UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks
The UK NCSC has issued an advisory warning that the Russian state-sponsored threat group APT28 is compromising vulnerable internet routers to conduct DNS hijacking. By altering DNS configurations, the attackers perform adversary-in-the-middle attacks to covertly reroute user traffic and harvest credentials and access tokens from personal web and email services.
Authors: National Cyber Security Centre (NCSC)
Source: NCSC
Key Takeaways
- Russian state-sponsored group APT28 is exploiting vulnerable internet routers to conduct DNS hijacking.
- The compromise enables adversary-in-the-middle attacks to intercept traffic and harvest passwords and access tokens.
- Initial targeting is opportunistic, casting a wide net before narrowing down to specific intelligence targets.
- Organizations must secure router management interfaces, apply updates, and enable two-step verification to mitigate risks.
Affected Systems
- Internet routers
- Edge network devices
Attack Chain
APT28 opportunistically scans for and exploits vulnerable internet routers and edge devices. Once compromised, the attackers alter the device's DNS settings to point to actor-controlled malicious servers. When users attempt to access legitimate web and email services, their traffic is covertly rerouted, allowing the attackers to conduct adversary-in-the-middle attacks and harvest passwords and access tokens.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: None — The compromise occurs on edge network devices (routers) where standard EDR agents cannot be installed.
- Network Visibility: High — DNS hijacking involves rerouting traffic to anomalous DNS servers, which can be detected via network traffic analysis and DNS logging.
- Detection Difficulty: Moderate — Detecting unauthorized changes to router DNS configurations or spotting anomalous outbound DNS traffic to unknown resolvers is feasible with proper network monitoring, though difficult for unmonitored SOHO environments.
Required Log Sources
- DNS query logs
- Network flow logs
- Router management access logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Edge devices or internal endpoints are querying unauthorized or non-standard external DNS servers. | Network flow logs (Port 53/853 traffic) | Credential Access | Low |
Control Gaps
- Lack of EDR deployment capabilities on edge devices and SOHO routers
- Insufficient monitoring of outbound DNS traffic to non-corporate resolvers
Key Behavioral Indicators
- Unexpected changes to DNS server settings on edge devices
- Outbound DNS traffic bypassing corporate forwarders
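As an added example (not code from the NCSC advisory or this summary), the hunting hypothesis and the "outbound DNS traffic bypassing corporate forwarders" indicator above applied to a few constructed flow records: any flow on port 53 or 853 whose destination is not one of the assumed corporate resolvers is flagged, and repeated use of the same rogue resolver is counted per source. The resolver addresses and flow format are assumptions for the demonstration.

```python
import ipaddress
from collections import Counter

# Assumed corporate resolvers that the egress policy permits (constructed values).
AUTHORIZED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
# Plain DNS and DNS-over-TLS, matching the hypothesis's port 53/853 telemetry.
DNS_PORTS = {53, 853}

# Constructed flow records in a simple CSV layout: src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
10.0.5.21,10.0.0.53,53,udp
10.0.5.21,198.51.100.7,53,udp
10.0.7.14,10.0.1.53,53,tcp
10.0.7.14,203.0.113.9,853,tcp
10.0.5.21,198.51.100.7,53,udp
10.0.9.3,93.184.216.34,443,tcp
"""


def parse_flows(text):
    """Parse CSV-style flow text into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split(",")
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "port": int(port), "proto": proto})
    return flows


def unauthorized_dns_flows(flows, authorized=AUTHORIZED_RESOLVERS):
    """Return flows on DNS ports whose destination is not an authorized resolver."""
    return [f for f in flows
            if f["port"] in DNS_PORTS and f["dst"] not in authorized]


def summarize_by_source(findings):
    """Count hits per (source, resolver, port) so repeated use of one rogue resolver stands out."""
    return Counter((str(f["src"]), str(f["dst"]), f["port"]) for f in findings)


if __name__ == "__main__":
    hits = unauthorized_dns_flows(parse_flows(SAMPLE_FLOWS))
    for (src, dst, port), count in summarize_by_source(hits).items():
        print(f"{src} -> {dst}:{port} ({count} flows) not in resolver allowlist")
```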
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Restrict access to router management interfaces.
- Apply the latest firmware updates to all edge devices and routers.
Infrastructure Hardening
- Implement strict egress filtering for DNS traffic to only allow authorized corporate resolvers.
- Disable remote management on internet-facing routers.
User Protection
- Enforce Multi-Factor Authentication (MFA) or two-step verification for all web and email services to mitigate token and password theft.
Security Awareness
- Educate users on the risks of using default router credentials and outdated hardware on home networks.
MITRE ATT&CK Mapping
- T1584.004 - Compromise Infrastructure: Routers
- T1557 - Adversary-in-the-Middle