokens from AitM attacks.
    • Telemetry: Authentication Logs (Cloud/IdP)
    • ATT&CK Stage: Credential Access
    • FP Risk: Medium

Control Gaps

  • Lack of management interface isolation on SOHO routers
  • Insufficient monitoring of DHCP-assigned DNS settings on endpoints

Key Behavioral Indicators

  • Unexpected changes to endpoint DNS configurations
  • Connections to known malicious VPS IPs
  • Presence of 'dnsmasq-2.85' on UDP 53 combined with SSH on non-standard ports (56777, 35681)
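The first hunting hypothesis (DNS traffic to non-standard external resolvers) and the VPS banner indicator above can both be turned into simple detection logic. The following is an added example written for this page, not code from NCSC or from the report: it parses constructed flow-log lines, flags endpoints whose DNS traffic goes to a resolver outside an allowlist, matches destinations against a subset of the report's IOC IPs, and checks a constructed port/banner inventory for the two VPS banner patterns (dnsmasq-2.85 on UDP 53 together with SSH on TCP 56777 or 35681). The approved resolvers (10.0.0.53, 10.0.1.53), the flow-log format, the sample endpoint addresses and the public resolver 8.8.8.8 used as a benign-but-unapproved case are all assumptions for the example.

```python
"""Hunt for rogue DNS resolvers and APT28-style VPS banner patterns.

Added example, not part of the NCSC report. Log format, resolver
allowlist and sample hosts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the IOC IPs listed in the report, copied in defanged form.
APT28_DNS_IOCS_DEFANGED = [
    "5[.]226[.]137[.]230", "37[.]221[.]64[.]77", "64[.]44[.]154[.]237",
    "79[.]141[.]173[.]123", "185[.]237[.]166[.]56",
]


def refang(ip: str) -> str:
    """Turn '5[.]226[.]137[.]230' into '5.226.137.230' and validate it."""
    return str(ipaddress.ip_address(ip.replace("[.]", ".")))


APT28_DNS_IOCS = {refang(ip) for ip in APT28_DNS_IOCS_DEFANGED}

# Resolvers endpoints are expected to use (assumed values for the example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str):
    """Parse a constructed 'src dst proto dport' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    src, dst, proto, dport = parts
    return src, dst, proto.lower(), int(dport)


def hunt_rogue_dns(flow_lines, approved=APPROVED_RESOLVERS, iocs=APT28_DNS_IOCS):
    """Return findings for DNS (port 53) traffic to IOC or unapproved resolvers."""
    findings = []
    for line in flow_lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than crash the hunt
        src, dst, proto, dport = rec
        if proto not in ("udp", "tcp") or dport != 53:
            continue  # only resolver traffic is of interest here
        if dst in iocs:
            findings.append(Finding(src, dst, "dns-to-known-apt28-ioc"))
        elif dst not in approved:
            findings.append(Finding(src, dst, "dns-to-unapproved-resolver"))
    return findings


# SSH ports named in the report's two VPS banner patterns.
SSH_PORTS_OF_INTEREST = {56777: "Pattern 1", 35681: "Pattern 2"}


def match_vps_banner(services):
    """services: iterable of (proto, port, banner). Returns the pattern label or None.

    Both halves must be present: dnsmasq-2.85 on UDP 53 alone, or an SSH
    service on one of the ports alone, is not a match.
    """
    has_dnsmasq = any(p == "udp" and port == 53 and "dnsmasq-2.85" in banner
                      for p, port, banner in services)
    if not has_dnsmasq:
        return None
    for proto, port, banner in services:
        if proto == "tcp" and port in SSH_PORTS_OF_INTEREST and banner.upper().startswith("SSH"):
            return SSH_PORTS_OF_INTEREST[port]
    return None


# Constructed sample data (not real telemetry).
SAMPLE_FLOWS = [
    "192.168.1.20 10.0.0.53 udp 53",          # approved resolver: no finding
    "192.168.1.21 5.226.137.230 udp 53",      # report IOC: finding
    "192.168.1.22 8.8.8.8 udp 53",            # unapproved resolver: finding
    "192.168.1.22 5.226.137.230 tcp 443",     # not DNS: ignored
    "garbage line",                           # malformed: ignored
]
SAMPLE_VPS_1 = [("udp", 53, "dnsmasq-2.85"), ("tcp", 56777, "SSH-2.0-OpenSSH_8.9")]
SAMPLE_VPS_2 = [("udp", 53, "dnsmasq-2.85"), ("tcp", 22, "SSH-2.0-OpenSSH_8.9")]
SAMPLE_VPS_3 = [("tcp", 35681, "SSH-2.0-OpenSSH_8.9")]

if __name__ == "__main__":
    for f in hunt_rogue_dns(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {f.reason}")
    for name, svc in (("vps1", SAMPLE_VPS_1), ("vps2", SAMPLE_VPS_2), ("vps3", SAMPLE_VPS_3)):
        print(name, match_vps_banner(svc))
```

The IOC match is reported separately from the generic "unapproved resolver" case because the two carry different confidence: a hit on a listed IP warrants immediate response, whereas an unapproved public resolver may be a misconfigured or BYOD device and maps to the Medium FP risk noted in the hypothesis table. The banner matcher deliberately requires both services so that hosts running only dnsmasq or only SSH on an unusual port are not flagged.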

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block outbound traffic to the provided malicious IP addresses.
  • Audit SOHO routers for unauthorized changes to DHCP/DNS settings.
  • Reset credentials for any compromised routers.

Infrastructure Hardening

  • Ensure router management interfaces are not exposed to the internet.
  • Implement browse-down architecture for management access.
  • Keep router firmware updated to patch vulnerabilities like CVE-2023-50224.

User Protection

  • Enforce Multi-Factor Authentication (MFA) and consider FIDO2/hardware keys to resist AitM attacks.
  • Ensure endpoint OS and applications are fully updated.

Security Awareness

  • Train users to report suspicious login prompts or unexpected certificate warnings.
  • Implement a 'no blame' culture for reporting potential phishing or AitM interactions.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1557 - Adversary-in-the-Middle
  • T1583.002 - Acquire Infrastructure: DNS Server
  • T1583.003 - Acquire Infrastructure: Virtual Private Server
  • T1584.008 - Compromise Infrastructure: Network Devices
  • T1586 - Compromise Accounts
  • T1588.006 - Obtain Capabilities: Vulnerabilities

Additional IOCs

  • IPs:
    • 5[.]226[.]137[.]230 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]231 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]232 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]234 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]235 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]242 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]243 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]244 - APT28 malicious DNS server (Cluster 1)
    • 5[.]226[.]137[.]245 - APT28 malicious DNS server (Cluster 1)
    • 23[.]106[.]120[.]119 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]77 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]78 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]93 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]101 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]116 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]131 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]148 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]149 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]150 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]151 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]163 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]173 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]199 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]208 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]224 - APT28 malicious DNS server (Cluster 1)
    • 37[.]221[.]64[.]254 - APT28 malicious DNS server (Cluster 1)
    • 64[.]120[.]31[.]96 - APT28 malicious DNS server (Cluster 1)
    • 64[.]120[.]31[.]97 - APT28 malicious DNS server (Cluster 1)
    • 64[.]120[.]31[.]98 - APT28 malicious DNS server (Cluster 1)
    • 64[.]120[.]31[.]99 - APT28 malicious DNS server (Cluster 1)
    • 64[.]120[.]31[.]100 - APT28 malicious DNS server (Cluster 1)
    • 77[.]83[.]197[.]37 - APT28 malicious DNS server (Cluster 1)
    • 79[.]141[.]160[.]78 - APT28 malicious DNS server (Cluster 1)
    • 79[.]141[.]161[.]66 - APT28 malicious DNS server (Cluster 1)
    • 79[.]141[.]173[.]70 - APT28 malicious DNS server (Cluster 1)
    • 185[.]117[.]88[.]22 - APT28 malicious DNS server (Cluster 1)
    • 185[.]117[.]89[.]32 - APT28 malicious DNS server (Cluster 1)
    • 185[.]237[.]166[.]56 - APT28 malicious DNS server (Cluster 1)
    • 64[.]44[.]154[.]237 - APT28 malicious DNS server (Cluster 2)
    • 77[.]83[.]198[.]39 - APT28 malicious DNS server (Cluster 2)
    • 79[.]141[.]173[.]123 - APT28 malicious DNS server (Cluster 2)
    • 79[.]143[.]87[.]229 - APT28 malicious DNS server (Cluster 2)
    • 88[.]80[.]148[.]49 - APT28 malicious DNS server (Cluster 2)
    • 89[.]150[.]40[.]43 - APT28 malicious DNS server (Cluster 2)
    • 103[.]140[.]186[.]148 - APT28 malicious DNS server (Cluster 2)
    • 185[.]234[.]73[.]58 - APT28 malicious DNS server (Cluster 2)
  • Domains:
    • imap-mail[.]outlook[.]com - Targeted domain redirected to AitM infrastructure.
    • outlook[.]live[.]com - Targeted domain redirected to AitM infrastructure.
    • outlook[.]office[.]com - Targeted domain redirected to AitM infrastructure.
  • Other:
    • SSH on TCP port 56777 and dnsmasq-2.85 on UDP port 53 - VPS Banner Pattern 1 associated with APT28 infrastructure.
    • SSH on TCP port 35681 and dnsmasq-2.85 on UDP port 53 - VPS Banner Pattern 2 associated with APT28 infrastructure.